Under the new General Data Protection Regulation (“GDPR”), cross-border data transfer within groups of undertakings operating internationally will be challenging. On the one hand, group companies wish to share as much data as possible, on the other hand violations of the rules can result in fines of up to 20,000,000 EUR, or up to 4 percent of a company's total global sales in the previous financial year, whichever is higher.
In exactly the same way as other international transfers, international data transfer within a group of companies requires a two-step check on lawfulness. As a first step it needs to be assessed whether the transfer of personal data from one company to another is lawful under Art. 6 (1) GDPR or any other legal basis such as the consent of the data subjects concerned. In a second step it needs to be assessed whether the data importer provides for an adequate level of data protection.
The first step requires particular attention by data controllers, as even the mere access to personal data is considered as transfer of personal data. In other words, if a group company accesses data of another group company, for example through use of a shared personnel database, this requires a legal basis under data protection law. If the group company is based in a country outside the European Economic Area (EEA) (so-called third country), the rules governing the transfer of personal data to third countries apply in addition (second step).
Recital 48 Sentence 1 GDPR states that controllers who are part of a group of companies can have a justified interest in transferring personal data within the group of companies for internal administration purposes, including the processing of personal data of customers and employees. However, this does not mean that any sharing of personal data within an international group of companies is admitted under the GDPR. In particular, the GDPR does not provide for any group privilege. However, the recital can support arguing that the transfer is in the justified interest of the exporting company pursuant to Article 6 (1) point f) GDPR and therefore legal, unless the interests or fundamental rights and fundamental liberties of the data subject, requiring the protection of personal data, prevail. This does not, however, apply if sensitive data (special categories of personal data pursuant to Art. 9 GDPR) are to be transferred. Sensitive personal data includes, for example, health data and data on religious beliefs, which are regularly a constituent of the personnel file. These data can be transferred only within the very tight constraints of Art. 9 GDPR, Section 26 (4) BDSG New, or with the express consent of the data subject.
In the case of intragroup data transfer within the EEA, no particular restrictions apply provided the first step yields a positive result.
If the data recipient is located in a country outside the EEA (i.e. in a so-called third country), an adequate level of data protection must be ensured at the data recipient in the third country.
How this can be done is set out in Articles 44 et seq. GDPR.
a) Adequacy decision by the European Commission (Article 45 GDPR)
Personal data can be transferred to a third country if the European Commission has established via an adequacy decision that an adequate level of data protection exists in this country (Article 45 GDPR). Account must be taken of the fact that the certification of the adequate level of data protection can also be limited to a specific area in the third country, or can apply solely to selected categories of personal data. Adequacy decisions of the European Commission confirming that an appropriate level of data protection already exists in a third country will also remain applicable under the GDPR, Article 46 (5) Sentence 2 GDPR.
The European Commission has thus far confirmed an adequate level of data protection in the following countries:
The EU and Japan are currently negotiating a free trade agreement. In this context, the European Commission is also expected to issue an adequacy decision for Japan. A current list of recognized third countries can be accessed here.
In its decision dated July 12, 2016, the European Commission established that the provisions of the EU-US Privacy Shield also provide an adequate level of data protection. The European Commission presented an initial audit report on October 18, 2017, according to which the EU-US Privacy Shield has thus far proven itself.
b) Existence of appropriate safeguards (Article 46 GDPR)
If no adequacy decision is available, the adequate level of data protection must be ensured by other means. These can take the form of a legally binding and enforceable instrument between public authorities or bodies, binding internal data protection rules (Binding Corporate Rules ("BCR")), EU standard contractual clauses (EU Model Clauses) or individually negotiated contractual clauses.
(1) BCR (Article 46 (2) b) GDPR, Article 47 GDPR)
By means of BCR, a group establishes its own rules for the processing of personal data, including in third countries. These must be binding on all companies involved within the group. BCR must ensure a level of protection that corresponds essentially to that of the GDPR. BCR must be approved by the responsible supervisory authority, Art. 47 (1) in conjunction with Art. 63 GDPR.
(2) Model Clauses (Article 46 (2) c) and d) GDPR)
The use of the EU standard contractual clauses can also ensure an adequate level of data protection. They must be used word-for-word as a general rule. It must, however, be noted that the standard contractual clauses are currently being checked by the ECJ (as reported in our Update no. 29). Their continued existence could be at risk as a result.
(3) An approved code of conduct and an approved certification mechanism (Article 46 (2) e) and f) GDPR)
The GDPR introduces data transfer on the basis of an industry-specific code of conduct (Article 40 GDPR) and an approved certification mechanism (Article 42 GDPR) as a new means of ensuring an appropriate level of data protection. Nevertheless, these instruments must be provided together with legally binding commitments of the controller (and, as the case may be, processor) and must be approved by the competent supervisory authority.
(4) Individually negotiated contractual clauses (Article 46 (3) GDPR)
Individually negotiated agreements can also constitute a legal basis for the transfer of data to a third country. However, such agreements require approval by the responsible supervisory authority and the implementation of a consistency mechanism (Article 63 GDPR).
Intragroup data transfer will always require the presence of an objective reason that forms the basis for the assessment of whether a legal basis for the transfer pursuant to Art. 6 (1) GDPR applies. In particular, the instruments for a legal transfer of personal data to third countries must be carefully chosen. Current developments in case law may make such transfer of data even more difficult, see Safe Harbor (Updates nos. 1, 2). Given the significant fines, there is also a need to be very diligent when setting up intragroup transfers.