An email such as the following from a group company headquarters may seem unspectacular at first glance: "Please provide us with a complete list of all employees working at your company including details regarding age, entry date, position and remuneration by tomorrow, COB."
A human resources (HR) department may quickly compile the requested list and send it to the headquarters without further inquiry, overlooking – as is often the case – that such a transfer of details entails significant risks under data protection law. Data transfers between group companies are often regarded as an internal matter and this appears to be true, especially if the parent company cites reasons for its inquiry that appear plausible (eg, conducting a due diligence review, introducing group-wide know-how databases or group-wide staff development).
However, the transfer of personal employee data between legally independent companies of a group is not necessarily permissible under data protection law. The Federal Data Protection Act permits the collection, processing and use of personal data only if it is permitted by law or if the data subjects have given their consent. Corporate and economic connections and links between the sender and receiver of personal data are not taken into consideration; in particular, companies belonging to the same group are not considered one entity. If the transfer of personal data does not satisfy the requirements under data protection law, it may result in fines of up to €300,000.
This is no longer a purely theoretical problem. Supervisory authorities have intensified their activities and increasingly imposed fines on companies and employees, as well as responsible managing directors and board members.
The problem is aggravated by the EU General Data Protection Regulation, which will be applicable as of May 25 2018. According to the regulation, even fines of up to €20 million or 4% of the annual turnover – possibly of the entire group – could be imposed.
Data protection law does not facilitate the exchange of data within group structures; there is thus no group privilege. Transfers between legally independent companies belonging to the same group are treated the same as transfers to third parties by the law. Under data protection law, each company is deemed an independently responsible party (Section 3(7) of the Federal Data Protection Act).
Transfer of personnel data is data processing within the meaning of the law (Section 3(4)(3) of the act) that requires justification (Section 4(1)).
Contract data processing is not transfer of data Data transfer covers both passing on and providing data for inspection or retrieval (Section 3(4)(3)). Whether personnel data is forwarded by email or whether other companies are granted direct access to the specific server is irrelevant.
However, contract data processing lacks a transmission process (Section 11 of the act). A contractually tied contract data processor is not considered a third party. Examples of contract data processing include externally provided salary statements, saving data in the cloud or providing similar IT services. The instruction to process data must be given in writing, providing the statutory minimum content pursuant to Section 11. An essential criterion regarding contract data processing is the contractor's duty to comply with instructions. A contract data processor must not have discretionary power with regard to the manner in which the data is processed (eg, as is the general case for salary statements). The parent company can also function as contractor. However, it must fulfil a purely serving function and submit to the instructions of the companies belonging to the group.
If the data processor has decision-making powers or if the principal's exertion of influence is limited, the contract data processor is considered to be the controller within the meaning of the act. This is deemed to be a transfer that requires separate justification.
It may be difficult to make a distinction in individual cases. Since supervisory authorities are rather critical of activities exceeding the mere provision of salary statements, it is paramount to review individual cases in detail.
Justification for transfer If a case in which data is transferred is not a case of contract data processing, justification is required. A transfer of personnel data may be permitted based on a statutory regulation or the employees' valid written consent.
Consent At first glance, employee consent may be the preferred choice, especially since standardised employment agreements often include such clauses.
However, such consent rarely satisfies the strict requirements set out in Section 4a of the act. The supervisory authorities and some legal scholars fundamentally doubt that consent given in the employment agreement, as required under Section 4a, can actually be based on "the free decision of the data subject". However, this doubt was countered by a recent Federal Labour Court decision (8 AZR 1010/13, December 11 2014) that emphasised that employees do not lose their fundamental and personal rights when they enter into an employment relationship and are integrated into an establishment.
In addition, standardised clauses in employment agreements do not often satisfy the requirements for valid consent for other reasons:
- informed consent would have to include a sufficiently clear reference to the specific purpose of the data processing and in general to the consequences of refusing to grant consent; and
- the employee would need to have a real choice between granting and refusing consent.
It is therefore (and owing to the necessary revocability of any consent with effect for the future) difficult to establish standardised HR processes based on consent.
Statutory regulations that may permit transfers are primarily to be found in the Federal Data Protection Act.
Section 32 For the duration of the employment relationship, Section 32 of the act applies. Accordingly, transfer is permissible if this is necessary for decisions on hiring, performing the employment contract or terminating the employment relationship.
