In data protection law, a third party is any natural or legal person, public authority, agency or body other than the data subject, the controller, the processor, and those authorised to process personal data under the direct authority of the controller or processor. This distinction is crucial for determining responsibilities and obligations when personal data is shared or disclosed. Understanding who qualifies as a third party helps organisations manage data flows and apply appropriate safeguards.
Correctly identifying third parties is essential when conducting data protection impact assessments and drafting privacy notices. Whenever personal data is disclosed to a third party, the legal basis for that disclosure must be established and documented. Organisations should maintain a register of third-party disclosures to ensure transparency and accountability in their data processing activities.