Group data protection
according to the GDPR

Reach GDPR compliance with our experienced data protection legal experts. Receive flexible support for your data protection teams and officers in companies and corporations.


Compliance builds sustainable trust

Certifications: CIPP/E, ISO 27001, TISAX

What are your most difficult challenges in data protection in your company?

Corporate groups face increasingly complex data protection requirements and responsibilities.

The organisational and legal interlinking of the companies belonging to a group creates data protection challenges, in particular for the exchange of data between group companies and for the processing of personal data of employees, customers and partners.

The legal situation becomes even more difficult when some group companies are located outside the EU or the EEA. Appropriate technical and organisational measures must be in place in every business unit to ensure the protection of personal data.

In addition, Human Resources and IT departments may not simply process personal data on behalf of the parent company and the subsidiaries without a legal basis and the necessary agreements.

Typical group-level challenges:

  • Data transfers between companies within the group.
  • Data transfers outside of the EU and the EEA.
  • Joint processing operations carried out through central organisational units.

How can our legal experts support you in data protection matters in your company?

You benefit from timely and flexible support on all data protection questions where you need expert advice.

Most companies have at least one internal or group data protection officer, and the topic is often managed by the compliance department. However, many specific questions can only be answered by specialised legal experts who deal with the General Data Protection Regulation (GDPR) and the data protection laws of the individual EU Member States on a daily basis.

Our experts support you in every area where you require additional expertise, whether for individual projects or on a long-term basis. This way we find GDPR-compliant solutions for all data protection matters in your group.

Data protection matters we advise on

Under Art. 30 GDPR, controllers and, for the processing carried out on their behalf, processors must maintain a record of processing activities (ROPA). When the records are created and maintained within a group, the group structure must be reflected, for example by keeping the processor's record from the perspective of the group company that acts as the service provider.

Art. 25 and 32 GDPR require companies to implement appropriate technical and organisational measures (TOMs) to protect personal data, including data protection by design and by default. A gap in one group company can undermine the GDPR compliance of the whole group, so group-wide protection concepts should take priority over isolated, company-level measures.

Under Art. 35 GDPR, a Data Protection Impact Assessment (DPIA) is required whenever a processing operation is likely to result in a high risk to data subjects because of its nature, scope, context and purposes. A DPIA analyses the risks to personal data before the data is processed; for complex group processes the requirements are very extensive.

Art. 12 et seq. GDPR set out extensive data subject rights, such as the right of access and the right to object. Because data in a group is transferred, processed jointly or processed by one group company on behalf of another, it is advisable to establish uniform processes and rules for handling data subject requests across the group.

In the event of a personal data breach, the supervisory authority must be notified under Art. 33 GDPR (as a rule within 72 hours) and, where the breach is likely to result in a high risk, the data subjects must be informed under Art. 34 GDPR; a processor must report a breach to the controller without undue delay. Since individual group companies often process data on behalf of other group companies, it is advisable to establish a uniform group-wide system for the rapid exchange of information in the case of a breach or similar incident.

Some compliance requirements call for processing personal data as extensively as possible. Data protection law, by contrast, requires that the collection of personal data be limited to what is relevant and necessary for a specified purpose (data minimisation). In addition, some companies must operate management systems in order to obtain the certifications they seek; these systems are run group-wide and integrated. The data protection organisation should be involved in these management systems to eliminate contradictions and to create synergies. Data protection is therefore a cross-cutting discipline between various fields.

Groups can adopt Binding Corporate Rules (BCRs) for data transfers outside the EU or EEA. BCRs apply group-wide but must be approved by the competent supervisory authority. Once approved, they constitute appropriate safeguards under Art. 46 and 47 GDPR for transfers to third countries.

The GDPR grants no group privilege: every intra-group data transfer must be justified on its own legal basis. Depending on the type of cooperation between the group companies, this is done by way of Joint Controller Agreements (JCA, Art. 26 GDPR) or Data Processing Agreements (DPA, Art. 28 GDPR). If data is transferred outside the EU or EEA, appropriate safeguards such as Standard Contractual Clauses (SCC) are additionally required. Instead of establishing BCRs, we usually recommend framework agreements for group-wide data transfers that combine Joint Controller Agreements, Data Processing Agreements and, where necessary, Standard Contractual Clauses. Other group companies can accede to such framework agreements, which keeps the arrangement as flexible as possible.

