
Group Data Protection

The bigger the corporate group, the greater the scope of data protection measures

Corporate groups face far more complex data protection requirements than stand-alone companies:

  • Secure data transfer between group companies and with third parties;
  • Data protection in cross-border data transfers to third countries (eg based on BCRs) in compliance with local data protection laws, which may vary substantially across jurisdictions;
  • Uniform approach to handling and processing data (eg e-mails, employee data, telephone use, whistleblowing systems);
  • Creating data pools;
  • Data protection systems for the use of uniform software solutions;
  • Works agreements with the group/general works council from a data protection perspective.

One of the major and most frequent challenges in group data protection is that it is not possible to implement a single, group-wide data protection solution. In most cases, the problems faced by the individual companies must be solved on an individual basis.

Scope of services
  • Establishing data protection systems within the group
  • Data transfer and data processing within groups
  • Advising on the compliant handling of data, data management systems and IT tools
  • Cross-border data transfer (eg under EU standard contract clauses)
  • Appointment of data protection officers 
  • Privacy notices and privacy policies
  • Big data and data outsourcing via cloud computing
  • Data protection compliance

News and insights

Blog Post: 22 February 2024

EDPB adopts opinion on the notion of main establishment during 90th plenary

The European Data Protection Board (EDPB) during its 90th plenary session, on 14 February 2024, amongst other things: adopted an opinion (the Opinion) on the notion of a controller’s main…


Blog Post: 14 February 2024

ICO and AEPD take steps for protection of minors

The Information Commissioner’s Office (ICO) launched a campaign called ‘Think. Check. Share’ (the Campaign) on 29 January 2024, to promote responsible data sharing to safeguard children. The Campaign…


Blog Post: 10 January 2024

CJEU rules that a credit score constitutes automated decision making under the GDPR

On 7 December 2023, the Court of Justice of the European Union (CJEU) issued a landmark judgment on Article 22 of the General Data Protection Regulation (GDPR), focused on decision making based solely…


Blog Post: 13 September 2022

Germany – Schrems II: German court overturns presumption of international data transfer from EU-subsidiary to non-EU parent company

On 13 July 2022, the Public Procurement Chamber of the German state of Baden-Württemberg (the Public Procurement Chamber) issued a decision confirming that personal data processed by an EU subsidiary…
