Under the GDPR, a recipient is any natural or legal person, public authority, agency or other body to whom personal data is disclosed, whether or not they are a third party. This includes internal departments, external service providers, and regulatory authorities that receive personal data as part of their functions. Understanding who qualifies as a recipient is essential for maintaining accurate processing records.
Organisations must document all recipients in their records of processing activities and, where applicable, in their privacy notices. When personal data is transferred to recipients outside the European Economic Area, additional safeguards such as Standard Contractual Clauses or adequacy decisions must be in place.