Following Schrems II, data protection authorities have announced that they will carry out cross-border monitoring of international data transfers. In addition, the deadline for adapting the SCCs expires on December 27, 2022. There is therefore a need for action for internationally active group companies: Those who are not yet familiar with the Intra Group Data Transfer Agreement (IGDTA) should now take note; those who are already familiar with it should take stock.
In group companies, personal data of employees as well as applicants are often not only processed within the German employing company, but also transferred to the parent company located abroad or to other group companies. There are many reasons for this: in the age of mobile working, employees in matrix structures report to superiors at another (foreign) company, the HR department is centralized for all group companies, or a common Human Resource Information System (HRIS) is to be used for standardization. These constellations are relevant from a data protection perspective in two respects: On the one hand, the first step is to clarify whether the processing of personal data is in itself permissible under data protection law, and on the other hand, the question arises as to the extent to which a comparable level of data protection actually exists in the third country in which the other Group companies are located.
In order to check compliance with data protection law, fact-finding should first be carried out. This level of review should be familiar, as it also regularly takes place in the case of data transfers within Germany (or the EU/EEA). In general, the following question arises: Which personal data should be transferred to which group companies and for which purposes? It is advisable to consult data protection experts already at this first stage, because the definition of personal data alone often raises questions in practice. In addition, the time and effort involved should not be underestimated. Experience has shown that this can be time-consuming when introducing complex IT systems and can also trigger other issues relevant to employment law.
In a nutshell: The General Data Protection Regulation (GDPR) prohibits the processing of personal data unless it is separately authorized. In the employment relationship, the legal permissibility of Section 26 (1) sentence 1 BDSG is of particular importance. This permits data processing, among other things, if it is necessary for the decision on the establishment of an employment relationship or, after establishment, for its implementation or termination. The term "necessary" is to be understood restrictively in this context: Not everything that is expedient may also be necessary. For example, the centralization of the HR department should be considered here. This may well be financially expedient, but will probably not be necessary for the individual employment relationship. If the necessity is denied, it may be possible to legitimize the data transfer by means of another authorization. If the employees' consent is used, this should be examined particularly critically, since in the employment relationship there are increased requirements for the examination of voluntariness.
The second stage is the Intra Group Data Transfer Agreement (IGDTA). This is a contractual agreement between the various Group companies that regulates (international) data transfers within the Group. If personal data is transferred to a third country, i.e., a country outside the EU or EEA, this international data transfer is subject to further requirements. The aim is to ensure a comparable level of protection of personal data in the third country. The GDPR provides for various options for this: among others, the existence of an adequacy decision by the European Commission, the establishment of binding internal data protection rules ("Binding Corporate Rules") or the agreement of standard data protection clauses ("Standard Contractual Clauses" or "SCCs").
If there is no adequacy decision (link to overview of current third countries with adequacy decisions) for the relevant third country, in practice many companies choose the latter option and conclude an Intra Group Data Transfer Agreement in which they agree on the applicability of the SCCs. The SCCs are contractual clauses published by the European Commission that contain provisions designed to ensure adequate data protection safeguards. On June 4, 2021, the European Commission published new SCCs that must be used immediately for new agreements (IGDTAs). Existing legacy agreements should be subject to an inventory, as the "old" SCCs must be replaced by December 27, 2022.
In the IGDTA, the relationship between the respective companies, i.e. in which role they act (controller or processor), must be determined and regulated. Then the appropriate of the four different modules of the SCCs can be chosen and used as part of the IGDTA (e.g. as an annex). However, the mere conclusion of an IGDTA or the agreement of the SCCs alone is not sufficient to bring about compliance with data protection law. Finally, the SCCs - as decided in particular in the Schrems II ruling of the ECJ - must also be worth the paper they are written on. To ensure this, the SCCs stipulate, among other things, that the company must review the level of data protection in the third country and ensure it by taking additional protective measures. This review is carried out through the mandatory performance of a so-called "Transfer Impact Assessment" (TIA), which analyzes the risk of data transfer, taking into account the legal situation in the third country. This requires a detailed examination of the law applicable in the third country. In addition, the specific measures taken to protect the data must be considered and evaluated. This is not a one-time task, but rather a dynamic process that requires constant review and adjustment. This is also accompanied by the company's obligation to constantly implement protective mechanisms, such as technical and organizational measures, in order to be able to permanently guarantee a comparable level of data protection in the third country and to refrain from transferring data if this can no longer be guaranteed. The recommendation of the European Data Protection Committee (EDSA) can be used as an aid to action.
Group companies should pay increased attention to international data transfers, otherwise they could face significant fines under the GDPR. The implementation of the new SCCs should be used at the latest to review the data flow and the associated contractual framework and to (re)assess the respective risk on the basis of the TIA.