At least since May 2018, most companies have started dealing with the topic of data protection. Like all other companies, corporate groups, i.e. associations of several companies under common control, are legally obliged to deal with the protection of their customers' and employees' personal data.
The so-called group privacy ensures that data are handled correctly within the entire group structure including all business entities.
The number of large and often multinational groups is growing. The privacy requirements for groups of companies are many times more complex than those placed on individual companies.
Probably the greatest challenge involved in group privacy is developing and establishing a harmonized group-wide data protection management that still leaves the individual companies enough scope for necessary individual solutions. In this context, the European General Data Protection Regulation (GDPR) and German national privacy laws need to be taken into account as well as industry-specific provisions or a sector's regulatory requirements.
A key issue of group privacy in large companies is the group-wide exchange of personal data, whether in the operational business or in the context of sharing or delegating administrative tasks, e.g.
- for the purposes of a group-wide HR management
- in the context of centralized IT infrastructures, or
- for establishing a central customer management system.
Just like the German Federal Data Protect Act (BDSG), the GDPR – except for a few innovations – does not provide for any significant simplification in respect of the exchange of data between the companies of a group.
In particular, the European data protection legislation does not allow for a so-called intra-group exemption according to which the exchange of data within groups would be basically permitted. Data transmissions from one affiliate to another therefore continue to be allowed subject to legal grounds only.
The GDPR recognizes that groups of companies may have a legitimate interest in sharing personal data for internal administrative purposes. It remains unclear, however, which data transmissions are accepted as being made for "administrative purposes". In addition, this reasoning would require a balancing of interests and its documentation in each individual case.
On the other hand, several companies may, in the future, assume responsibility for the processing by defining common responsibilities. In order to do so, the rights and obligations of each of the controllers must be clearly defined in an agreement (so-called joint controllership).
The data privacy-compliant transmission of personal data to countries outside the European Union (so-called third countries) also requires a special admissibility check. Therefore, companies should carefully examine whether and under what conditions a group-wide data processing is admissible. Our experienced team will be pleased to assist you.
We help you structure data protection within groups of companies in a lawful and practical manner. Our services include in particular:
- Developing and coordinating data protection management concepts within the group
- Advice on the data privacy-compliant transmission of personal data to countries outside the European Union
- Advice on employee data protection
- Preparing multilateral shared services agreements and data processing contracts
- Advice on the use of cloud services
- Provision of an external (group) data protection officer
- Delivering employee training courses
- Drafting agreements on common responsibilities (joint controllership)
- Advice on setting up binding corporate rules on data protection
- Advice on data privacy-compliant operations of group-internal shared services centers established to bundle administrative tasks (e.g. group-wide payroll accounting)
Privacy Law: Recent blog posts
Do you need support?
Do you have questions about our services or would you like to arrange a personal consultation? We look forward to hearing from you! Please fill in the following information.
Or give us a call: +49 69 76 75 77 80