December 2013 Blog

International Data Protection: Overview on basic issues

For German companies with affiliates abroad, data protection law is a challenge, as it is for German affiliates of international groups. GvW Graf von Westphalen has prepared an overview of basic issues of data protection law in the EU, together with other law firms from EU Member States.

Data Protection Law in theory and practice

In practice, it is often necessary to share data with group affiliates in the same manner as within a company. However, German data protection law, like the laws of the other EU Member States, does not recognise this practical necessity. This means that sharing data within the group is deemed a “transfer” in the legal sense. Legally, it makes no difference whether the data is sent to an external company or to a group affiliate.

A group has to respect this legal principle if it centralises its HR administration across the group, implements shared service centers for the entire group or establishes central databases for several group affiliates. Also, if a US group creates a whistleblower system as per the Sarbanes-Oxley Act, from a data protection viewpoint, this is considered a data transmission from the German affiliate to the US head office.

It is often overlooked that corporate email systems could also lead to a data transmission within the group. The same applies to the central maintenance of IT systems: The group company providing the services can access other group companies’ data.

Different Data Protection Laws in Europe …

Data transfer in international groups touches on the laws of several jurisdictions. In the EU States, data protection law is based on Directive RL 95/46/EG from 1995, so that the same basic principles apply. However, all EU States have implemented the Directive differently. When looking at the fine detail, the data protection laws of the EU States vary significantly. Currently, the EU is working on further harmonising the law. However, the envisaged Regulation will still take quite some time before coming into force. Waiting that long is not an option for companies. Companies that operate on an EU-wide basis have to structure their internal regulations now so as to fulfill the requirements of all Member States where the group has branch offices.

… and worldwide

The legal requirements are even stricter when transferring data outside the EU or European Economic Area (EU plus Iceland, Liechtenstein and Norway). Groups with headquarters based in the USA or otherwise outside Europe have to bear this in mind. The same applies to groups headquartered in Germany with branch offices outside of Europe.

It is important that an adequate data protection level is ensured in all those states where the group operates. According to the EU Commission, an adequate level of data protection is guaranteed only in a few countries worldwide, for instance Switzerland, Israel, Argentina and Canada. For group affiliates in other states, the group first has to implement an adequate data protection level. In the USA, the affiliate has to join the Safe Harbor Program, based on self-certification, and get listed by the Department of Commerce.

Another possibility is that group companies enter into EU standard agreements with each other. Such agreements contain standard clauses approved by the EU Commission. Although it could be work-intensive to employ EU standard agreements in large groups, this is a legally secure method to create an adequate data protection level. A further option for the intra-group data exchange is to implement standardised corporate guidelines, so-called binding corporate rules (BCR).

Further Prerequisites for the Transmission

Once an adequate data protection level has been created, the first step has successfully been taken. In addition, under German law companies may only transmit data if a legal provision allows for this or if the data subject consents. Each data transfer, regardless of whether it is domestic or international, has to meet these requirements.

In practice, there are several options: In the case of group-wide client databases or other centralised services, a controller-processor relationship can be established. The group company that provides the services would then act as a processor bound by instructions for all other companies. Even the parent company can act as a processor within the meaning of data protection law. In other cases, for instance in centralised HR administration, consent can be used. Whistleblower schemes, in contrast, can be implemented in such a way that the data transmission is permitted by law.

German Particularities

In Germany, data protection law is stricter than in most other EU States. It is also more complicated, since there are 16 independent, local data protection authorities. Furthermore, the conference of German data protection commissioners in July 2013 drew conclusions from the Prism scandal and announced that it would no longer approve data transmission to countries outside Europe.

This resolution by the data protection commissioners does not mean that data transmission will be illegal because the recognition of the Safe Harbor Program and the EU model clauses rest on EU law. The EU Commission announced on 27 November 2013 that the Safe Harbor Program with the USA will be continued; however, under stricter conditions. In practice, the German resolution of July 2013 means that the commissioners are critical of data transfers to the USA and an international group has to expect stricter supervision by German authorities. Stricter supervision is an effective means to limit data transmission.

Companies should not wait until controls by authorities occur and complaints and fines result as a consequence. It is better to check the group’s data processing and transfer regulations in advance and make adjustments now if necessary.

Overview of GvW and European Partner Law Firms of November 2013

To facilitate data processing in international groups and other cross-border data transmission, Graf von Westphalen, together with partner law firms from various EU Member States, has published an overview of the fundamental issues of data protection law in the EU. If you are interested in finding out more, please send an email to a.boeken@gvw.com.

Arnd Böken

