Sensitive and non-sensitive personal data may be transferred to third parties if the data subject’s explicit consent is obtained or if one of the additional legal grounds applies to the transfer.
The Data Protection Law does not define a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially for transfers between data controllers and data processors, because no explicit provision addresses such transfers. As a result, any transfer of personal data from a data controller to a data processor may be interpreted as a transfer to a third party. Such an interpretation means that any such transfer would need to be made either:
- With the explicit consent of the data subject; or
- Where additional legal grounds exist.
The Data Protection Law defines a “Data Processor” as the natural or legal person who processes personal data on behalf of the data controller upon their authorisation. As the data processor is a natural person or a legal entity processing personal data “on behalf of” the data controller, it can be stated that the data processor is different from an ordinary third party. It acts under the authority of the data controller, making the data processor a part of the data controller’s organisation. As the transfer of personal data between the employees of a data controller cannot be considered a transfer to a third party (although the data controller and each employee are separate persons), a transfer to the data processor should also not be considered a transfer to a third party. This is a far-reaching interpretation, but if the Board adopts a decision in this respect, such an interpretation would be strong, and its chances of withstanding the test of a court would be high. However, under the current circumstances, each transfer made to a data processor is considered a data transfer to a third party.