Data transfer in corporate groups according to the GDPR
No matter where data is to be transmitted, the transmission always constitutes data processing within the meaning of the GDPR, and it must therefore be permitted under the GDPR. In practice, this can pose difficult problems for corporate groups in particular.
Corporate groups are groups of companies that all operate under the umbrella of the group but are usually legally independent. By their nature, such groups frequently need to transfer data between the individual companies. Violations here, too, are subject to high fines.
The question arises: Are there regulations in the GDPR that facilitate this process?
Is there a group privilege?
To anticipate the answer: In contrast to other areas of law, there is no real group privilege in the GDPR.
In this context, corporate groups not only have to observe data protection within one company, but must also monitor it in several companies at the same time and, in addition, align the individual companies with the approach of the entire group. This requires a great deal of communication and coordination.
However, the so-called "small group privilege" of the GDPR helps here. According to Art. 37 II GDPR, a group of companies as defined in Art. 4 No. 19 GDPR may appoint a central data protection officer for all companies in the group. In addition to all other requirements the GDPR places on a data protection officer, this officer must also be easily accessible from the branch offices. From the legislator's point of view, he or she should thus be able to cooperate better with both the subsidiaries and the local data protection authorities. Particularly for larger corporate groups with international branches, however, this is a requirement that cannot be met in practice because of time zone, distance and, where applicable, language barriers.
In practice, therefore, corporate data protection officers are often supported by local data protection coordinators (also known as privacy managers). These are familiar with local law and language, but are not themselves designated data protection officers; they act only as intermediaries. Indeed, Art. 37 II GDPR does not require that the corporate data protection officer always be available on site, which simplifies such solutions. Otherwise, the privilege would be of no practical use. It should be sufficient that he or she can be contacted quickly by technical means and that, at least within the EU, an on-site appointment can be arranged promptly.
Large corporate groups in particular operate predominantly internationally, including outside the territorial scope of the GDPR, which confronts them with the challenge of having to comply with several different data protection regimes.
Here, the approach already described, working through local data protection coordinators, is essential.
If data is transferred to a country outside the EU, it must also always be ensured that a level of protection is guaranteed there that corresponds to the standard of the GDPR. In addition, the transfer itself must be appropriately secured so that the data cannot reach unauthorized persons.
Compliance with the provisions of the GDPR must of course also be verifiable in accordance with the principle of accountability. It is therefore advisable to document all data processing without gaps.
Before a processing operation is carried out, the responsible data protection officer should always be consulted at the planning stage.