Who are these actors?
Art. 4(10) defines a third party as “a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.” Employees who have obtained access to personal data that they are not authorized to process are therefore defined as third parties.
A research organization, or a chair at a university, that is the controller of personal data hires a cleaning service. The cleaning personnel may now technically access this personal data when they clean the organization's desks, on which the personal data might be stored. Even though the cleaning personnel do not process the data, and do not want to, they may come into contact with it. The cleaning service and its staff are regarded as a third party. The organization, in its position as controller, must enforce technical and organizational measures to ensure that personal data cannot be processed by third parties. This includes storing the data securely in such a way that other entities, here third parties, are not able to access the data, either involuntarily or on purpose.