Disclosure of data to partner companies

For many companies, division of labour and cooperation are not only a matter of necessity, efficiency and cost reduction, but also a matter of course. What someone else can do better, they can usually also do faster and cheaper, and if you sell to the same customers, there are synergies in the merger. Companies consider many things when entering partnerships and cooperations with other companies, but data protection is often forgotten when it comes to the disclosure and transfer of data. It is often overlooked that cooperations with other companies require personal data to be disclosed to third parties. Responsible companies should therefore review this data transfer under data protection law and clearly define and regulate responsibilities in order to avoid fines.

Customer complaints as a trigger

Only when customer complaints accumulate does the issue of data protection come up: How did the customer data get to the cooperation partner? Was there a contractual provision for this? What is the basis for data transmission? Has the customer agreed to this? Why did the customer not know about this cooperation?

Data disclosure – what to watch out for

Before cooperating, data controllers must always clarify the legal basis on which a transfer of data to the future partner could take place. The consent of the persons concerned must often be obtained beforehand. This must then be planned and obtained in good time before the start of cooperation. If the envisaged partnership is a processing operation under shared responsibility within the meaning of Art. 26 GDPR, this shall be regulated by contract. In this context, responsibilities must be clearly defined, including who serves as the contact person for the persons concerned and who provides customers with the data protection information required under Art. 13 and 14 GDPR.

There is no group privilege in the GDPR

The widespread myth that the transmission and disclosure of personal data within a group is “already okay. It’s a corporation” persists tenaciously. However, the GDPR does not provide for such a group privilege. Each controller, i.e. each legal person, must be considered separately. Two legal entities belonging to the same group must also justify the transfer of personal data and regulate it in terms of data protection law. The effort required for the corporations to regulate and document data protection responsibilities is enormous, but indispensable. Responsible persons do well to provide appropriate resources to be able to devote themselves to this task.

Avoid penalties – create rules

In order to avoid fines, responsible companies should put their partnerships to the test in terms of data protection law. Especially if the partnerships have been in place for a long time, they may not have been subject to a data protection review even in the wake of the introduction of the GDPR in 2018. If data flows have not been analysed comprehensively and cooperation has been taken for granted, the data flows may not have been sufficiently regulated under data protection law. In the worst case, data is systematically transferred without a legal basis and heavy fines may be imposed. Customers increasingly see data protection as a quality feature. Therefore, all partners of a cooperation have a high interest in a clean regulation of the data transfer according to data protection law. Those responsible should therefore not shy away from negotiations with their cooperation partners.

Are you unsure about what you need to arrange with your partner companies in terms of data protection? Please contact us. We will be happy to advise you.