Third party vs. data processor: how to differentiate them? There are some key differences you need to understand when it comes to data protection. One of these is the distinction between a data processor and a third party.
It’s fundamental to understand it, especially if you are a website or app owner. For example, you may be required different legal documents to make sure you’re complying with the applicable law.
So let’s jump straight to definitions!
According to the GDPR, a data processor is:
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data controllers (i.e. the website or app owner) often rely on external suppliers to provide services or other features in their website. These suppliers are the data processors, and they take on the duty of processing personal data on behalf of the data controllers and following their direct instructions.
The data processor does not set the purposes for which the data is used, and therefore only processes the data on behalf of the controller (not for the processor’s own interest).
Some examples of processors include your website host, or email management platforms like Mailchimp.
To ensure the processing is carried out lawfully, the data controller and data processor govern their relationship with an agreement called Data Processing Agreement (DPA). This contract will specify the rights and responsibilities of each party.
On the other hand, the GDPR defines a third party as:
a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
The definition may not seem so different from the previous one, but there is a key difference: a third party does not process personal data on the behalf of the controller. Instead, they simply receive your users’ personal data and are authorized to process it as they want. Thus, they don’t need to follow the controller’s instructions.
Furthermore, third parties may set their own purposes for which the user data is used and therefore may process user data in their own interest.
Some examples of third parties might be social plugins and media display services on your website.
Be careful, though! You can’t just simply transfer personal data to third parties. You need a valid legal basis to do so. For many cases, the legal basis may be your users’ consent, which must meet specific requirements.
Now let’s take into consideration some practical examples, to understand the difference even better.
You are a business owner who wants to create a website for his activity. However, since you don’t have the expertise to create a website from scratch, you decide to rely on a web hosting company, which will create the website and take care of legal compliance, too.
➡️ In this case, the web hosting company is a data processor.
So what you’ll need to do is to sign a Data Processing Agreement, with all the relevant instructions on how you intend to use the data you will collect through your website.
You use social media plugins on your website to increase the reach of your content. In this way, it will be much easier for your users to share an article you wrote. However, when you set up social media plugins, you accept to send back to social media platforms some of the information you’ve directly collected. These platforms then may use this information for their own purposes.
➡️ Social media here are third parties, and you’ll need to take all the necessary steps to ensure you’re complying with the law.
The above-mentioned third parties need, by law, to be listed in your document.