Who are these actors?
Art. 4(9) GDPR defines a recipient as “a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.” However, public authorities that receive personal data through inquiries in accordance with Union or member state law are explicitly excluded from this definition and are not to be regarded as third parties (Art. 4(9)(2) GDPR).
Anyone else is considered a recipient by receiving personal data. Therefore, a processor or a third party, both discussed as main actors in this document, is regarded as a recipient if a controller transfers personal data to it.[1]
What are their tasks?
The recipient has no active part as it is defined only by access to the data. If an entity receives personal data and processes it, it naturally becomes a controller. This demonstrates that the type of actor changes with the access and the processing of personal data.
What are their rights and responsibilities?
There are no special rights granted to recipients. As personal data is disclosed to a recipient, the controller has to inform the data subjects about the recipient. In case of rectification or erasure by the data subject, recipients have to be informed about such changes.[2] However, if recipients are controllers or processors themselves, they might be caught under the GDPR as a controller or processor, depending on the Regulation’s territorial scope.
Example:
An individual uses an online food ordering service to order a meal. The company C that offers the web interface is, however, not the restaurant that produces the meal. Company C now distributes the personal data of the individual (name and address) to restaurant R. Both C and R are seen as controllers for the processing of the personal data that they carry out to offer their respective services. As C distributes the personal data to the restaurant, R is seen as the recipient of the data. In this scenario, there is no controller-processor relationship.
References
[1] See https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202007_controllerprocessor_en.pdf p. 29 for this example.
[2] Art. 19 GDPR, Notification obligation regarding rectification or erasure of personal data or restriction of processing.