Article 30 1. d) of the GDPR requires that the register includes information relating to "the categories of recipients to whom the personal data have been or will be communicated, including recipients in third countries or international organizations".

Article 4 of the GDPR defines the recipient as being "the natural or legal person, public authority, service or any other body which receives communication of personal data, whether or not it is a third party . However, public authorities which are liable to receive communication of personal data in the context of a specific fact-finding mission in accordance with Union law or the law of a Member State are not considered recipients; the processing of this data by the public authorities in question complies with the applicable data protection rules depending on the purposes of the processing”.

In other words, in the term recipients, we mean all the entities that will access the data other than the public authorities (authorized third parties such as the CNIL, the judicial police within the framework of a judicial investigation or the administration tax for example). These are the internal services of the data controller (HR department for example), processors, joint managers, other data controllers (business partners for example).