“Third party” refers to a natural or legal person, a public authority, a service, or another organization that is not one of the following: the data subject, the data controller, the data processor, individuals authorized to process personal data under the direct authority of the data controller or data processor.

The disclosure of entire databases to other entities (transfers of entire databases to third parties) is a type of processing that carries clear risks for the data subjects (individuals). Therefore, in this case, it is essential for the company that discloses personal data to a third party to inform the data subjects and obtain their specific consent for such processing of their personal data. This consent should be separate from others, with a clear indication of the categories (e.g., financial, publishing) of the entities to which the data will be disclosed. The company that receives the data, in turn, must provide the data subjects with privacy information before processing the data (i.e. before sending commercial communications). This information should also specify the source of the data so that individuals can also contact the company which has disclosed the data to exercise their rights.


A beauty salon and beauty shop collect data from their respective customers. The owner of the beauty shop asks the owner of the beauty salon to share with him its database (list of clients) for the purpose of direct marketing in order to increase sales. In its privacy notice a beauty salon informed its clients that the beauty salon could share the data with partners offering beauty products. As far as specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, a beauty salon can send the client list to a beauty shop. No data can be sent about an individual who objected to the processing of their personal data.