Introduction
Data protection is close to the heart of most Europeans and so it is unsurprising that the EU legal framework for data protection and data privacy should be so rigid. This update examines whether German data protection law, which is based on the EU Data Protection Directive (95/46/EC), prevents companies from entering into and conducting offshore outsourcing transactions.
German data protection law is codified in different acts, most notably the Data Protection Act. Following an overview of the legal implications of data transfers outside the European Union, this update analyses whether data protection law prevents German companies from sending data outside the European Union for offshoring projects.
General principles
The Data Protection Act is mainly governed by four principles:
- the principle of legitimation;
- the principle of data processing for a specified purpose;
- the principle of data avoidance and data economy; and
- the principle of data security.
Principle of legitimation
According to the principle of legitimation, personal data may be processed (ie, collected, stored, transferred and used) only if permitted by law or consented to by the individual whose data is to be processed (eg, an employee or a customer). To protect the employee's or customer's rights, the data processing must be transparent to the employee or customer. The employee or customer must be informed of:
- the type of data to be processed;
- the purpose for data processing; and
- where and by whom the data will be processed.
This applies all the more where the data processing is legitimate only with the individual's consent.
Principle of data processing for a specified purpose
The principle of data processing for a specified purpose is crucial to data protection law. Data may be processed only for a specified purpose, which is not interchangeable. In other words, data that was collected for purpose A may not be used for purpose B. Rather, data for purpose B must be collected from scratch. This also requires that data collected for different purposes must be stored separately.
Principle of data avoidance and data economy
The principle of data avoidance and data economy requires that data may be processed only when absolutely necessary and then only to an absolute minimum. Any redundant data processing must be avoided. This also requires the deletion of any data that is no longer needed.
Principle of data security
Finally, the principle of data security requires the company collecting and processing personal data to implement technical and organisational measures in order to secure these data and prevent their unauthorised usage.
Possible legal legitimation for data transfer within group of companies
By definition, offshore outsourcing transactions require two companies acting from different geographical locations: a customer based in one geographic area (eg, Europe) and a provider based in another (eg, the United States or India). The question therefore is whether the customer can transfer data to its own group or a third party provider in another geographical location.
Under the Data Protection Act, a parent company with headquarters outside Germany is considered to be a third party as far as the data from the local entity in Germany is concerned. This means that data transfer from a German subsidiary to the parent company must still be legitimated, either by law or by the consent of the respective employees or customers. There is no group privilege in German data protection law. Since obtaining the employees' or customers' consent is usually not feasible – and it is also questionable whether an employee can freely 'consent' to an employer in an employment relationship(1) – this is not an option.
Data processing by commission
However, the data transfer would not be considered an act relevant to data protection and therefore would not need legitimation if the parent company were to process the received data only by commission and on behalf of the German subsidiary. When processing data by commission, it is crucial that the recipient of personal data as 'processor' (ie, the parent company) processes the data based on and according only to the instructions of the transferring party (ie, the local German subsidiary), which is the 'controller'. It must be obvious that the parent company as processor has no scope for evaluation and/or discretion in regard to the transferred data. The parent company may provide no other human resources services (eg, talent management or personnel development) to the German subsidiary. Furthermore, the German subsidiary must be in sole charge of the transferred data. Therefore, the German subsidiary would be required to check and control the data processing conducted by the parent company on a regular basis.
Cross-border data transfer
Under German data protection law, data transfer to a company outside the European Union is of no specific concern. Data may be transferred to another country if that country provides for a level of data protection equivalent to data protection in Germany. Within the European Union, where the EU Data Protection Directive applies, an adequate level of data protection is guaranteed, so that generally a data transfer to another EU country is allowed. Transferring data to a country outside the European Union is allowed if – among other available options which are less common in the industry – the latest version of Standard Contractual Clauses for the Transfer of Personal Data from the Community to Third Countries is used.
Data protected by criminal law
Only in narrowly defined areas (eg, private healthcare insurance, accident insurance or life insurance) does the criminal law (Section 203 of the Penal Code) prohibit the transfer of personal data. In such instances, the companies looking to outsource services must anonymise or encrypt the data before sending it to a third party. In all other cases, German law does not prohibit outsourcing as long as the statutory requirements of the German data protection laws and other local compliance rules (eg, the strict compliance rules in the financial service sector) are met.
Comment
Thus, unless the data is protected by criminal law in narrowly defined areas of application, German data protection law does not prohibit companies located in Germany from using offshore services or outsourcing functions to providers outside the European Union. On the other hand, the provider and the German company seeking assistance must look at all the issues associated with data protection and ensure that they follow the processes prescribed by the German data protection law.
For further information on this topic please contact Ulrich Bäumer or Stephanie Ostermann at Osborne Clarke by telephone (+49 221 5108 4168), fax (+49 221 5108 4169) or email.
Endnotes
(1) See the draft of the new EU Data Protection Regulation, available since February 2012.