Data protection law recognises two distinct types of data user, the data controller and the data processor. The controller is the body that makes decisions about the reasons for processing, the type of data to be processed, the groups of data subjects and how the data is processed. The processor carries out the instructions of the controller.
The status of the data user affects the contract required when passing personal data from one organisation to another. Data passed between two controllers is data sharing and should be subject to a data sharing agreement. Data passed between controller and processor requires a data processing agreement incorporating the clauses required by Article 28(3) of GDPR.
Most organisations have now got the measure of these rules and are able to put appropriate contracts in place with third parties. One area where they are less consistent is intergroup agreements, that is, contracts between associated companies in the same trading group.
Data protection law does not recognise groups of companies. It treats each legal entity in the group as a third party, so the rules around data sharing and data processing apply between companies in a group just as they would with external third parties. Inevitably, in a group corporate structure there will be interdependencies. Staff might be employed by one company, while computer and IT equipment is deemed to be “owned” by another for accounting purposes. In these scenarios the employer and the IT equipment owner are technically providing data processing services to the other companies in the group. Particularly in the financial services sector, regulation means that some companies can only carry out limited activities, which might not include employing staff or owning IT equipment. A service company is then established to fulfil the role of employer, generating a more complex group structure.
Employees who work for a company within a group will not ordinarily distinguish between tasks carried out on behalf of their employer as distinct from tasks carried out on behalf of the other companies in the group. A facilities manager might be employed by company A but arrange property repairs for a building owned by company B without realising that two different legal entities are involved.
The view of a group of companies as a single brand feeds into the illusion that all the companies in a group are one entity but, legally, the position is quite different.
It follows that contact details for suppliers and professional advisers will be held in common and used on behalf of different group companies indiscriminately. This is essentially data sharing.
If group companies are in different jurisdictions then the GDPR provisions relating to restricted transfers may also be relevant. A “restricted transfer” is a transfer of personal data from an EEA country (the EU Member States, Iceland, Norway and Liechtenstein) to a non-EEA country. There are strict rules for making such transfers, so if part of a corporate group is outside the EEA that may also affect the choice of contract terms needed to deal with the restricted transfer. The EU Commission has approved model contract clauses for this situation.
Don’t neglect intergroup data protection contracts. The same rules apply as would between third parties: data processing agreements, data sharing agreements and, where necessary, model clauses to cover restricted transfers of personal data are required under GDPR.
Mandy P Webster, Data Protection Consultant, Burton-on-Trent