Disclosure of data to partner companies

Only when customer complaints accumulate does the issue of data protection come up: How did the customer data get to the cooperation partner? Was there a contractual provision for this? What is the basis for data transmission? Has the customer agreed to this? Why did the customer not know about this cooperation?

Before cooperating, data controllers must always clarify the legal basis on which a transfer of data to the future partner could take place. The consent of the persons concerned must often be obtained beforehand. These must then be planned and obtained in good time before the start of cooperation. If the envisaged partnership is a processing operation under shared responsibility within the meaning of Art. 26 GDPR, this shall be regulated by contract. In this context, responsibilities must be clearly defined, including who serves as the contact person for the persons concerned and who provides the customers with the information required under Art. 13, 14 DSGVO provides the data protection information required.

The widespread myth that the transmission and disclosure of personal data within a group is “already okay”, persists tenaciously. It’s a corporation”. However, the GDPR does not provide for such a group privilege. Each controller, i. e. each legal person, must be considered separately. Two legal entities belonging to the same group must also justify the transfer of personal data and regulate it in terms of data protection law. The effort required for the corporations to regulate and document data protection responsibilities is enormous, but indispensable. Responsible persons do well to provide appropriate resources to be able to devote themselves to this task.

In order to avoid fines, responsible companies should put their partnerships to the test in terms of data protection law. Especially if they have been in place for a long time, they may not have been subject to a data protection review even in the wake of the introduction of the GDPR 2018. If data flows have not been analysed comprehensively and cooperation has been taken for granted, it may be that they have not been sufficiently regulated under data protection law. In the worst case, data is systematically transferred without a legal basis and heavy fines may be imposed. Customers increasingly see data protection as a quality feature. Therefore, all partners of a cooperation have a high interest in a clean regulation of the data transfer according to data protection law. Those responsible should therefore not shy away from negotiations with their cooperation partners.

You are unsure about what you would need to arrange with your partner companies in terms of data protection? Please contact us. We will be happy to advise you.