Privacy policies and third parties under the GDPR

Under the GDPR, do I need to disclose details of third party recipients of personal data in my privacy policy?

Alasdair Taylor's answer to Privacy policies and third parties under the GDPR (1565796967)

In some cases you do need to disclose details of third party recipients of personal data in your privacy policy; in other cases you do not.

In relation to personal data collected from data subjects, Article 13(1)(e) says that "the controller shall ... provide the data subject with all of the following information ... (e) the recipients or categories of recipients of the personal data, if any". Article 14(1)(e) contains a similar requirement for personal data which is not obtained from the data subject. Congruent with this, Article 15(c) provides that data subjects have a right to obtain from the data controller information including "the recipients or categories of recipient to whom the personal data have or will be disclosed". See:

You should not however conclude from this that disclosure of “categories of recipient” will be adequate in all cases. One set of issues relates to consent, one of the key “legal bases” of processing.

The Article 29 Working Party's guidance on consent indicates that where a consent covers multiple joint controllers, all those controllers will need to be named. The same guidance indicates that processors do not need to be named in the context of consent-base processing: "WP29 notes that in a case where the consent sought is to be relied upon by multiple (joint) controllers or if the data is to be transferred to or processed by other controllers who wish to rely on the original consent, these organisations should all be named. Processors do not need to be named as part of the consent requirements, although to comply with Articles 13 and 14 of the GDPR, controllers will need to provide a full list of recipients or categories of recipients including processors." See:

However, another issue arises out of the principle of fairness. In this context, the Working Party’s guidance on transparency suggests that naming processors should be the default position. “In accordance with the principle of fairness, the default position is that a data controller should provide information on the actual (named) recipients of the personal data. Where a data controller opts only to provide the categories of recipients, the data controller must be able to demonstrate why it is fair for it to take this approach. In such circumstances, the information on the categories of recipients should be as specific as possible by indicating the type of recipient (i.e. by reference to the activities it carries out), the industry, sector and sub-sector and the location of the recipients.” See:

This begs another question of course: what is fair in this context?