Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.
The EU’s General Data Protection Regulation (GDPR) regulates the transfer of personal data in the European Union. For many multinational employers, Standard Contractual Clauses (SCCs) offer the only practical means of transferring this data to countries outside the EU or European Economic Area (EEA). In 2020, the Court of Justice of the European Union (ECJ) ruled, in a judgement known as “Schrems II,” that the SCCs may still be used for transferring EU personal data, but noted that supplemental measures would be needed to ensure a level of data protection in the third country equivalent to that in the EU. Following Schrems II, data protection authorities announced that they would carry out cross-border monitoring of international data transfers. The deadline for adapting SCCs to meet new compliance obligations is December 27, 2022. Therefore, internationally active group companies need to act now: Those that are not yet familiar with the Intra Group Data Transfer Agreement (IGDTA) should now take note; those that are already familiar with it should take stock.
In EU-based companies with subsidiaries (i.e., group companies), personal data of employees and applicants are often not only processed within the employing company, but also transferred to the parent company located abroad or to other group companies. There are many reasons for this: in the age of mobile working, employees in matrix structures report to superiors at another (foreign) company, the HR department is centralized for all group companies, or a common Human Resource Information System (HRIS) is used for standardization. These arrangements are relevant from a data protection perspective in two respects: The first step is to clarify whether the processing of personal data is in itself permissible under data protection law. The next assessment is the extent to which an equivalent level of data protection actually exists in the third country in which the other group companies are located.
In order to check compliance with data protection law, fact-finding should first be carried out. This level of review should be familiar, as it also regularly takes place in the case of data transfers within the EU or EEA. In general, the following question arises: Which personal data should be transferred to which group companies and for which purposes? It is advisable to consult data protection experts already at this first stage, because the definition of personal data alone often raises questions in practice. In addition, the time and effort involved should not be underestimated. Experience has shown that this can be time-consuming when introducing complex IT systems and can also trigger other issues relevant to employment law.
In a nutshell: The GDPR prohibits the processing of personal data unless it is separately authorized. In an employment relationship in Germany, for example, Section 26 (1) sentence 1 of the Federal German Privacy Act (“Bundesdatenschutzgesetz” or “BDSG”) is of particular importance. This provision permits data processing, among other things, if it is necessary for deciding on the establishment of an employment relationship or, after establishment, for its implementation, execution or termination. The term "necessity" is to be understood restrictively in this context: Not everything that is expedient is also necessary. For example, the centralization of the HR department may be financially expedient but will most likely not be necessary for the execution of the individual employment relationship. If necessity is denied, it may be possible to legitimize the data transfer by means of another legal authorization. If the data processing is based on the employee’s consent instead, this should be examined particularly critically, since in an employment relationship increased requirements apply to proof that the consent was granted voluntarily.
The second stage is the Intra Group Data Transfer Agreement (IGDTA). This is a contractual agreement between the various group entities that regulates (international) data transfers within the group. If personal data is transferred to a third country, i.e., a country outside the EU or EEA, this international data transfer is subject to further requirements. The aim is to ensure an equivalent level of protection of personal data in the third country. The GDPR provides for various options for this: among others, an adequacy decision by the European Commission for the respective country, the establishment of binding internal data protection rules ("Binding Corporate Rules") or the agreement of Standard Contractual Clauses (SCCs).
If no adequacy decision for the relevant third country has been issued, in practice many companies choose the latter option and enter into an Intra Group Data Transfer Agreement in which they agree on the applicability of the SCCs. As previously noted, the SCCs are contractual clauses published by the European Commission that contain provisions designed to ensure adequate data protection safeguards. On June 4, 2021, the European Commission published new SCCs that must be applied immediately for new agreements (IGDTAs). Existing legacy agreements should be subject to an inventory, as the "old" SCCs must be replaced by December 27, 2022.
In the IGDTA, the relationship between the respective companies, i.e., the role in which each of them acts (data controller or processor), must be determined and regulated. Then the appropriate one of the four SCC modules must be chosen and made part of the IGDTA (e.g., as an annex). However, the mere conclusion of an IGDTA or the agreement of the SCCs alone is not sufficient to comply with data protection law.
Finally, the SCCs — as decided in particular in the Schrems II ruling of the ECJ — must also be worth the paper they are written on. To ensure this, the SCCs stipulate, among other things, that the company must review the level of data protection in the third country and ensure it by taking additional protective measures. This review is carried out through the mandatory performance of a so-called "Transfer Impact Assessment" (TIA), which analyzes the risk of data transfer, taking into account the legal situation in the third country. This requires a detailed examination of the law applicable in the third country. In addition, the specific measures taken to protect the data must be considered and evaluated. This is not a one-time task, but rather a dynamic process that requires constant review and adjustment. This is also accompanied by the company's obligation to constantly implement protective mechanisms, such as technical and organizational measures, to be able to permanently guarantee a comparable level of data protection in the third country and to refrain from transferring data if this can no longer be guaranteed. The recommendation of the European Data Protection Committee (EDSA) can be used as an aid to action.
Group companies should pay increased attention to international data transfers; otherwise they could face significant fines under the GDPR. The implementation of the new SCCs must be completed by December 27, 2022. This necessary step should be taken as an opportunity to review the current data flows and the associated contractual framework and to (re)assess the respective risk on the basis of the TIA.