05.03.2025

Group data protection: Requirements & legal bases for intra-group data transfers

If a group of companies acts as a single entity, both externally and internally, transferring data between its individual companies may not appear to pose a particular problem. However, the GDPR does not recognise the group as a separate data controller. This means that intra-group data transfers are not automatically legal. In this article, we provide an overview of the main issues, requirements and possible solutions in the area of intra-group data transfers.

Your ISiCO-Expert:
Dr Philipp Siedenburg
Director Privacy

The group privilege: special rules for group data protection?

According to Section 18 of the German Stock Corporation Act (AktG), a group consists of a controlling company and one or more independent companies that are united under the uniform management of the controlling company. However, unlike in some areas of law, such as tax law, the GDPR does not provide for a group privilege.

Instead, the companies within a group are to be regarded as independent for data protection purposes and as separate controllers for the purposes of the GDPR, which is why a separate legal basis for data transfers is required. However, there are some special rules, often referred to as the small group privilege.

First, the term "group of companies" is used in several places. The definition in Art. 4 No. 19 GDPR is similar to the definition of a group of companies in the German Stock Corporation Act (AktG): "'group of companies' means a group consisting of a controlling undertaking and the undertakings dependent on it".

Moreover, Art. 88 GDPR expressly permits data transfers within the group for the purpose of employment. Recital 37 of the GDPR also provides further information:

A group of undertakings should consist of a controlling undertaking and its dependent undertakings, the controlling undertaking being the one which can exercise a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation, the rules which govern it or the power to have data protection rules implemented. An undertaking which controls the processing of personal data in its connected undertakings should be considered together with those undertakings as a 'group of undertakings'.

Finally, Recital 48 of the GDPR explains when controllers that are part of a group of undertakings may transfer personal data within a group of undertakings. They may have 'a legitimate interest to transfer personal data within the group of undertakings for internal administrative purposes, including the processing of personal data of customers and employees', while the 'basic principles for the transfer of personal data within groups of undertakings to an undertaking in a third country' remain unaffected.

Be on the safe side with a Group Privacy Officer

ISiCO provides you with an external Group Privacy Officer.

  • Benefit from a complete solution that keeps your data secure and your organisation compliant.
  • The external Group DPO identifies data protection gaps before they lead to costly breaches.
  • They manage communications with the authorities (including the reporting of data protection incidents)

Arrange a non-binding initial consultation

What are the possible legal bases?

A legal basis pursuant to Art. 6 GDPR is required for any processing of personal data in order for it to be permissible under data protection law. This also applies to data transfers - which are ultimately data processing operations - within the group. The correct legal basis may depend on a number of factors. Is the data being transferred to countries outside the EU or EEA? Does the data belong to the special categories of data (Article 9 GDPR), which are particularly sensitive and therefore subject to increased requirements?

Consent

Consent is generally not a suitable basis for group data transfers. As it must be given voluntarily, it is largely excluded by the hierarchical relationships between employees, employers and superiors. In addition, consent can be freely withdrawn at any time and therefore cannot guarantee the necessary legal certainty and permanence.

Legitimate interests

Art. 6 para. 1 lit. f GDPR is likely to be the relevant legal basis in most cases. It states that data processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller, 'except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data'. Recital 48 GDPR explicitly mentions this legitimate interest for intra-group data transfers, reflecting the heightened need for such transfers within a group.

However, a legitimate interest cannot simply be assumed: its requirements should be reviewed in advance for each data transfer. This requires a documented balancing of the controller's interest in the data transfer against the interests, fundamental rights and freedoms of the data subjects. This should be done carefully, in three steps.

  1. The first step is to identify the company's legitimate interest. In principle, any economic, legal, factual or even ideal interest can be used.
  2. Second, it must be determined whether the data transfer is necessary to protect the legitimate interest. This requires no more than that the data transfer is suitable for this purpose and that there is no alternative that is equally or more suitable and less restrictive of the fundamental rights and freedoms of the data subjects.
  3. The third step is to weigh up the interests. In this context, it is important to consider whether the data subject could have expected in advance that data would be transferred between the individual companies of the group. The intensity of the interference with the interests, fundamental rights and freedoms of the data subjects also plays a decisive role.

