What is a third party in GDPR?

According to Article 4(10) of the GDPR, a third party is a natural or legal person, public authority, agency or body other than the data subject, controller, and processor who is authorized to process personal data by the controller or processor. Third parties could include social media plugins that you use on your website.

Note that under GDPR, a third party is different from a processor that processes data on behalf of the controller, such as an email marketing tool, hosting provider or CRM software. They do not process data for their own interest and are pursuant to a written contract. However, the third-party receives personal data from the controller and is authorized to process it as they want. They are not pursuant to a written contract like a processing agreement and may process data for their own interest.