SITTIG LAW Law Firm Blog

Can personal data be passed on within a group?

Personal data may only be transferred within a group of companies under certain legal conditions. The GDPR treats each group company as an independent controller within the meaning of Art. 4 No. 7 GDPR, which is why data transfers between group companies require a legal basis. Legitimate interests, order processing or joint responsibility can legitimize such transfers. An experienced data protection lawyer can help to develop legally compliant group structures and minimize compliance risks.
Contents

The most important facts at a glance

Basic legal situation for group data transfers

The transfer of personal data within a corporate group is a complex data protection law issue that poses significant challenges for many companies. While corporate groups operate economically as a single unit, the General Data Protection Regulation (GDPR) generally treats each group company as a separate legal entity.

This means that the transfer of personal data between group companies is generally subject to the same legal requirements as data transfers to completely unrelated third parties. There is no automatic „group privilege“ in European data protection law.

Nevertheless, data transfers within corporate structures are quite possible and legally permissible under certain conditions. The crucial factors are choosing the right legal basis and properly implementing data protection requirements. An experienced Lawyer for data protection can help develop legally sound corporate structures and minimize compliance risks.

Legal Basis for Intra-Group Data Exchange

General Data Protection Regulation and Corporate Structures

The GDPR contains only a few specific provisions for corporate group structures. Although Art. 4(19) GDPR defines the term „group of undertakings,“ this term does not play a central role in the permissibility of data transfers. Instead, the general provisions of the GDPR apply. Each group company is generally an independent controller within the meaning of Art. 4(7) GDPR if it decides on the purposes and means of processing personal data. This results in the requirement of a legal basis for each data transfer between group companies in accordance with Art. 6 GDPR.

Possible legal bases for corporate data transfers

The most important legal bases for sharing personal data within corporate structures are the data subject's consent (Art. 6(1)(a) GDPR), necessity for contract performance (Art. 6(1)(b) GDPR), legal obligation (Art. 6(1)(c) GDPR), and the safeguarding of legitimate interests (Art. 6(1)(f) GDPR). In practice, Art. 6(1)(f) GDPR plays the most significant role in internal corporate data exchange. Legitimate interests can include economic efficiency, consistent customer service, risk management, or compliance requirements, always requiring a balancing of interests.

Special categories of personal data

For special categories of personal data according to Art. 9 GDPR (such as health data, ethnic origin, political opinions), stricter requirements apply. Here, legitimate interests are not sufficient; instead, one of the specific legal bases under Art. 9(2) GDPR is required. The same applies to personal data on criminal convictions and offenses according to Art. 10 GDPR, where processing by private companies is only permissible within very narrow limits.

Models for Collaboration Within the Group

Order processing between group companies

A proven model for the legally compliant transfer of personal data within corporate structures is data processing on behalf of another entity pursuant to Article 28 of the GDPR. In this arrangement, one group company processes data on behalf of another group company, with the commissioning company remaining the data controller and the contracting company becoming the data processor. This requires a written data processing agreement pursuant to Article 28(3) of the GDPR. Data processing offers the advantage that the transfer is not considered a disclosure to a third party; however, the purposes of use are limited to the original purposes of the controller.

Joint responsibility within the group

If several group companies jointly decide on the purposes and means of processing, joint responsibility within the meaning of Art. 26 GDPR applies. This can be the case for group-wide projects, shared IT systems, or uniform customer databases. Joint controllers must transparently define in an agreement who fulfills which obligations and are jointly and severally liable to the data subjects. This model is particularly suitable for cases where several group companies actually jointly decide on data processing.

Classic data transfer between responsible parties

The third possibility is the classic data transfer between legally independent controllers. In this case, both the transmitting and the receiving company require their own legal basis according to Art. 6 GDPR. The transmitting company must check whether the transfer is compatible with the original processing purposes, while the receiving company must in turn have a legal basis for processing.

Practical use cases in the corporation

Human Resources and HR Data Exchange

In human resources, situations frequently arise where employee personal data needs to be exchanged between group companies – for transfers, company-wide training programs, unified HR systems, or payroll processing by shared service centers. A legal basis is regularly required for employee transfers, such as consent, the necessity for contract fulfillment, or processing under Section 26(1) of the German Data Protection Act (BDSG). Employee health data is particularly sensitive, where the stricter requirements of Article 9 of the GDPR apply.

