The transfer of personal data between group companies is very common in many companies; this can be done for various reasons - for example, to be able to pursue joint strategies efficiently, to roll out (inter)national projects, to centralise HR and administration in a cost-effective and resource-efficient way, etc.
In practice, one thing is often overlooked: the exchange of data within a group of companies is not permitted just like that. In principle, the requirements for data transfer or contract data processing must be fulfilled as if working with an external company. This also applies to the use of so-called "shared services", i.e. the joint use of centrally managed data by several companies in a group. Sending staff or customer data to a foreign branch by e-mail also counts as a data transfer under data protection law.
The so-called "small group privilege" of the GDPR facilitates a few things - for example, it enables a group of companies to appoint a group data protection officer or specifies criteria for balancing of interests within the framework of the legitimate interest. Accordingly, data controllers may have a legitimate interest in transferring certain personal data within the group of companies for internal administrative purposes, depending on the specific individual case - but this should not be taken as carte blanche.
At the end of last year, the Regional Labour Court of Hamm (Germany) dealt with the scope of the "small group privilege" in the light of claims for damages under Art. 82 of the GDPR. In this case, an employer not only passed on an employee's employment contract to an affiliate in the group but also her private address and details of her salary. The affiliate had taken on HR tasks for other companies within the group, and the purpose of the data transfer was for the affiliate to keep track of non-tariff employees’ salary structure.
The employee concerned sued for injunctive relief and damages, and she won the case. According to the Regional Labour Court, far "less intrusive means" than the transfer of all data - such as pseudonymisation or anonymisation – would have been available for such an overview. The transfer of all data was not covered by the "small group privilege" and there was also no other legal basis under the GDPR for the transfer. The employee, who had also not been informed about the data flows within the group, was awarded EUR 6,000.00 in immaterial damages.
Conclusion: Even within a group of companies, data cannot be transferred "just like that". The data flows must be designed in accordance with the law, failing which fines will be imposed and claims for damages may (and will) be asserted.
Your KWR data protection team will be happy to support you in structuring data transfers within your group in a legally compliant manner.
Link: [Regional Labour Court of Hamm, Judgment of 14 December 2021 – file no. 17 Sa 1185/20 Landesarbeitsgericht Hamm, 17 Sa 1185/20 (nrw.de)]