Under Art. 88 GDPR, collective agreements, provided they are GDPR-compliant, may permit the transfer of employee personal data between group companies. In German legal practice in particular, collective agreements such as works agreements are favoured because they integrate well into a group-wide transfer framework.

Because of their exposure under data protection law, groups are often in the focus of supervisory authorities and lawyers. As a rule of thumb, the larger the volume of personal data processed and the number of data subjects affected, the higher the risk of enforcement action and litigation. Specialist legal expertise that the group does not have in-house is therefore crucial to avoid this.

Compliance with regulatory requirements depends on the continuing awareness of the persons involved in data processing. A group needs an effective data protection structure that establishes a uniform data protection standard in all group companies. Regular training of multipliers and employees, as well as a culture of open discussion, are therefore essential.

Whistleblowing policy

In a whistleblowing policy we define the reporting process and document responsibilities as well as compliance with the legal requirements.

Employee training and information material

Through online training we inform your employees about the whistleblower system that has been set up. In addition, you receive information material to draw attention to the whistleblower system.

Four good reasons why activeMind.legal is the best choice for data protection in your group

Specialised legal experts

Our law firm, with offices in Berlin, London and Munich, specialises in data protection and related areas of law. We not only know what you have to do to be GDPR-compliant, but also how to do it in the best way possible. Our lawyers are prepared to advise you on complex matters around data protection and other compliance issues. Numerous certifications attest to our long-standing expertise.

Active knowledge transfer

Through internal and external training we keep up with the dynamic field of data protection law. Technological developments and regulatory projects with an impact on data protection law are a particular focus, such as the Artificial Intelligence Act, Data Act, Data Governance Act, ePrivacy Directive and Digital Markets Act.

International orientation

Our team speaks more than 10 European languages and serves clients around the world. With partner firms in the UK and Switzerland we cover most data protection matters in Europe.

Compliance enabler

Data protection, information security and quality management are our daily business. Compliance is part of our DNA. That is why we are particularly well suited to help you design compliant business models.

Free initial consultation

Group structures are complex and their data protection requirements differ widely. We would therefore like to know where and how we can support you specifically.

To that end we offer a free initial consultation with one of our legal experts.

Simply send us a message and within 2 business days we will get back to you with a proposed date.

Frequently asked questions about the EU representative required under the GDPR

Art. 27 GDPR (General Data Protection Regulation) requires organisations that are not established in the EU (non-EU businesses) but fall within the territorial scope of the GDPR under Art. 3(2) to designate an EU representative. Specifically, you must appoint an EU representative if your organisation processes personal data in the following contexts:

  • offering goods or services to individuals in the EU, or
  • monitoring the behaviour of individuals in the EU.

This obligation applies to both data controllers and data processors. Art. 27(2) GDPR exempts only public authorities and organisations whose processing is occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to data subjects.

An EU representative serves as a contact point between your company and individuals or data protection authorities in the EU. An EU representative therefore acts on your company’s behalf with regard to your obligations under the GDPR. Furthermore, the representative maintains your records of processing activities and makes these records available to supervisory authorities upon request.

EU representatives can be external service providers, and the role can be performed by individuals or organisations such as law firms, consultancies or other private companies. Under Art. 27(3) GDPR the representative must be established in one of the Member States where the data subjects whose behaviour is monitored, or to whom goods or services are offered, are located.

The GDPR does not specify minimum qualifications for an EU representative. It is nevertheless advisable to appoint a representative with a broad understanding of the relevant legal and technical data protection issues in order to communicate efficiently with the authorities. Furthermore, since an EU representative is the contact point between your company and data subjects or authorities, it is essential that the representative speaks the local language fluently.

How much you can expect to pay for an EU representative under the GDPR depends on several factors, for example the size of your company, the number of employees, the data you process, and how many locations you have in how many countries. These all influence the volume of queries and the level of attention your company can expect from supervisory authorities. The cost is also influenced by how much support you need in creating and maintaining the necessary data protection documentation, especially the records of processing activities (ROPA).

Contact us!