Intra-group trans­fer of employee data under the GDPR?

The que­sti­on of the trans­fer of employee data (employee data) within the group of com­pa­nies ari­ses very often. In Switz­er­land Art. 328b OR rele­vant (work­place refe­rence of the data). Accor­ding to the cur­rent case law of the Fede­ral Supre­me Court Howe­ver, Art. 328b CO is not to be under­s­tood as a pro­hi­bi­ti­on rule, but rather as an employment con­tract con­cre­tizati­on of the data pro­tec­tion pro­ce­s­sing prin­ci­ples of pur­po­se limi­ta­ti­on and pro­por­tio­na­li­ty. Art. 328b OR can the­r­e­fo­re not a prio­ri pre­vent a dis­clo­sure, but requi­res – via data pro­tec­tion law – a Weig­hing of inte­rests in indi­vi­du­al cases.

Accor­ding to the GDPR, the dis­clo­sure of employee data within the group requi­res a legal basis like any other form of pro­ce­s­sing (i.e., the dis­clo­sure and also the sub­se­quent pro­ce­s­sing requi­re a legal basis, wher­eby the dis­clo­sure by the employer is also sub­ject to employee data pro­tec­tion law and the sub­se­quent pro­ce­s­sing by the recei­ving third-par­ty com­pa­ny is only sub­ject to gene­ral data pro­tec­tion law). Art. 6 para. 1 lit. f DSGVO, the legi­ti­ma­te inte­rest, comes into que­sti­on. This is also indi­ca­ted by reci­tal 48, which men­ti­ons, among other things, inter­nal admi­ni­stra­ti­on within the group as a pos­si­ble legi­ti­ma­te interest:

(48) Per­sons respon­si­ble for Part of a group of com­pa­nies or a group of enti­ties that are assi­gned to a cen­tral body may have a legi­ti­ma­te inte­rest in dis­clo­sing per­so­nal data to within the group of com­pa­nies for inter­nal manage­ment pur­po­ses inclu­ding the pro­ce­s­sing of per­so­nal data of cus­to­mers and employees. The basic prin­ci­ples for the trans­fer of per­so­nal data within groups of com­pa­nies to a com­pa­ny in a third coun­try remain unaffected.

Howe­ver, this does not mean that every dis­clo­sure within the Group is per­mis­si­ble if it ser­ves inter­nal manage­ment pur­po­ses – the­re always needs to be a Weig­hing of inte­rests in indi­vi­du­al cases, which must (and not only should) be docu­men­ted accor­ding to the GDPR dif­fer­ent­ly than accor­ding to the revDSG.

The The Hig­her Regio­nal Court ofHamm (OLG Hamm) has now ruledthat a spe­ci­fic dis­clo­sure was not com­pa­ti­ble with Art. 6(1)(f) of the GDPR, essen­ti­al­ly becau­se anony­mi­zed or pseud­ony­mi­zed data is also suf­fi­ci­ent. had. The case con­cer­ned a manage­ment con­tract with a group parent com­pa­ny, which had a veto right for employment con­tracts with a wage abo­ve a cer­tain limit. In order to deter­mi­ne the num­ber of cor­re­spon­ding con­tracts, the parent com­pa­ny car­ri­ed out a sur­vey of the group com­pa­nies, asking, among other things, for the names of the employees concerned.

Also no legal basis was § 26 BDSG, the par­al­lel stan­dard to Art. 328b OR in the Ger­man Fede­ral Data Pro­tec­tion Act, which in prin­ci­ple per­mits the pro­ce­s­sing of employee data inso­far as this is “is neces­sa­ry for the decis­i­on on the estab­lish­ment of an employment rela­ti­on­ship or, after the estab­lish­ment of the employment rela­ti­on­ship, for its imple­men­ta­ti­on or ter­mi­na­ti­on or for the exer­cise or ful­fill­ment of the rights and obli­ga­ti­ons of the repre­sen­ta­ti­on of employees’ inte­rests resul­ting from a law or a coll­ec­ti­ve agree­ment, a works agree­ment or a ser­vice agree­ment (coll­ec­ti­ve agree­ment)”. § Sec­tion 26 of the BDSG takes pre­ce­dence over the GDPR on the basis of Artic­le 88 of the GDPR, but dis­clo­sure was not neces­sa­ry in the pre­sent case.

The decis­i­on of the OLG is not sur­pri­sing. Abo­ve all, it shows that alter­na­ti­ves must be serious­ly con­side­red in the always neces­sa­ry pro­por­tio­na­li­ty test – the often some­what swee­ping objec­tion of “busi­ness” that a pro­ce­s­sing pur­po­se can­not be achie­ved with anony­mous data should the­r­e­fo­re often be questioned.