As per Art. 30 of the GDPR every company must create a register of processing activities (ROPA) to the particular data processes. Company structures should also be noted during the creation and management of the registers, like the catalogues from the perspective of the contracting service company.

Companies are required per Art. 25 and 32 of the GDPR to decide technical and organisational measures in order to protect personal data, namely, to reflect data protection pre-sets (Privacy by Design, Privacy by Default). Inside the company there should not be any vulnerabilities in order to not endanger the GDPR-compliance. Also, company-wide protection concepts should be prioritised.

According to Art. 35 of the GDPR there should always be a Data Protection Impact Assessment (DPIA), if there is a potential elevated risk during data processing operations due to the kind, the scope, the circumstances, and the goals of the data processing. A DPIA expertly analyses the protection risks to personal data before the data is processed, which has very extensive requirements for complex processes.

Expanded data subject rights are included in Art.12 f. of the GDPR, like the right to information and the right of objection. Because in corporations data is transferred, processed together, or ordered to be processed by partnered companies it is in one’s favour to create uniformed processes and regulations in the handling of data subject rights in the company.

If it comes to a data protection violation, then the responsible parties and the data subject must be informed per Art. 33 and 34 GDPR. Individual companies often process data on behalf of other companies within the group. Therefore, the establishment of a uniform system within the group where a quick information exchange can be held in the case of a data protection violation or similar cases is advisable.

Some compliance requirements need an as-extensive-as-possible processing of personal data. However, data protection law requires to limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. In addition, some companies are required by (wanted) certificates to create management systems. These systems are operated group-wide and integrated. The data protection organisation should be involved with these management systems in order to eliminate contradictions and to create synergy. Data protection is therefore a cross-section between various fields.

For companies there is the opportunity to create Binding Corporate Rules (BCRs) for the purpose of data transfers outside the EU or EEA. These apply group-wide but must still be approved by the relevant supervisory authority. BCRs as a transfer mechanism can also serve as a guarantee for data transfers to countries outside the EU or EEA in accordance with the GDPR.

Groups of companies do not enjoy any corporate privileges and therefore every data transfer must be justifiable. According to the type of the cooperation between companies of a group this can either be in the form of Joint Controller Agreements (JCA) or Data Processing Agreements (DPA). However, if the data transfer is outside the EU or EEA then one will need Standard Contractual Clauses (SCC) or other guarantees. Instead of establishing BCRs one would mostly suggest framework agreements for group-wide data transfers, including Joint Controller Agreements, Data Processing Agreements and if necessary Standard Contractual Clauses. Other companies of the group may join such framework agreements, so that the greatest possible flexibility is maintained.

Per Art. 88 GDPR collective agreements, provided these are GDPR conform, may allow the transfer of personal data from employees between companies of the group. Especially in the German legal traditions collective agreements are favoured because they let themselves integrate in a group-wide transfer mechanism.

Group of companies are due to their data protection law vulnerability often in the focus of authorities and lawyers. The rule of thumb says that a vast number of processed personal data as well as affected data subjects mean an elevated risk to become a target of authorities and legal authorities. Therefore, legal expertise, that oneself does not possess, is crucial in order to avoid this ire.

The compliance of regulatory requirements is tied to the continuing sensitization of the involved persons in data processing. For companies it is indispensable to have a successful data protection structure with whose help one can create in all companies of the group a uniform data protection standard. Therefore, regular education courses of multipliers and employees as well as a culture of open discussion are essential.