Can personal data be transferred between companies in the same group? 

According to Article 42 of the Commercial Code, a business group exists when a company holds or may hold, directly or indirectly, control of one or more others.

Along the same lines, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), defines a business group as a group consisting of a company that exercises control and its controlled companies.

The Spanish Data Protection Agency (AEPD) has repeatedly held that the existence of a business group does not mean that the companies forming it lack their own legal personality; each of them is therefore responsible for its own personal data files.

In data protection practice, it is very common to find large business groups made up of companies dedicated to different activities that communicate data on customers, suppliers, employees, etc. among themselves.

In those cases, we would be dealing with communications or transfers of data. However, we must ask ourselves whether this transfer within the group is legitimate and whether it needs some additional guarantee in order to be carried out.

Data transfer or processing order?

To answer this, the organization that is going to communicate data to one or more other organizations in the group must first be clear about whether that communication is a data transfer or a processing order, since the guarantees required to carry out the communication differ between the two situations.

We are dealing with a processing order when one of the companies, which will be considered the data processor, accesses the data because that access is necessary to provide a service to one or more other companies in the group, which will be the data controllers. The data controller is the company that has the power to decide the purpose, content and use of the processing of these data.

That is, in a processing order the data processor simply follows the instructions of the data controller.

By contrast, a data transfer exists when one or more companies in the group communicate data to another or others, in one direction or both, and each company can decide on the purpose, content and use of the processing. That is to say, in a data transfer both companies are data controllers, and whoever receives the data can apply it to its own purposes, thus deciding on the object and purpose of the processing of that data.

What guarantees are necessary in both situations?

Once both situations have been clarified, companies must comply with a series of guarantees, depending on which situation they are in, before either can take place in practice.

In the case of a “processing order”, according to the provisions of Article 28 of the General Data Protection Regulation (GDPR) and Article 33 of the Organic Data Protection Law (LOPDGDD), a contract or a binding legal act is required between the company that acts as data processor and the company or companies that act as data controller. This contract or act is what defines the order.

In the case of a “data transfer” between companies in the same group, the companies must, first of all, report this circumstance to the affected persons whose data is to be transferred (suppliers, clients, workers, etc.). This information must be provided in compliance with Articles 12 and 13 GDPR and Article 11 LOPDGDD. That is, they must be informed of the transfer of their data, identifying the group companies, the purpose of the transfer and the basis that legitimizes it.

Secondly, they must analyze whether the transfer can be covered by Recital 48 GDPR; if not, it will be necessary to obtain the consent of those affected to carry out the transfer.

Recital 48 of the GDPR provides that group companies may transfer data to each other on the basis of legitimate interest for administrative purposes, provided that the interests or rights and freedoms of the interested party do not prevail: “The controllers who are part of a business group or entities affiliated with a central body may have a legitimate interest in transmitting personal data within the business group for internal administrative purposes, including the processing of personal data of clients or employees. The general principles applicable to the transmission of personal data, within a business group, to a company located in a third country are not affected.”

We can conclude that the fundamental thing is to analyze the communication that is going to take place between the companies of the group and to determine whether it is a data transfer or whether, on the contrary, the company receiving the data simply accesses it, in which case it is a processing order, so that the necessary guarantees can be met in each case.
