Introduction
Businesses with group entities based around the world face unique data protection challenges.
Our client was no exception. With a head office in the UK and subsidiary companies in North America and the Asia-Pacific region, it sought our assistance to ensure that its cross-border transfers of personal data complied with the UK GDPR.
Challenge
Our client had developed a complex, high-volume data analytics product. As a result, it was processing significant amounts of personal data, both as a data controller and as a data processor on behalf of its clients. This activity was supported by its subsidiary companies.
In addition, some of its employee management and HR functions were offshored to a subsidiary.
This meant that all four types of data transfers were in scope:
(a) controller to controller,
(b) controller to processor,
(c) processor to processor, and
(d) processor to controller.
Following discussions with the client, it also became clear that there would be scenarios in which two client group entities would act as joint controllers.
Addressing these issues required us to analyse a complex set of data flows between multiple client group entities and to ensure that each contemplated flow was compliant with the UK GDPR. This was particularly challenging because the UK GDPR does not treat a corporate group as a single entity: each group entity must comply with the UK GDPR in its own right (or, where it is not itself subject to the UK GDPR, ensure that the group entities that are subject to it can do so).
Solution
When considering data flows between separate entities with an international element, the core compliance requirement involves bringing together three separate strands of the UK GDPR:
- Article 28 requirements governing contracts between controllers and processors.
- Article 26 ‘arrangement’ between joint controllers.
- Articles 44 to 50 relating to international data transfers.
Taken together, these provisions require a contract (or series of contracts) between entities that control how personal data is transferred, exported and/or processed.
Given that our client’s corporate group was constantly evolving, entering into multiple separate agreements would be extremely cumbersome.
Our solution was therefore to design a highly bespoke intra-group data management agreement that addressed all of these UK GDPR requirements within a single document. In essence, the agreement sets out contractual terms that apply depending on the relevant situation. For example, if a group entity were to transfer personal data outside the UK, the provisions around standard contractual clauses would apply, regardless of the transfer type. Similarly, if a group entity acted as a data processor for another group entity or for a group customer, the provisions relevant to that scenario would apply.
Importantly, we were able to put in place a contractual mechanism that allowed for the addition or removal of group entities on an ongoing basis, reducing the administrative burden of contract management to a minimum. This approach also made the client’s compliance highly auditable: instead of having to pull together dozens of different contracts, only one was required.
The client has since been able to use this agreement with new group entities in a seamless way.
If your organisation requires assistance with the transfer of personal data between group entities, or with UK GDPR compliance more generally, we would be happy to help. Please don’t hesitate to contact us.