It primarily relates to the legal relationship with the employer, meaning the contracting company. The purposes pursued by a company affiliated with the employer are generally irrelevant. Transferring employee data can thus only rarely be based on Section 32.
Exceptions are allowed if the employment relationship is already closely connected to the group at the time that the agreement was concluded. An example is agreeing on a group-wide mobility clause: such a clause entitles the employer to transfer personnel data for the purpose of group-wide HR management. This also applies to executive employees who were aware of the group structure and their positions' group connection. This justifies the transfer of personnel data for standard group incentive programmes or performance evaluation and personnel development systems. Such group connection may be created even after the employment relationship has been established.
However, the general permissibility does not mean that all personnel data can be transmitted freely. It must be reviewed in each case whether the transfer is necessary for the purpose of the employment relationship. A group connection alone will not suffice to justify the transfer of personnel data for a due diligence review when preparing a sale of companies or establishments. In this and similar cases, it should be considered whether an anonymous data transfer would be sufficient to fulfil the intended purposes. The advantage is that the personal reference no longer exists, so that the strict provisions under data protection law are no longer relevant.
Section 28(1)(1)(2) If the data transfer does not directly serve the purpose of the employment relationship, justification may be provided based on Section 28(1)(1)(2).
However, Section 28(1)(1)(2) does not allow the regulatory framework established by Section 32 to be circumvented. Data transfers that would allow other group companies to use data in a way in which the employer would not be permitted are therefore impermissible.
Moreover, the transfer to a group company must be necessary to safeguard the employer's justified interests. The interests of the affiliated company are, in principle, irrelevant. The employees' interests in having their data stored only with their employer must also be taken into consideration. In the view of the supervisory authorities, such interest in principal outweighs the employer's interest in data transfer. This view seems generally too far-reaching. Nonetheless, official practice must be adjusted. The employer must therefore take protective measures for the benefit of the employees in order to reach an outcome that is advantageous for the employer. These may include establishing a group-internal data protection concept in addition to binding regulations between participating companies.
Works council agreement
Data transfer can ultimately also be justified based on a works council agreement. According to the Federal Labour Court, they are covered by the statutory provisions of the Federal Data Protection Act (1 ABR 2/13 [A], July 9 2013). This solution may be particularly suited for group structures. In this respect, a separate works council agreement concerning data protection is not required. The permissibility of transfer may also result from a works council agreement concerning a different subject, such as a group-wide incentive system.
Transmission to a foreign country
If the affiliated group company is domiciled abroad, there are stricter requirements to be fulfilled. In such a case, the data transfer does not only have to be per se permitted. In addition, there must be an adequate level of data protection in the receiving country.
European Union and European Economic Area A transfer of data within the European Union and the European Economic Area is not a problem. Data privacy protection laws are largely harmonised within the European Union by way of the EU Data Protection Directive (1995/46/EC). The European Economic Area contracting countries – Norway, Iceland and Liechtenstein – have adopted the directive and also warrant a level of data protection that corresponds to that required under the Federal Data Protection Act. Data transfers to these countries do not, therefore, require any additional justification (Section 4b(2) of the act).
Non-member countries Data transfers to recipients outside the European Union and the European Economic Area are permitted only if certain prerequisites are met. Non-member countries are generally deemed unsafe from the perspective of EU data privacy protection law. A permissible transmission under general data privacy protection rules thus requires supplemental measures to ensure an adequate level of data protection on the second level (Section 4b(2) and (3)).
For some countries, the European Commission has positively determined the required level of protection within the framework of decisions on adequacy. These countries include Andorra, Argentina, Canada, Switzerland, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand and Uruguay.
If the level of data privacy protection is inadequate, the data may be transferred only in exceptional cases (Section 4c of the act). A transmission based on the consent of the employee or a transmission that is necessary to perform a contract is permissible. In addition, the regulatory authorities may approve the transfer as an exception. Binding corporate rules that apply within the group may also be approved. It is also possible to achieve an adequate level of data protection among group companies by way of contractual agreements.
If certain standard contracts (EU standard contractual clauses) are used, no additional approval from the regulatory authorities is required, at least in Germany. The commission has made a binding decision with regard to the EU standard contractual clauses that they warrant an adequate level of data protection. However, this decision will be reviewed over the mid-term by the European Court of Justice.
For further information on this topic please contact Andreas Josupeit, Michael Kamps, Carsten Domke or Philippe Heinzke at CMS Hasche Sigle by telephone (+49 211 4934 409) or email (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com.)
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.