At least since May 2018, most companies have started dealing with the topic of data protection. Like all other companies, corporate groups, i.e. associations of several companies under common control, are legally obliged to deal with the protection of their customers' and employees' personal data. The so-called group privacy ensures that data are handled correctly within the entire group structure including all business entities.
The number of large and often multinational groups is growing. The privacy requirements for groups of companies are many times more complex than those placed on individual companies.
Probably the greatest challenge involved in group privacy is developing and establishing a harmonized group-wide data protection management that still leaves the individual companies enough scope for necessary individual solutions. In this context, the European General Data Protection Regulation (GDPR) and German national privacy laws need to be taken into account as well as industry-specific provisions or a sector's regulatory requirements.
A key issue of group privacy in large companies is the group-wide exchange of personal data, whether in the operational business or in the context of sharing or delegating administrative tasks, e.g.
Just like the German Federal Data Protection Act (BDSG), the GDPR – except for a few innovations – does not provide for any significant simplification in respect of the exchange of data between the companies of a group.
In particular, the European data protection legislation does not allow for a so-called intra-group exemption according to which the exchange of data within groups would be basically permitted. Data transmissions from one affiliate to another therefore continue to be allowed subject to legal grounds only.
The GDPR recognizes that groups of companies may have a legitimate interest in sharing personal data for internal administrative purposes. It remains unclear, however, which data transmissions are accepted as being made for "administrative purposes". In addition, this reasoning would require a balancing of interests and its documentation in each individual case.
On the other hand, several companies may, in the future, assume responsibility for the processing by defining common responsibilities. In order to do so, the rights and obligations of each of the controllers must be clearly defined in an agreement (so-called joint controllership).
The data privacy-compliant transmission of personal data to countries outside the European Union (so-called third countries) also requires a special admissibility check. Therefore, companies should carefully examine whether and under what conditions a group-wide data processing is admissible. Our experienced team will be pleased to assist you.
We help you structure data protection within groups of companies in a lawful and practical manner. Our services include in particular: