Sensitive and non-sensitive personal data can be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds is applicable for such transfer.

The Data Protection Law does not provide a definition for a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially in relation to transfers between data controllers and data processors, as there is no explicit provision in relation to data transfers between data controllers and data processors. As a result, any transfer of personal data from a data controller to a data processor may be interpreted as a transfer to a third party. Such an interpretation means that any such transfer would need to be made either:

  • With the explicit consent of the data subject; or
  • Where additional legal grounds exist.

“Data processor” is defined under the Data Protection Law as the natural or legal person who processes personal data on behalf of the data controller upon his/her authorization. As the data processor is an individual or a legal entity processing personal data “on behalf of” the data controller, it can be stated that the data processor is different from an ordinary third party. It acts under the authority of the data controller, making the data processor a part of the data controller’s organisation. As the transfer of personal data between the employees of a data controller cannot be considered a transfer to a third party (although the data controller and each employee is a separate person), the transfer to the data processor should also not be considered as a transfer to a third party. This is a far-reaching interpretation, but if the Board adopts a decision in this respect, such an interpretation would be strong, and its chances of holding out against the test of a court would be high.