Customer Data Management

Many corporate groups want to have a unified view of their customers and use customer data across the group for cross-selling activities, consistent customer service, or risk assessments. In principle, the transfer of customer data between group companies is permitted if there is an appropriate legal basis. In the case of existing customer relationships, this can be justified on the basis of legitimate interests, provided that the balancing of interests yields a positive result. The situation becomes critical when customer data is to be used for entirely new purposes that are incompatible with the original purposes of processing.

Compliance and Risk Management

Corporations have legitimate interests in identifying risks early and complying with regulatory requirements. This may necessitate the transfer of personal data for anti-money laundering checks, sanctions list screenings, or internal investigations. It is crucial to carefully assess whether the processing is necessary for compliance with legal obligations or for safeguarding legitimate interests, while always ensuring proportionality.

IT Services and Shared Services

Many corporate groups operate centralized IT services or shared service centers for multiple group companies. In such cases, the data processing model is often appropriate, whereby the service-providing company acts as a data processor. However, the Data Protection Conference (DSK) points out that, in cases of cooperation without instructions, joint responsibility or independent responsibility may exist. This requires appropriate data processing agreements and compliance with the requirement to act in accordance with instructions.

International Corporate Structures and Third-Country Transfers

Special challenges for international corporations

When it comes to international corporate structures, additional complexities arise when personal data is to be transferred to countries outside the European Union. Such third-country transfers are subject to the stricter requirements of Art. 44 et seq. GDPR and are only permitted if an adequate level of protection is guaranteed. This can be achieved through an adequacy decision by the EU Commission, appropriate safeguards such as standard contractual clauses or binding corporate rules, or by the existence of an exception under Art. 49 GDPR.

Transfer Impact Assessments

Following the Schrems II ruling by the European Court of Justice and the recommendations of the European Data Protection Board, an assessment of the level of protection in the third country („Transfer Impact Assessment“) must be carried out before any transfer to a third country. This assessment must examine whether the laws and practices in the destination country ensure a level of protection essentially equivalent to that of the GDPR. If this is not the case, additional safeguards such as end-to-end encryption or supplementary contractual guarantees must be implemented.

Binding Corporate Rules as a group solution

For large international corporations, Binding Corporate Rules (BCRs) offer an elegant solution for intra-company data transfers to third countries. BCRs are internal data protection regulations approved by European supervisory authorities, serving as the legal basis for all international data transfers within the company. Implementation is complex and typically takes 12–24 months, but offers the advantage of uniform company-wide data protection standards and flexibility during corporate restructuring.

Information obligations and data subject rights

Transparency toward Data Subjects

Regardless of the chosen cooperation model, affected individuals must be informed about the sharing of their data within the corporate group. The information obligations according to Art. 13 and 14 GDPR require that affected individuals be informed about the recipients or categories of recipients. In practice, this means that information must be provided at the very first data collection that the data may be shared with other group companies.

Information rights and other data subject rights

Affected individuals have the right to know what of their data is processed within the group and to whom it has been disclosed. Therefore, in response to information requests, all group companies must respond in a coordinated manner. The same applies to other data subject rights such as the right to rectification, erasure, or restriction of processing – corresponding measures must be coordinated group-wide.

Technical and organizational measures

Data security in internal corporate transfers

The transfer of personal data within the corporate group requires adequate technical and organizational measures to protect the data. This includes both the security of data transmission and the security of data storage at the receiving entity. Encryption, access controls, logging, and regular security audits are important building blocks that must be proportionate to the risk of processing.

Data minimization and purpose limitation

The principles of data minimization and purpose limitation also apply to intra-company data transfers. Only the data that is necessary for the specific purpose may be passed on. A blanket transfer of all available data is not permissible. The receiving group company may, in principle, only use the data received for the purposes for which it was transmitted.

Common Mistakes and Compliance Risks

Underestimated complexity

A common mistake is underestimating the legal complexity of intra-group data transfers. Many companies assume there is a „free pass“ for data processing within the group. However, this is a misconception that can lead to significant compliance risks. Supervisory authorities have already imposed hefty fines on corporations that exchanged personal data between group companies without a sufficient legal basis.

Incomplete documentation

Another common problem is the incomplete documentation of data transfers. According to Art. 30(1) of the GDPR, comprehensive documentation of all processing activities, including onward transfers, is required. Without proper documentation, a compliance assessment is hardly possible, and no clear evidence can be provided in the event of data protection incidents or audits.