Intra-group data protection agreements

In order to reduce the intensity, technical and legal measures can be taken to increase data protection for the data subjects. In particular, care must be taken to ensure that the rights of data subjects under the GDPR (Art. 12 to 23 GDPR) are respected, including the obligation to provide information to data subjects.

Internal data protection agreements can be used to bindingly list the protective measures taken, so that the balancing of interests comes out in favour of the company. These should include technical and organisational measures, such as the use of a firewall and other IT security measures, as well as anonymisation and pseudonymisation procedures for personal data.

Data processing for the performance of the employment relationship

The processing of employee data in the context of the employment relationship is a special case. The German legislator created Section 26 para. 1 sentence 1 of the Federal Data Protection Act (BDSG) for this purpose. Following a ruling by the European Court of Justice (ECJ, judgement of 30 March 2023 - C-34/21), which declared an identical provision of the Hessian Data Protection Act to be incompatible with the opening clause of Art. 88 GDPR, Section 26 para. 1 sentence 1 BDSG is now regarded as largely inapplicable.

Against this background, only the general provision of Art. 6 para. 1 lit. b GDPR remains as the legal basis for the processing of employee data in the context of the employment relationship. However, the principles developed and applied under Section 26 para. 1 sentence 1 BDSG remain valid and are applied accordingly in the context of Art. 6 para. 1 lit. b GDPR.

Pursuant to Art. 6 para. 1 lit. b GDPR, data processing is permitted if it is necessary for the performance of a contract to which the data subject is a party. The term "performance of a contract" is to be understood broadly and includes the establishment, performance or termination of an employment relationship. Other transfers within a group, for example for commercial or administrative purposes, are not covered. The possibility of transferring employee data within a group is particularly important where, for example, a central HR department is to be responsible for the employees of all group companies. In principle, such an organisation is also legally possible.

The decisive criterion for the application of Art. 6 para. 1 lit. b GDPR is the necessity of the data processing specifically for the employment relationship. A necessity test must be carried out, in which the "conflicting fundamental rights positions", i.e. the "interests of the employer in data processing and the personal rights of the employee", must be balanced as fairly as possible by weighing the interests involved.

In particular, the principle of proportionality must be observed when balancing these interests. In addition to being suitable for achieving the intended purpose, the proportionality of the data processing also requires that there are no less intrusive measures that serve to establish, implement or terminate the employment relationship in a comparable manner. In a narrower sense, the severity of the encroachment on the employee's personal rights caused by the data processing must not be disproportionate to the employer's legitimate reasons in the overall balance.

Further points of reference for the necessity test may be compliance with data protection principles such as data minimisation (Art. 5 lit. c GDPR), the employer's scope for decision-making on the organisation of operational processes due to entrepreneurial freedom (e.g. with regard to possible "milder measures") or the sensitivity of the data concerned. Here, too, it is particularly important that the employees' data is adequately protected, both during the transfer itself and at the respective company that then processes the personal data.

Technical as well as legal (e.g. contractual) measures can make sense here, such as a written limitation to the data processing that is actually necessary for the employment relationship.

Transfer of special categories of data

Special rules apply to the processing of special categories of personal data (Article 9 GDPR). As they are particularly sensitive for the data subjects, the data may not be processed unless there is a legal exception. Special categories of personal data include ethnic origin, religious affiliation, but also health data, data about sexual orientation or trade union membership.

This is particularly problematic for the central HR department of a group of companies where such data needs to be processed on a regular basis. If, for example, a group company is used specifically to handle HR administration for all companies in a group, the permissibility of this must be examined in the context of Art. 6 and 9 GDPR and Section 26 (3) and (4) BDSG.

