"Privacy Law": Recent blog posts
29.03.2019 - Olga Stepanova
25.02.2019 - Olga Stepanova
19.12.2018 - Olga Stepanova
Group Privacy: Data Protection in Groups and Large Companies in Germany
What is group privacy?
At least since May 2018, most companies have started dealing with the topic of data protection. Like all other companies, corporate groups, i.e. associations of several companies under common control, are legally obliged to deal with the protection of their customers' and employees' personal data. The so-called "group privacy" ensures that data are handled correctly within the entire group structure including all business entities.
Privacy management in groups of companies
The number of large and often multinational groups is growing. The privacy requirements for groups of companies are many times more complex than those placed on individual companies.
Probably the greatest challenge involved in group privacy consists in developing and establishing a harmonized group-wide data protection management that still leaves the individual companies enough scope for necessary individual solutions. In this context, the European General Data Protection Regulation (GDPR) and national privacy laws need to be taken into account as well as industry-specific provisions or a sector's regulatory requirements.
Group-wide data transmission
A key issue of group privacy in large companies is the group-wide exchange of personal data, whether in the operational business or in the context of sharing or delegating administrative tasks, e.g.
- for the purposes of a group-wide HR management
- in the context of centralized IT infrastructures, or
- for establishing a central customer management system.
Just like the Federal Data Protect Act (BDSG), the GDPR – except for a few innovations – does not provide for any significant simplification in respect of the exchange of data between the companies of a group.
In particular, the European data protection legislation does not allow for a so-called "intra-group exemption" according to which the exchange of data within groups would be basically permitted. Data transmissions from one affiliate to another therefore continue to be allowed subject to legal grounds only.
The GDPR recognizes that groups of companies may have a legitimate interest in sharing personal data for internal administrative purposes. It remains unclear, however, which data transmissions are accepted as being made for "administrative purposes". In addition, this reasoning would require a balancing of interests and its documentation in each individual case.
Joint controllership determines rights and obligations
On the other hand, several companies may, in the future, assume responsibility for the processing by defining common responsibilities. In order to do so, the rights and obligations of each of the controllers must be clearly defined in an agreement (so-called joint controllership).
The data privacy-compliant transmission of personal data to countries outside the European Union (so-called third countries) also requires a special admissibility check. Therefore, companies should carefully examine whether and under what conditions a group-wide data processing is admissible. Our experienced team will be pleased to assist you.
Featured article on data protection law:
Data Protection and Cyber Security in Germany 2019
(Chapter and book are from the series Law Review)
The WINHELLER IP and data protection department contributed an entire chapter to the sixth issue of The Privacy, Data Protection and Cybersecurity Law Review. This chapter summarizes the German privacy policies, discusses current regulatory efforts regarding Social Media and presents the EU General Data Protection Regulation.
Our consulting services concerning group privacy
We help you structure data protection within groups of companies in a lawful and practical manner. Our services include in particular:
- Developing and coordinating data protection management concepts within the group;
- Advice on the data privacy-compliant transmission of personal data to countries outside the European Union;
- Advice on employee data protection;
- Preparing multilateral shared services agreements and data processing contracts;
- Advice on the use of cloud services;
- Provision of an external (group) data protection officer;
- Delivering employee training courses;
- Drafting agreements on common responsibilities (joint controllership);
- Advice on setting up binding corporate rules on data protection;
- Advice on data privacy-compliant operations of group-internal shared services centers established to bundle administrative tasks (e.g. group-wide payroll accounting).
Your attorney for German group privacy
Your contact partner for all aspects of data privacy in groups and the transmission of personal data is Attorney Olga Stepanova. The easiest way to reach us is by e-mail (email@example.com) or by phone (+49 (0)69 76 75 77 80). Please do not hesitate to contact us with any questions.
Attorney Olga Stepanova contributed a chapter on German data protection regulations again.