The most important facts at a glance
- Group structures require tailored data protection solutions: the GDPR grants no "group privilege", so each group company is a separate controller and intra-group data flows need their own legal basis and safeguards
- Binding Corporate Rules (BCR) are the instrument for legal international data transfers within multinational corporations
- Centralized vs. decentralized data protection organization must be strategically planned and legally secured
What does data protection mean in the Group?
Data protection in corporate groups covers the legally compliant design of all data protection processes and structures within a group. The particular challenge is that the group companies are separate legal entities but want to operate as a single economic unit.
The General Data Protection Regulation (GDPR) recognizes the concept of a group of undertakings only to a limited extent (Art. 4 No. 19 GDPR) and treats each company as a separate controller. This leads to complex legal requirements whenever personal data is to be exchanged between group companies. An experienced data protection lawyer can help to develop legally compliant structures.
For international groups with companies in different jurisdictions, there are additional complexities due to different national data protection laws and international data transfer regulations.
Legal basis of group data protection
Data protection in group structures poses particular legal challenges that require a differentiated view of the various roles and responsibilities under data protection law.
GDPR application in the Group
The GDPR distinguishes between different roles under data protection law, which are of particular relevance in group structures. According to Art. 4 No. 7 GDPR, each group company is in principle independently responsible, as a controller, for the personal data it processes. There is no group-wide controller by default; each company must fulfill the data protection requirements itself, even if the processing is carried out by a shared service center or a parent company.
Group companies may also act as processors within the meaning of Art. 4 No. 8 GDPR if one company processes data on behalf of another, for example a shared IT or HR service company. In this case, the rules on processing on behalf of a controller apply, in particular the requirement for a data processing agreement under Art. 28 GDPR.
Another important constellation is joint controllership in accordance with Art. 26 GDPR. This applies when several group companies jointly determine the purposes and means of processing, for instance for a group-wide CRM or HR system. In such cases, the companies involved must set out their respective responsibilities, in particular towards data subjects, in a transparent arrangement and make its essence available to the data subjects.
Data transfers between Group companies
Data transfers between group companies within the European Union and the EEA are subject to the normal GDPR provisions and require a legal basis in accordance with Art. 6 GDPR (and, for special categories of data, Art. 9 GDPR). They are not "transfers" in the sense of Chapter V GDPR and therefore need no additional transfer tool, since a uniform level of data protection applies throughout the EEA. They are not, however, automatically permitted: the legal basis, purpose limitation and transparency requirements still have to be met for each disclosure.
Data transfers to group companies outside the EU and the EEA are more complex. These third country transfers are governed by Art. 44 et seq. GDPR and require an appropriate transfer tool. An adequacy decision by the EU Commission under Art. 45 GDPR is the simplest solution, but is only available for a limited number of countries. Otherwise, appropriate safeguards under Art. 46 GDPR are needed: standard contractual clauses, binding corporate rules, an approved code of conduct or an approved certification mechanism.
Art. 6 para. 1 lit. f GDPR (legitimate interests) can serve as the legal basis for intra-group data exchange if the necessary balancing of interests comes out in favor of the group. Recital 48 GDPR expressly acknowledges that group companies may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, including client and employee data. The group's interests must nevertheless be weighed against the rights and freedoms of the data subjects in each case, and the balancing should be documented.
Binding Corporate Rules as a group solution
Binding Corporate Rules (BCR) are a solution specially developed for multinational corporations that offers considerable advantages in international data transfer.
What are Binding Corporate Rules?
Binding Corporate Rules are internal data protection rules of a multinational group that are approved by the competent supervisory authority under Art. 47 GDPR and serve as the appropriate safeguard (Art. 46 para. 2 lit. b GDPR) for international data transfers within the group. They create uniform group-wide data protection standards and are legally binding on, and enforceable by, all participating group companies and their employees.
The advantages of BCRs are manifold: they enable flexibility in group restructuring and only require a one-off approval process instead of bilateral agreements for each individual transfer. This makes them particularly attractive for large, internationally active groups.
The requirements for BCRs include a substantial international data transfer within a group, uniform group structures and controls, compliance with the minimum requirements under Art. 47 GDPR and comprehensive data protection governance.
BCR approval process
The approval process is managed by a lead supervisory authority, usually the authority in the member state where the group's EU headquarters or its EU entity with delegated data protection responsibilities is located. The lead authority reviews the draft BCR, submits it to the European Data Protection Board, which issues an opinion under the consistency mechanism (Art. 64 para. 1 lit. f GDPR), and then grants the approval. The involvement of the other authorities through this procedure adds to the complexity and duration.
The minimum content of the BCR must include the scope and structure of the Group, data protection principles and processing purposes, data subject rights and their enforcement, liability and legal remedies as well as training and audit programs.
The process typically takes 12 to 24 months, which must be taken into account when planning.
Group data protection organization
The organization of data protection in group structures can take various forms, each of which has specific advantages and disadvantages.
Centralized vs. decentralized structures
A centralized data protection organization is characterized by a Group-wide data protection officer, uniform data protection policies and procedures, central training and audit programs and efficient use of resources. This structure offers cost savings and ensures uniform standards.
In contrast, a decentralized data protection organization relies on local data protection officers in each company, enables better adaptation to local legal requirements, ensures proximity to operational business processes and ensures better local compliance.
Hybrid models combine central control with local implementation and often work with a Group Privacy Officer and local privacy managers. This structure combines the advantages of both approaches.
Data protection officer in the Group
A group of undertakings may appoint a single data protection officer for several group companies, provided that he or she is easily accessible from each establishment (Art. 37 para. 2 GDPR) and that no conflict of interest arises from other tasks (Art. 38 para. 6 GDPR). In the case of complex structures or very different business areas, it may make sense to have separate data protection officers for different group divisions or companies.
For smaller group companies, an external data protection officer can be an efficient solution, as they bring in specialized expertise without incurring high internal costs.
Data protection governance structures
A group-wide Privacy Committee can act as the body for data protection strategy and decisions. A standardized methodology for data protection impact assessments (Art. 35 GDPR) ensures that high-risk processing is assessed in the same way throughout the group.
Group-wide incident response procedures are essential for the coordinated handling of data breaches and for meeting the notification obligations under Art. 33 and 34 GDPR, in particular the 72-hour deadline for notifying the supervisory authority.
International data transfers within the Group
The international transfer of data within corporate groups poses particular challenges, which have been further exacerbated by recent legal developments.
Challenges with third country transfers
The CJEU's Schrems II ruling (C-311/18, 16 July 2020) has tightened the requirements for data transfers to third countries. A transfer tool such as standard contractual clauses or BCR is no longer sufficient on its own: the exporter must verify that the law and practice in the destination country do not undermine the protection the tool provides, and must implement supplementary measures where they do.
A transfer impact assessment evaluating the legal situation and the risks in the destination country is therefore required before relying on an Art. 46 GDPR tool for transfers to a country without an adequacy decision. Supplementary measures may be technical, contractual or organizational: end-to-end encryption with the keys held exclusively by the exporter in the EEA, pseudonymization where the additional information needed for re-identification stays with the exporter, additional contractual guarantees, or the exclusion of certain types of data. Truly anonymized data is no longer personal data, so the transfer rules do not apply to it, but the bar for anonymization is high and mere removal of names does not meet it. The EDPB's Recommendations 01/2020 on supplementary measures set out the conditions under which such measures are considered effective.
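To make the pseudonymization condition concrete, the following added example (not part of the original article, and not the law firm's material) shows the difference between an unkeyed hash, which the importer can reverse from its own address list, and a keyed pseudonym whose key and re-identification table never leave the EU exporter. The employee records, the domain example-group.eu and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data (not from the article): HR records held by an EU group
# company that a non-EEA affiliate needs for analytics, but not by name.
EU_RECORDS = [
    {"email": "anna.schmidt@example-group.eu", "country": "DE", "absence_days": 3},
    {"email": "jan.novak@example-group.eu", "country": "CZ", "absence_days": 7},
    {"email": "maria.rossi@example-group.eu", "country": "IT", "absence_days": 0},
]
DIRECT_IDENTIFIER = "email"


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Anyone who can enumerate candidate
    identifiers (e.g. the importer's own group directory) can recompute and
    reverse it, so this is not an effective supplementary measure."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key. Without the key the token cannot be
    recomputed, so a candidate list alone does not re-identify it."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str],
                      pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Importer-side re-identification attempt: recompute the pseudonym for every
    candidate identifier and compare it to the received token."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), token):
            return candidate
    return None


class EuExporter:
    """Hypothetical EU exporter. The HMAC key and the token-to-identity table are
    kept only here, inside the EEA; the importer receives tokens and attributes."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.lookup: dict[str, str] = {}  # token -> original identifier

    def export(self, records: Iterable[dict]) -> list[dict]:
        exported = []
        for rec in records:
            rec = dict(rec)  # do not mutate the exporter's own copy
            identifier = rec.pop(DIRECT_IDENTIFIER)
            token = keyed_pseudonym(identifier, self.key)
            self.lookup[token] = identifier
            rec["subject_id"] = token
            exported.append(rec)
        return exported

    def reidentify(self, token: str) -> Optional[str]:
        """Only the exporter can map a token back, e.g. to answer a data subject
        request relayed by the importer."""
        return self.lookup.get(token)


def demo() -> dict:
    candidates = [r[DIRECT_IDENTIFIER] for r in EU_RECORDS]  # importer's address list
    exporter = EuExporter()
    exported = exporter.export(EU_RECORDS)
    target = EU_RECORDS[1][DIRECT_IDENTIFIER]
    return {
        "naive_reversed": dictionary_attack(naive_pseudonym(target), candidates, naive_pseudonym),
        "keyed_reversed_without_key": dictionary_attack(
            exported[1]["subject_id"], candidates, naive_pseudonym),
        "keyed_reversed_wrong_key": dictionary_attack(
            exported[1]["subject_id"], candidates, lambda c: keyed_pseudonym(c, b"guess")),
        "exporter_reidentifies": exporter.reidentify(exported[1]["subject_id"]),
        "identifier_left_in_export": any(DIRECT_IDENTIFIER in r for r in exported),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point a transfer impact assessment should record is the last two results: the importer receives no direct identifier and cannot re-identify the tokens, while the exporter can, because only it holds the key. If the key or the lookup table were shared with the importer, the data would be directly identifiable there and the measure would add nothing.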
Standard contractual clauses in the Group
The standard contractual clauses adopted by the EU Commission in 2021 (Implementing Decision (EU) 2021/914) are modular and cover four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller. For each intra-group transfer, the module has to be selected according to the actual roles of the companies involved.
For group use, the clauses can be concluded as a single multilateral agreement among all group companies, and the optional docking clause (Clause 7) allows further companies to accede later, which provides flexibility in group restructuring. Uniform governance mechanisms, such as a central register of which modules apply between which entities, help to keep the framework manageable.
Special challenges of different types of groups
Different industries present specific data protection challenges that must be taken into account in the Group's data protection organization.
Technology groups
Cloud-based data processing imposes specific requirements on the security and location of data in international cloud services, including the question of which group company and which provider can access the data from where. Data protection-compliant development and the use of AI systems across group companies pose further challenges.
Platform business models must guarantee data protection for complex multi-sided platforms with different user types. The integration of privacy-by-design into fast development cycles of DevOps and agile development requires special attention.
Financial groups
Additional data protection obligations imposed by financial supervisory authorities such as BaFin or EBA must be taken into account. The data protection-compliant design of know-your-customer procedures and money laundering prevention poses particular challenges.
The consideration of various financial market regulations in international data transfers and data protection in automated trading systems and market data processing require specialized expertise.
Industrial groups
The Internet of Things and Industry 4.0 pose data protection challenges for networked production facilities and smart factory concepts. The data protection-compliant design of international supply chains in supply chain management is becoming increasingly important.
Predictive maintenance and the analysis of machine data as well as the consideration of local employee data protection regulations at international locations require special attention.
Pharmaceutical and medical groups
Health data is subject to special protection requirements in accordance with Art. 9 GDPR. International data transfers for multinational clinical trials must be carefully planned.
Data protection in approval procedures and pharmacovigilance as well as the Group-wide management of patient consent pose further specific challenges.
Data protection breaches in the Group
Dealing with data protection breaches in group structures requires special coordination and clear responsibilities.
Reporting obligations for group structures
In the case of group-wide data breaches, it must be clarified which group company is the controller for the affected processing, and therefore who must notify, and which supervisory authority is competent; for cross-border processing, the one-stop-shop mechanism (Art. 56 GDPR) points to the lead authority of the main establishment. Coordinated notifications help to avoid multiple or inconsistent notifications when an incident affects several group companies, while still meeting the 72-hour deadline of Art. 33 GDPR.
Cross-border incidents pose particular challenges in the event of data breaches with international implications. The clarification of internal responsibilities and rights of recourse between group companies should be regulated in advance.
Crisis management
Group-wide incident response teams enable a coordinated response to data protection incidents. A uniform external and internal communication strategy for major incidents is of crucial importance.
The coordination of forensic measures across Group companies and the maintenance of business operations during incident handling require well thought-out business continuity planning.
Checklist for Group data protection compliance
- Analyze the group structure and define the data protection roles (controller, processor, joint controllers) for each processing activity
- Map the data flows between all group companies
- Check the legal basis for all intra-group data transfers
- Implement BCR or SCC for international data transfers
- Carry out transfer impact assessments for all third country transfers
- Establish the data protection organization (centralized, decentralized or hybrid)
- Appoint a data protection officer in line with the group structure
- Harmonize guidelines and procedures across the group
- Develop training programs for all group levels
- Coordinate the incident response procedure across the group
- Conduct regular audits and compliance reviews
- Document all data protection measures
Strategic approach for sustainable Group data protection
Data protection in the Group requires more than mere compliance with regulatory requirements. Successful corporations integrate data protection as a strategic element in their governance structures and business processes.
A well thought-out data protection strategy not only creates legal security, but can also generate operational benefits and competitive advantages. The balance between central control and local flexibility is crucial for success.
Our law firm supports corporate groups in the development and implementation of legally compliant data protection structures. With our expertise in IT law and practical experience as external data protection officers, we develop tailor-made solutions that meet the specific requirements of your group.