Sensitive and non-sensitive personal data may be transferred to third parties if the data subject’s explicit consent is obtained or if one of the additional legal grounds is applicable for such transfer.
The Law does not define a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially about transfers between data controllers and data processors, as there is no explicit provision concerning data transfers between data controllers and data processors. As a result, any transfer of personal data from a data controller to a data processor may be interpreted as a transfer to a third party. Such an interpretation means that any such transfer would need to be made either:
- With the explicit consent of the data subject; or
- Where additional legal grounds exist.
The Law defines a “Data Processor” as the natural or legal person who processes personal data on behalf of the data controller with their authorisation. As the data processor is a natural person or a legal entity processing personal data “on behalf of” the data controller, it may be argued that the data processor is different from an ordinary third party. It acts under the authority of the data controller, making the data processor a part of the data controller’s organisation. If the transfer of personal data between the employees of a data controller cannot be considered a transfer to a third party, then transfers to the data processor should not be considered transfers to a third party. This is a far-reaching interpretation, but if the Board adopts a decision in this respect, such an interpretation would be strong, and its chances of holding out against the test of a court would be high. It must be noted however that, under the current circumstances, each transfer made to a data processor is considered a data transfer to a third party.