10-01-2025 Article

DATA ACCESS WITHIN THE COMPANY GROUP: Are companies permitted to access the IT systems of parent, sister, or subsidiary companies?

Update Data Protection No. 218

Data transfers within the group via central HR systems, shared IT infrastructures, or the bundling of specialist functions in shared services units are part of everyday life for many companies. While this promises organizational efficiency, each company remains independently responsible for data protection. This raises complex questions about the permissible legal basis, the structure of responsibilities, and the technical security of shared systems. Companies in group structures are therefore required to align their internal structures with the requirements of the GDPR in order to avoid legal risks and at the same time be able to take advantage of group-wide cooperation. The following section outlines the legal framework, possible models of cooperation, and practical recommendations for action. The aim is to highlight key challenges and show ways in which groups can make their data processing legally compliant.

I. Legal framework

Even within a group, each company is an independent controller within the meaning of Art. 4 No. 7 GDPR in terms of data protection law. The regulation does not provide for an automatic "group privilege" that would generally allow internal data flows within the group. Any transfer of or access to personal data between affiliated companies therefore constitutes processing that requires a legal basis in accordance with Art. 6 GDPR.

This is particularly relevant in the context of employment. Although Section 26 of the German Federal Data Protection Act (BDSG) contains specific provisions on the processing of employee data, it does not grant general permission for intra-group data transfers. This means that the general permissions under the GDPR also apply here. Even the mere retrieval or reading of personnel data is considered processing and must be legitimized. To this end, not only must the appropriate legal basis under the GDPR be determined and documented, but additional contracts between the group companies may also be mandatory – such as agreements on joint responsibility or data processing agreements.

II. Permissible models of cooperation

This raises the question of the legal basis on which joint data use is permissible. Depending on the form of organization, different models can be considered, which differ in scope, legal certainty, and practical feasibility.

One option is to integrate employees into different companies organizationally through multiple employment contracts. Anyone who is legally employed by both companies may also work for both. In this case, data exchange is justified under Art. 6 (1) (b) GDPR, as processing is necessary for the performance of the respective employment contracts. However, this model involves considerable administrative effort, as each additional contract entails additional rights and obligations.

A more flexible model is the contractual transfer of tasks to another company within the group. If, for example, one company commissions another to provide certain services, the personal data required for those services may be processed and passed on within this framework. It is important here to define the purpose of the data transfer precisely: not all existing employee data is relevant or may be transferred, but only the data necessary for the specific task to be performed. This model can be set out in a service agreement, an outsourcing contract, or a so-called shared services agreement.

However, determining the correct legal basis in these cases is significantly more complex, because while outsourcing payroll accounting or the purchase of certain IT programs may still be justified by the contractual necessity under Art. 6 (1) (b) GDPR, this is by no means the case for every data transfer.

Alternatively, obtaining consent is theoretically conceivable. In practice, however, this approach regularly fails due to the strict requirements for voluntariness in the employment relationship. Employees can revoke their consent at any time, and their actual freedom of choice is considered limited due to the relationship of dependency. Consent is therefore often not a reliable basis in a corporate context.

Finally, there is the option of securing intra-group data flows via references in employment contracts. So-called group dimensionality or matrix clauses can ensure that an activity is explicitly group-wide and that data transfers are part of the employment relationship. This would also allow a transfer to be based on Art. 6 (1) (b) GDPR. In practice, however, such clauses are usually only realistic for newly concluded contracts. For existing contracts, the only option is often to weigh up the interests in accordance with Art. 6 (1) (f) GDPR, which must be documented with particular care.

In addition, the question arises as to whether further contracts must be concluded alongside the outsourcing contract. Especially in a group of companies, it is not easy to distinguish between joint responsibility, where several companies jointly determine the purposes and means of processing, and processing on behalf of another company that is strictly bound by that company's instructions.

In cases where tasks are actually completely outsourced and taken over by a central unit, there is usually joint responsibility within the meaning of Art. 26 GDPR. This requires an explicit agreement between the companies involved, which specifies the respective roles, responsibilities, and obligations in detail. This model is often the most legally secure option, especially for centralized HR or IT functions, because it best reflects the actual processes and creates transparency for the employees concerned.

In addition, there are constellations in which one company merely acts on behalf of another. This is contract processing in accordance with Art. 28 GDPR. The contractor processes the data exclusively on behalf of and according to the instructions of the client, and is therefore not permitted to pursue its own purposes. This solution makes sense if the service character is clearly in the foreground and there is no independent decision-making authority. However, contract processing within a group also entails risks, as it is often outsourced to the parent company – and it is not always possible to prove that the parent company is strictly bound by instructions from the subsidiary.

Overall, it is clear that legal protection for intra-group data flows is possible, but requires careful selection of the appropriate model. It is crucial that each solution accurately reflects the actual processes and at the same time complies with the principles of purpose limitation, data minimization, and transparency.

III. Recommendations for action

Companies that want to set up group-wide HR or IT structures or consolidate existing data flows should examine how the requirements of the GDPR can be implemented in a legally compliant manner. It is crucial that not only the technical side is kept in mind, but that clear organizational and legal regulations are also put in place.

Firstly, it is advisable to make internal group processes transparent and to document exactly which data is processed by which company and for what purpose. On this basis, it is possible to determine which legal basis is relevant and which model – joint responsibility, contract processing, or, in exceptional cases, separate data protection responsibility – best reflects the actual processes.

Secondly, the roles and responsibilities should be clearly defined in the relevant agreements. The clearer the rules are regarding who performs which function and what data is actually required for this, the easier it is to prove legality to supervisory authorities and affected employees.

Thirdly, technical safeguards are essential. These include strict authorization concepts, client separation in shared systems, and complete logging of accesses. This prevents employees from accessing data from other companies without authorization or mixing information in an uncontrolled manner.

Fourthly, companies should raise awareness among their employees who work across the group through internal guidelines and training. Only if employees know exactly what role they are acting in and what data they are allowed to use can legal risks be avoided in the long term.

IV. Conclusion

Intra-group data transfers are possible, but require a clear legal and organizational basis. Since there is no general group privilege, companies must base every access and transfer of personal data on the relevant legal basis and align their processes accordingly. Clear agreements between the companies involved, transparent role assignments, and technical safeguards through authorization concepts and client separation are indispensable in this regard.

Those who take these requirements into account not only avoid fines and conflicts with supervisory authorities, but also build trust among employees. In this way, corporations can leverage the efficiency advantages of shared structures while ensuring the legally compliant processing of employee data.

This article was created in collaboration with our student employee Emily Bernklau.
