Any exchange of data requires a legal basis. This fundamental principle applies not only to data transfers from a controller to an external third party. It applies equally to data transfers from one legal entity to another legal entity within the same group.
In general, two options are available for the exchange of customer data within a group:
- Transmission of data from one legal entity to another legal entity on the basis of consent.[1]
- Transfer of personal data on the basis of data processing on behalf (of the controller).
At first glance, data processing on behalf seems the easier option to implement in practice, since no communication with the customer is necessary. On closer inspection, however, the requirements for data processing on behalf exclude certain constellations of data processing within a group.
1. Requirements of ‘data processing’
The requirements for data processing on behalf apply equally to both situations: data processing by an external third party and data processing within a group.
According to Art. 28 GDPR the processor shall, inter alia,
- act solely on the basis of a contract with the controller and adhere to the instructions of the controller,
- provide adequate technical and organisational security measures,
- not engage another (sub-)processor without authorisation,
- bind its staff to confidentiality,
- make available to the controller all information necessary to demonstrate compliance with the GDPR.
WP29[2] has defined how far the controller's instructions reach and what leeway remains with the processor. WP29 states that the controller shall determine the purpose of the processing, whereas the means of the processing may be delegated to the processor. WP29 understands the means as the technical or organisational aspects of the processing.[3] As a consequence, the technical and organisational measures (TOMs) according to Art. 32 GDPR may be defined by the processor.
2. Parent company as ‘data processor’?
When the concept of data processing on behalf is transferred to a group, the question arises whether a parent company may at the same time act as processor for its subsidiaries. To elaborate this aspect, a look at the definitions of the GDPR is helpful.
The GDPR defines a ‘group of undertakings’ in Art. 4 (19) as a controlling undertaking together with its controlled undertakings. Recital 37 further states that
“…the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented.” [4]
A further insight is provided by the WP29 guidelines on the lead supervisory authority, since the lead authority depends on the place of the main establishment of a group. In that working paper WP29 describes the main establishment of a group as the place
“…where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented.”[5]
Therefore, the main establishment of the group cannot at the same time be a processor for a subsidiary: the main establishment defines the purposes of the processing for the group, and the legal entity which defines the purposes is the controller and cannot be the processor.
It follows that neither the main establishment nor a parent company with dominant influence can at the same time act as processor on behalf of its subsidiaries. The WP29 opinion on the concepts of ‘controller’ and ‘processor’ underlines that the factual influence and the concrete circumstances of the individual case determine controllership.[6]
3. Exemption from GDPR requirements for data exchange within a group?
From an economic standpoint there is a need to ease the requirements of data protection within a group in order to offer easy and cost-effective ways of consolidating the IT infrastructure. Recital 48 GDPR reflects this need by stating:
“Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.”
But Recital 48 does not establish a general exemption from the GDPR requirements. It only recognises a legitimate interest of the undertaking. This legitimate interest is weighed against the right to data protection of the data subject and can provide a legal basis according to Art. 6 (1)(f) GDPR.
For example, the legitimate interest of a group may outweigh the right to data protection of its employees to the extent that the contact details of the employees of all subsidiaries are published group-wide in the intranet. But the legitimate interest of a group in consolidating its IT infrastructure does not outweigh the right to data protection of customers whose data would be stored in a central database without their consent having been asked.
4. Risk of breach
An infringement of the rules on data processing on behalf has the consequence that the processor is considered to be a controller and faces the risk of fines and damages.[7]
[1] See press release of the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, https://datenschutz-hamburg.de/pressemitteilungen/2018/03/2018-03-02-oberverwaltungsgericht-best%C3%A4tigt-verbot-des-datenaustauschs-zwischen-whatsapp-und-facebook
[2] Article 29 Working Party
[3] Article 29 Working Party, WP 169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, page 32
[4] Recital 37 GDPR: “A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.”
[5] Article 29 Working Party, WP 244 rev.01, Guidelines for identifying a controller or processor’s lead supervisory authority, as last revised and adopted on 5 April 2017, page 5
[6] Article 29 Working Party, WP 169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, page 8
[7] Article 29 (10) GDPR.