Within corporate groups, personal data is frequently exchanged between affiliated companies for central functions such as HR or IT operations. However, these data transfers are subject to stringent data protection regulations under the GDPR, which does not provide exemptions for corporate structures. Therefore, it is essential to comply with applicable data protection regulations even for internal data transfers.
For each transfer of personal data within the corporate group, it is necessary to determine whether it constitutes a simple data transfer (with sole responsibility of each company), data processing on behalf of others, or joint responsibility. In cases of data processing on behalf of others or joint responsibility, appropriate data protection agreements must be concluded in accordance with Articles 28 or 26 of the GDPR.
Internal Data Transfer Agreement as a Simple Solution
To avoid a multitude of individual agreements, affiliated companies can enter into an internal data transfer agreement. This agreement transparently outlines which companies export and import data, the purposes of such transfers, the types of data involved, and the relevant data protection arrangements (data processing on behalf of others or joint responsibility).
Such internal data transfer agreements are crucial for making complex data flows within the corporate group transparent and avoiding contractual chaos. They significantly facilitate compliance with data protection requirements by encompassing the necessary data protection agreements (data processing agreements under Article 28 GDPR, joint responsibility agreements under Article 26 GDPR, and EU standard contractual clauses).
Contents of an Internal Data Transfer Agreement
This agreement should consider various data protection arrangements and transparently depict the details of data processing within the corporate group. It is important to treat data transfers outside the EU/EEA separately and clearly allocate data flows to the three main categories (transfers outside the EU/EEA, joint responsibility, and data processing on behalf of others).
For each of these categories, the involved companies and details of the data processing (such as data types, data subjects, processing purposes, and methods) should be precisely described. All involved companies within the group should be able to sign or join the internal data transfer agreement, with appropriate accession clauses provided.
An internal data transfer agreement is thus a central instrument to ensure compliance with data protection standards within a corporate group and to guarantee transparency over data flows.
Veröffentlicht von:
tec4net GmbH
Lohenstraße 13
82166 Gräfelfing bei München
Telefon: +49 (89) 54043630
Homepage: http://www.tec4net.com
Ansprechpartner(in): Matthias Walter
Herausgeber-Profil öffnen
Die Firma tec4net wurde 2003 in Berlin gegründet und hat heute ihren Hauptsitz im Großraum München. Als IT-Dienstleister betreuen wir mittelständische Unternehmen und unterstützen Großkunden und Konzerne bei der Planung und Umsetzung ihrer IT-Projekte.Als ein Team von Fachleuten aus vielen Bereichen der Informationstechnologie und Unternehmensberatung, bieten wir auf Ihre Bedürfnisse zugeschnittene individuelle und wirtschaftliche Lösungen.
Informationen sind erhältlich bei:
Herr Matthias Walter