Companies that are affiliated to a group must comply with the provisions of the EU General Data Protection Regulation (GDPR) when exchanging personal data between different group companies.
In recital 48 of the GDPR, the EU legislator has recognised in principle that there may be a legitimate interest in exchanging data between different group companies. However, this recital does not contain a general permission to exchange data within a group. Rather, it is an indication that it must be evaluated in each individual case whether a data exchange can be based on Art. 6(1)(f) of the GDPR.
A data protection-compliant exchange of personal data within a group of companies always presupposes that the principle of data minimisation laid down in Art. 5 GDPR is observed. It must therefore always be examined whether and to what extent an exchange of data is necessary at all and whether the exchange of pseudonymised or anonymised data would be sufficient.
Next, it should be examined on which legal basis the data exchange can be based and whether additional legal texts need to be drawn up for this purpose. In particular, an agreement on commissioned processing, agreements on joint responsibility of several companies, a permission resulting from the purpose of an individual contract, a written consent of the data subject or a works agreement can be considered.
We advise group companies on all questions of data protection within the group and create legally secure templates for the necessary legal texts.
Do you have any questions or require our consultation?
Contact us. We will be glad to help you further.