Missing balancing of interests

When invoking legitimate interests according to Article 6(1)(f) GDPR, a careful balancing of interests is required. However, many companies only conduct this balancing superficially or do not document it sufficiently. The balancing of interests must consider the specific interests of the company, the necessity of data processing, the impact on the data subjects, and possible less intrusive means.

Checklist for Legally Compliant Corporate Data Transfers

To legally transfer personal data within a group of companies, the following points should be considered: First, check whether a data transfer actually occurs or whether alternatives such as order processing are possible. For each transfer, determine an appropriate legal basis according to Art. 6 GDPR and, in cases of legitimate interests, conduct a documented balancing of interests. Transparently inform the data subjects about the intra-group data transfers and ensure that all data subject rights can be coordinated and fulfilled. Implement appropriate technical and organizational measures to protect the transferred data.

For international transfers, check third-country requirements and conduct a Transfer Impact Assessment. Document all transfers thoroughly and regularly review legality and necessity. Train your employees regularly on legal requirements and establish clear approval processes. For complex group structures, consider implementing Binding Corporate Rules or other group-wide data protection solutions.

Practical tips for implementation

Step-by-step procedure

Begin by conducting a comprehensive inventory of all current data transfers within your group. Create a data map that visualizes all data flows between group companies. Then, assess each identified transfer for its legality, prioritizing transfers with high data volumes or sensitive data. Develop solution concepts for problematic transfers, which may include new legal bases, switching to order processing, or obtaining new consents.

Governance and Organization

Establish clear governance structures for internal data exchange within the group with defined responsibilities and approval processes. A central Data Governance Committee can help enforce uniform standards. Implement technical solutions to support compliance, such as Data Loss Prevention systems or Privacy Management platforms. Conduct regular audits and compliance checks, as legal requirements are constantly changing.

Strategic Approach for Legally Compliant Group Cooperation

The transfer of personal data within corporate structures is generally possible, but requires careful legal planning and implementation. The GDPR offers various tools to enable legally compliant and efficient group cooperation. It is crucial to consider the legal requirements from the outset and not treat them as a downstream compliance exercise.

We support corporations in developing legally compliant data transfer strategies. With our expertise in IT law and practical experience as external data protection officers, we develop customized solutions that meet the specific requirements of your corporate structure and enable efficient collaboration within the group.

Frequently asked questions

Yes, but only with the appropriate legal basis. The GDPR treats each group company as an independent controller, which is why the same rules apply to data transfers between them as for third parties.

Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR are often used. However, these require a careful balancing of interests. Alternatively, contract processing or joint controllership may be suitable.

Yes, the information obligations under Art. 13/14 GDPR require that data subjects are informed about recipients or categories of recipients of their data.

Yes, a data protection officer can be responsible for several Group companies, provided he or she is easily accessible to all of them and there are no conflicts of interest.

Employee data can be passed on for transfers, HR services or payroll accounting. Consent is often required or processing is necessary for the fulfillment of a contract.

Yes, data transfers to third countries are subject to the stricter requirements of Art. 44 et seq. GDPR APPLY. Transfer impact assessments and suitable guarantees such as standard contractual clauses are required.

BCRs are internal data protection regulations for international groups that are approved by the supervisory authorities. They are suitable for large corporations with regular international data transfers.

Yes, this is a tried and tested model. The contracting company becomes the processor and requires a data processing agreement in accordance with Art. 28 GDPR.

The supervisory authorities can impose fines of up to 4% of global annual turnover. Claims for damages by affected persons are also possible.

An annual review is recommended. In the event of major group restructuring, new business areas or changes in the legal situation, you should check more frequently.

Hamburg location
Head office
Martinistrasse 11
20251 Hamburg
Phone: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559
Kassel location
Branch office
Motzstrasse 1
34117 Kassel
Phone: +49 (0) 561 510 053 80
Fax: +49 (0) 561 510 053 99
Frankfurt location
Branch office
Oeder Weg 11
60318 Frankfurt am Main
Phone: +49 (0) 69 710 471 070
Fax: +49 (0) 69 710 471 079
SITTIG LAW
Lawyer.
Specialist lawyer for criminal law.
Specialist lawyer for IT law.

[email protected]
Hamburg location
Head office
Martinistr. 11
20251 Hamburg
Tel: +49 (0) 40 808 125 550
Fax: +49 (0) 40 808 125 559

Contact form