Legally compliant data transfer between group companies

by Nadja-Maria

Under the General Data Protection Regulation, companies that belong to a group are not treated as a single responsible entity, but as independent group companies. There is therefore no group privilege. Each data transfer between group companies requires its own justification, which must comply with the principles of the General Data Protection Regulation.

1. Different types of data transfers

In the case of intra-group data transfers, a distinction is made between the transfer to a third party who processes the data as an independent controller, the transfer within the framework of joint responsibility according to Art. 26 GDPR, and the transfer to a service provider bound by instructions who acts for the controller as a processor within the meaning of Art. 28 GDPR. The different types of data transfer are explained in more detail below.

2. Own responsibility

The legal basis for the data transfer between two controllers is usually Article 6 Paragraph 1 Clause 1 lit. f GDPR. When assessing whether there is a legitimate interest, membership of a group of companies must be taken into account. The group position often shifts the weighing of interests in favor of the company.

3. Order processing, Art. 28 GDPR

If the intra-group data transfer meets the requirements for order processing in accordance with Art. 28 GDPR, recourse to the permissions of Art. 6 Paragraph 1 Clause 1 GDPR is unnecessary. This requires that the service company only determines the technical means of data processing, but has no influence on the essential means and the purpose of the processing activities. This is particularly the case when the service company provides IT services to the other companies: the service company determines the technical means of data processing, but the other group companies use the IT infrastructure to process their own data for their own purposes.

4. Joint responsibility, Art. 26 GDPR

Joint responsibility within the meaning of Art. 26 GDPR is generally to be assumed if the service company is involved in the decision on the means and purposes of data processing or if it is allowed to pursue its own interests. One example is human resources activities, since the service company there has a major influence on the circumstances surrounding the processing of employee data in the other group companies.

Are you wondering whether data transfer in your company is GDPR-compliant?

Please do not hesitate to contact us. We check your entire company or parts of it for data protection compliance. You will then even receive a seal from us that you can publish. In this way, your business partners know at first glance that you are concerned about information security in your company. Please fill out our contact form or call us at 08505 – 91927-0.
Or find out more about our services on our Audits page.


Nadja-Maria heads our in-house legal team. She studied law at the University of Passau, followed by a legal clerkship and the first and second state examinations. Her specialty is data protection law. She keeps her in-depth knowledge up to date at all times. As a result, she always has advice ready for a tailored solution for our customers and our team.