When sensitive data is transferred in the context of an employment relationship, specific procedural rules must be applied to ensure compliance with the requirements of the GDPR and the BDSG (Section 22 (2) BDSG). These include, for example, restrictions on access to the data, pseudonymisation and encryption techniques and other technical security measures. However, due to the sensitivity of the data, special emphasis should be placed on its protection. The Data Protection Officer should always be involved.

The group data privacy officer

A data protection officer must be appointed in accordance with Art. 37 para. 1 GDPR if the core activity of a company consists of processing operations that require systematic monitoring of the data subjects, if special categories of data are processed or, pursuant to Section 38 para. 1 BDSG, if at least 20 persons are usually permanently employed with the automated processing of personal data.

Pursuant to Art. 37 para. 2 GDPR, a data protection officer does not have to be appointed separately for each company; a common group data protection officer is possible, provided that he or she is easily accessible from each establishment. The data protection officer is responsible for informing and advising the controller or processor of their obligations under the GDPR. They can monitor compliance with data protection law, assign responsibilities or train employees in data protection. The DPO is not subject to instructions, and controllers must ensure that there are no conflicts of interest with their duties.

The position of data protection officer can be filled internally or externally. While an internal DPO may be easier to reach locally and may be more familiar with the Group's processes, an external DPO has the advantage of being able to assess the situation objectively and dealing exclusively with data protection regulations. In any case, they must have the necessary professional qualifications.

Joint controllership and commissioned processing

Art. 26 GDPR provides for the concept of joint controllership, where two controllers jointly determine the purposes and means of data processing. This situation often arises in groups of companies when two of their companies work together. This is partly because decision-making powers need not be equally distributed; even a small contribution to determining the purposes and means of the processing is sufficient.

In particular, it is important to conclude a joint controller agreement that sets out which party is responsible for which data protection requirements and implements them accordingly. In addition, the essential content of the contract must be made available to the data subjects. In the context of intra-group data transfers, it is advisable to go beyond the requirements of Art. 26 GDPR and agree additional safeguards as required in the above-mentioned intra-group data protection agreement.

If there is no joint control, but, for example, the main company alone has determined the purposes and means of the data processing, commissioned processing pursuant to Art. 28 GDPR may be considered. While the controller determines the purposes and means, the processor processes the data on behalf of and according to the instructions of the controller, without any decision-making authority of its own. This is often the case in the group with so-called "shared services", where certain services and processes that are identical for all group companies are centralised in one group company.

Examples include call centres, invoice processing and archiving offices, HR services or IT services. In each case, a data processing agreement (DPA) must be concluded, which regulates and specifies the key requirements: the client's strict authority to issue instructions and the contractor's lack of decision-making authority. The measures already regulated in the group data protection agreement must also be included in the DPA in order to prevent circumvention of the protective measures.

Commissioned processing has a privileged status in this respect: data transfers to the processor are possible without restriction, as the processor is not a third party within the meaning of the GDPR. This also applies to the special categories of personal data under Art. 9 GDPR.

Cross-border data transfer

Additional legal requirements apply when personal data is transferred to countries outside the EU or EEA. This also applies if the recipient of the data is a group company, including in the context of commissioned processing. For transfers to be legally permissible, the third country must have a level of data protection comparable to that in the EU.

For some countries, there are adequacy decisions issued by the European Commission (Art. 45 GDPR). In the absence of such a decision, the data controller must take its own additional protective measures. In general, standard contractual clauses (Art. 46 para. 2 lit. c GDPR) or binding corporate rules (Art. 47 GDPR) can be used for such agreements.

Conclusion

Intra-group data transfers are in principle possible and can be implemented in practice without great difficulty, as long as it is borne in mind that membership of a group is not in itself sufficient to make a transfer of personal data lawful. Due to the different relationships between companies in a group, the requirements often vary from case to case and are not always easy to assess.

It is important to bear in mind that, from a data protection perspective, the different companies within a group are initially independent controllers. Most intra-group data transfers are therefore likely to be between two or more controllers and will require a legal basis.

In the case of joint controllership or commissioned processing, appropriate data protection agreements will also need to be in place.
