Written agreements
Intra-Group Data Sharing Agreement (IGA)
An Intra-Group Data Sharing Agreement (IGA) is appropriate to establish when there is data sharing between companies within a group of companies, including sharing of personal data.
Data sharing within a group of companies
Within a group of companies, it is common for companies to share information, such as personal data, with each other for various reasons. However, it is important to keep in mind that personal data sharing cannot take place in just any way. The GDPR contains no exception that allows the sharing of personal data between group companies to take place freely. Instead, the same rules apply as for any other personal data sharing covered by the GDPR. It is therefore good for the companies within the corporate group to enter into an Intra-Group Data Sharing Agreement with each other, to ensure that the intra-group sharing of personal data takes place in accordance with the GDPR.
Before there is internal sharing of personal data, the company that performs the data sharing must:
- Have a legal basis for carrying out the data sharing;
- Document the legal basis and purpose of the data sharing;
- Inform data subjects about the sharing of data. This is usually done via the company’s privacy notice;
- Comply with the other rules of the GDPR such as the principles of purpose limitation and data minimisation.
When it may be appropriate to establish an Intra-Group Data Sharing Agreement
- If common IT systems are used throughout the group by the various group companies.
- If customer records, including customers’ personal data such as contact details, are shared within the group.
- When marketing, involving the processing of personal data or profiling, takes place at group level.
Role allocation according to GDPR within a group
The allocation of roles under the GDPR between the parties to an Intra-Group Data Sharing Agreement may be one of the following, or a combination of the following:
- All parties are independent data controllers for a certain data sharing that takes place internally between the group companies.
- At least one party is the data controller and at least one other party is the data processor for a certain data sharing that takes place internally between the group companies.
- At least one party is a data processor and at least one other party is its sub-processor for a particular data sharing that takes place internally between the group companies.
- At least two parties are joint controllers.
What content should an Intra-Group Data Sharing Agreement have?

Purpose
What is the reason and purpose for which the personal data needs to be shared internally within the group? For example, for group-wide governance, fulfilling a legal obligation, streamlining work within the group, coordination of systems or similar. Please note that the purpose must be specific and clear.

Personal data
What categories of personal data are shared within the group? Personal data may be ordinary or sensitive personal data. The agreement should also regulate what volumes of personal data are transferred, who the personal data belongs to (that is, who are the data subjects), etc. It is important to have such an overview, in order to make a good risk assessment and implement security measures accordingly.

Legal basis
What is the legal basis for the transfer pursuant to Article 6 of the GDPR? Companies must have a legal basis to be able to transfer and share personal data. This also applies to data sharing internally within the company, as well as to other companies within the group. For example, a legal basis may be a legal obligation or legitimate interest. Consent is not usually used for data sharing in a group context.

Technical and organisational security measures
Companies must implement adequate technical and organisational security measures to protect the personal data being processed. This is also needed in order to comply with the other rules of the GDPR, such as fulfilling the rights of data subjects upon request. It is good to describe which security measures are taken in connection with the data sharing, for example encryption of personal data, segmentation of sensitive personal data, implemented written procedures, policies, etc.

Personal data breaches
The more companies that are involved in sharing and receiving data, the more complex the handling of personal data breaches becomes. It is therefore good for the parties to regulate who is responsible for contacting the data subjects and the national data protection authority, how the parties should report the incident between themselves, etc. Please note that reporting to the national data protection authority must take place within 72 hours from the discovery of the breach.

Rights of data subjects
The companies in the group must be clear about which of them receives rights requests from the data subjects, fulfils the rights on request, communicates with the others about requests, time frames, etc. If not, there is a risk that the data subjects end up in a "no-man's-land" and do not know who to contact, or are referred back and forth between the parties.

Storage period
The different group companies may have different retention periods for the personal data that is processed intra-group. It is therefore good for the companies to regulate this in more detail in the Intra-Group Data Sharing Agreement: how long the personal data may be processed by the group companies, how the personal data should be erased, and which of the parties bears the ultimate responsibility for erasing the personal data.

Prohibition
It shall be regulated in the Intra-Group Data Sharing Agreement whether there are any prohibitions or not. For example, that the personal data may not be shared with any third party outside the group, unless there is a written supplementary agreement. Another prohibition that is good to regulate is that the personal data may not be used for any other purposes than the original ones.

Third country transfers
Many groups operate both within and outside the EU/EEA area. If personal data is transferred from a country within the EU/EEA to a country outside it, this constitutes a transfer to a third country. In such cases, a Data Transfer Impact Assessment (DTIA) for the third country may be necessary before any data sharing takes place.
One Data Protection Officer (DPO) for the entire corporate group
It is possible for a group of companies operating in several EU/EEA countries to have only one Data Protection Officer, instead of an individual Data Protection Officer for each company in each country. However, this can be problematic in some cases, especially for large groups of companies with millions of customers. The Data Protection Officer must be able to carry out his or her duties, such as answering questions from data subjects concerning the processing of their personal data, and this can be difficult if there is only one Data Protection Officer for the whole group.
Data Sharing Agreement (DSA)
It is not uncommon for two or more companies to share personal data with each other while each has its own purposes of processing, so that they are independent data controllers. Each such party also determines the legal basis for its own processing of the personal data and is responsible for ensuring that its processing is carried out in accordance with the GDPR. In such cases, it is useful to establish a Data Sharing Agreement (DSA) between the independent controllers, in order to regulate the data sharing and the responsibilities between the parties. Please note that a Data Sharing Agreement (DSA) and a Data Processing Agreement (DPA) are not the same. They are suitable for different types of relationships and divisions of roles between the parties to the agreement.