Corporation privileges in data protection
Data processing between entities within a corporate group according to the GDPR
For internationally active corporations, the cross-border transferral of personal data to individual, legally independent entities within a corporate group based outside of Germany, whether in other European countries or outside of the European Economic Area, poses a great challenge. All the same, corporations have an interest in transferring and collecting personal data within a corporate group in order to have, for example, a centralised personnel management system or a corporation-wide communications directory.
The prevailing legal situation under the German Federal Data Protection Act, Section 28(1) BDSG
Under the German Federal Data Protection Act (BDSG), permission for such data transferral can be granted on the basis of Section 28(1) no. 2 BDSG. This provision allows data transferral if it is necessary to preserve the legitimate interests of the company, provided the legitimate interest of the data subject does not outweigh them. Thus, the interests of the company and of the data subject must be balanced. Even if the data subject can claim a legitimate interest, this does not automatically mean that the rights of the individual regularly outweigh those of the company. On the contrary, which interest carries the greater weight is to be determined in a fair manner. It therefore cannot be ruled out that the rights of an individual may have to yield in an individual case. A legitimate interest must be of a legally permissible economic, real or idealistic nature. A ‘general corporate interest’ is not sufficient, as legislators have deliberately decided against corporate privileges, that is, against facilitated transferral of personal data between individual affiliates of one corporation. Furthermore, it cannot be simply any arbitrary interest, but must relate directly to the intended data processing and be of an essential nature. Merely furthering the purpose is not sufficient.
Processing of employee data
For the processing of employee data, the special rule in Section 32 BDSG, which allows the processing of an employee’s personal data only if this is necessary for establishing or carrying out the employment relationship, applies alongside Section 28(1) no. 2 BDSG (or, according to some, even displaces it). Legitimisation cannot be achieved merely through a useful purpose. For example, the establishment of a corporation-wide database of employee data is not essential, even though it would clearly be of use to the Human Resources Department. However, permissibility on the basis of Section 32 BDSG can be achieved if the contractual conditions themselves demonstrate a corporation-wide relevance, for example if the employee concerned regularly works at the company’s different locations or is prepared from the outset to be deployed across the entire corporation.
Intra-corporate data processing can be enabled through works agreements, as these constitute ‘any other legal provision’ as defined in Section 77 German Works Constitution Act and in accordance with Section 4(1) sentence 1 var. 1 BDSG, and can therefore provide a basis for data protection permissibility. Therefore, if the processing of employee data is thoroughly regulated in the works agreements, data of this nature can be transferred to other companies within the corporate group. This, however, only applies to transferrals between companies within Germany.
The General Data Protection Regulation and the ‘small corporate privilege’
With the General Data Protection Regulation (GDPR) coming into force, it was initially not clear to what extent the prevailing legal situation would change. Contrary to all fears of change, the permissibility obtained through the balancing of interests outlined in Section 28(1) no. 2 BDSG will, for the most part, be maintained in parallel in Article 6(1)(f) GDPR. It is certainly a relief to corporations that both internal purposes and the legitimate interests of third parties can be considered when balancing interests. On the other hand, any hope companies had of the introduction of a corporate privilege through the GDPR has been disappointed. Still, Recital 48 contains a so-called ‘small corporate privilege’, which clarifies that corporate groups can have a legitimate interest in transferring personal data within the corporate group. This is stated with reference equally to both customer and employee data. However, this means little more than that corporate interests must be considered in the balancing of interests outlined in Art. 6(1)(f) GDPR.
‘Legitimate interests’ should be interpreted broadly with reference to Recital 47 sentences 2, 6 and 7. For example, the existence of a legal relationship between the person responsible (controller) and the person concerned (data subject) is already sufficient justification for a legitimate interest. According to the recital, it is enough for the data subject to be a customer of the controller, or employed by them. Direct marketing is also named as a possible legitimate interest. However, one aggravating factor is that data processing based on a balancing of interests carries greater risks than in the past, as the data subject will have the right to object to data processing in accordance with Art. 21(1) GDPR, and must be informed of that right.
An internal contract on corporation-wide data transfer, also called a Company-to-Company Agreement, can enable data transferral between entities within a corporate group. This contract should be drafted so that the level of data protection is set higher than prescribed by law, in order to guarantee that the interests of the data subject are not compromised. This does not render the balancing of interests obsolete; however, given the protective function of the Company-to-Company Agreement for the interests of the data subject, the content requirements placed on the company’s interests are correspondingly lower. To achieve this effect, the Company-to-Company Agreement must fulfil certain content requirements and actually exceed the level of legal protection provided by the BDSG or the GDPR respectively.
In comparison with the current legal situation under the BDSG, the question arises as to whether works agreements can continue to provide a basis for permissibility as under Section 4(1) sentence 1 BDSG. The affirmative answer to this question is given by the opening clause of Art. 88 GDPR, in connection with the associated recital: under the GDPR it is equally possible, by way of law or collective agreement, to create specific rules that guarantee the protection of the rights and freedoms of data subjects in the processing of personal or employee data. Thus, there is broad consistency with the provisions of Section 28(1) no. 2 BDSG.
Data transferral outside of the EU
While the provisions discussed so far do concern cross-border matters, they are limited to EU member states and countries within the European Economic Area. In the case of data transferral from a corporation situated in Germany to a company situated outside of the EU, a so-called two-step check must be carried out. In addition to the principal conditions, namely permissibility or the provision of consent, the intended third country must have an ‘adequate level of protection’. Unlike for EU member states, the existence of adequate data protection must be assessed separately for third countries. Such an assessment can be conducted with reference to the nature of the data, the purpose and the duration of the planned processing, as well as the country of origin and of final destination.
The findings of the EU Commission’s separate assessment based on Article 25(4) and (6) of Directive 95/46/EC are binding. Argentina, Australia, Switzerland and Canada have been found to have an adequate level of data protection; China, India, Brazil, Japan and Russia have not.
In the case of an insufficient level of data protection, one can fall back on the provisions of Section 4c(1) BDSG or Section 4(2) sentence 1 BDSG. The latter offers an alternative, allowing the competent data protection authority to approve data transferral to a third country, provided the transferring corporation demonstrates sufficient guarantees for the protection of personal data. These guarantees can take the form of contractual clauses or ‘Binding Corporate Rules’.
Summary and recommended course of action
Although the central regulatory provisions of the BDSG concerning intra-corporate data processing will remain the same once the GDPR has come into force, there will still be a number of resulting changes. It is therefore recommended, wherever Company-to-Company Agreements are necessary as grounds for permission, to review their content in light of the requirements of the GDPR. It will in future be especially important to ensure that the information on data processing is clear and intelligible (Article 12 GDPR), that the obligations to provide information are fulfilled (Article 14, 14(a) GDPR) and that the data subject is sufficiently informed of their rights and how to exercise them (Article 15 et seq. GDPR).