Transfer of employee data among corporate groups: new considerations under the General Data Protection Regulation
By Dr. Alexander Insam M.A. and Hanna Michalak
Currently, we see a sustained industry trend toward centralizing HR services – either by consolidating them at the top level within a group of companies, and/or by outsourcing the services as a whole or in part to a third-party service provider. One of the drivers for this trend is cost efficiency. Another is strategy: Companies want to get the best talent working in the best positions in the group. Although decentralized HR services within each individual company in a group might provide more tailored services, often the drive for efficiency prevails. However, implementing centralized HR services in a group or outsourcing components of a company’s HR services is tricky. A number of rules and regulations in the realm of data protection must be properly addressed.
The new General Data Protection Regulation (GDPR) stipulates that a corporate group does not always have the right to process personal data, including employee data, anywhere within the group — in fact, this can be equivalent to the transfer of personal data to a third party. As a result, companies in the same group have to be treated, in principle, as independent third parties when processing personal data. This means any access to or transfer of employee data within the group requires a specific legal justification. However, certain exceptions apply under particular preconditions.
In the following article, we will outline how these exceptions work and how they allow corporate groups to maintain some privileges.
One exception requires that one company in the group processes personal data on behalf of one or a couple of other members of the group. In this case, it is not necessary for the processing member of the group to be treated as a third party. The transfer of personal data thus requires no particular justification here.
For a member of a group of companies to qualify as a processor, the processor must have no decision rights over the processed data. If the processor makes decisions on the basis of detailed systematic plans provided by the controller, this requirement is still considered to be met. On the other hand, if responsibility is transferred entirely to the processor, the processing company is certainly considered to be acting beyond the scope of a processor.
Even a parent company can act as a processor. In general, current legal conditions do not threaten a parent company’s freedom to act as a processor, as long as the parent company is not involved in decisions related to the processing of personal data. For example, it is permissible for payroll accounting to be outsourced as a service allocated to the processor.
Most corporate groups that are active internationally have affiliates outside the EU and the EEA. For these groups, the GDPR offers more flexibility than ever before, as affiliates outside the EU and the EEA can now act as processors.
However, there are circumstances under which a company can’t create detailed systematic plans for decision-making, leaving the processing company to make its own decisions. Under these circumstances, the processing company is either controller or joint controller — thus a specific legal justification for the transfer of data and ongoing processing of that data is required.
Article 6 paragraph 1 letter b GDPR
The transfer of personal data to a company within a group can be lawful when the processing of personal data is necessary for the performance of a contract to which the data subject is a party, or when an employer is taking steps at the request of the data subject prior to entering into a contract.
The specifics of the employee’s employment contract with the company within the group is highly relevant here. In principal, the above exception only applies to the processing of personal data when it enables the employer to exercise their rights and fulfill their obligations under the employment contract. Within this context, the transfer of employee data by the employer to another company within the group is generally not justified unless the employment contract refers to a group context. When the characteristics of an employee’s tasks are linked to the interests of the group, article 6 paragraph 1 letter b of the GDPR justifies the transfer of employee data within the group for such purposes as storing the data in a central HR system.
If appropriate, it would be advisable to include a clause in the employment contract referring to the relevance of his or her duties to the group. Under these circumstances, the storage of personal data belonging to employees who have been identified as highly competitive candidates for leading positions in a group-wide HR development system is also justified.
Another example of an acceptable transfer of employee data based on article 6 paragraph 1 letter b of the GDPR pertains to the introduction, maintenance and distribution of a group directory. Only employees who need access to the information published in a group directory ( such as, employee names, departments, office phone numbers, and e-mail addresses ) in order to fulfill their obligations should have access to the group directory.
Article 6 paragraph 1 letter f GDPR
The transfer of personal data to a company within a group can also be lawful when processing is necessary to protect the legitimate interests of the data controller, except where such interests are outweighed by the interests, fundamental rights and freedoms of the data subject. Although no special privilege exists for the transfer of personal data within a group of companies, recital 48 of the GDPR offers a certain amount of leeway. Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data. According to article 4 (19) of the GDPR, a group of undertakings means a controlling undertaking and its controlled undertakings.
Although recital 48 is not legally binding, it helps in the interpretation of the above stipulation and indicates that even a complete transfer of HR administrative duties within a group of companies can be a viable move to consider. While balancing interests in the context of considering this kind of centralization, it is important to note that the level of data security cannot be lowered. The highest level of security required by any company in the group determines the minimum standard for the entire group. As a result, centralization may even result in a higher level of data security — which may in turn have a positive impact on the balancing of interests. A contractual agreement specifying the minimum level of data security within the group of companies is advisable.
Another example of an acceptable transfer of employee data in accordance with article 6 paragraph 1 letter f of the GDPR could be a group-wide skill-related database.
Consent: article 6 paragraph 1 letter a GDPR)
Another option available for the transfer of employee data to a company within a group has its legal basis in voluntary consent on the part of the data subject. In this context, it could be a challenge to verify and prove that the consent was voluntary. When asked for their consent, employees may feel a certain amount of pressure. As a result, this approach is more advisable if the processing of the data is of economic benefit to the employee, or if the employer and the employee have a balanced interest in the data being processed in this way. In the latter case, however, it is advisable to use article 6 paragraph 1 letter f of the GDPR as the legal basis for processing (as described above) without taking the additional step of seeking the employee’s consent. It is important to note that consent, being of a voluntary nature, can be revoked by the employee at any time. Should the employee revoke his or her consent, the processing must be stopped immediately, as it is questionable whether the processing could continue on the basis of different legal reasons under these circumstances.
A works agreement is an instrument that can be used to legitimate the processing of employee data, while at the same time establishing a harmonized approach to data processing within the corporate group as a whole. Article 88 of the GDPR strengthens the works agreement as a useful instrument in the context of processing employee data, as it can give the works agreement the status of a legal permission. The works agreement is strengthened even further by § 26 paragraph 4 of the BDSG (Bundesdatenschutzgesetz) when the employer and the works council follow article 88 paragraph 2 of the GDPR.
Specifically, the works agreement should:
a) clarify that the works agreement is a legal permission for processing employee data;
b) respect the principles laid down in article 5 of the GDPR; and
c) confirm joint controllership when applicable.
Transfer to third countries
When transferring employee data within a corporate group to a company in a third country outside the EU and the EEA, the particular stipulations in article 44 and following of the GDPR apply. Recital 48 specifies that a corporate group has no special privileges in these circumstances.
Most likely, companies would have been greatly appreciative if the GDPR offered corporate privileges. Unfortunately, this is not the case.
The good news, however, is that the abovementioned stipulations in the GDPR offer a number of options to facilitate the processing of employee data in corporate groups. In particular — from our perspective — companies should use the regulations regarding the legitimate interests of the controller and conclude works agreements with their works councils. Defining the roles of controller, joint controller, third party and processor, all of which can be filled by companies within a corporate group, is still a challenging task under the GDPR.
It is therefore our recommendation that companies seek individual legal advice in each case — to be on the safe side.