This white paper was written by Dr. Gerlind Wisskirchen of CMS Germany, and covers some of the issues of sharing HR data under European law. It’s a potentially thorny issue for employers and is backed up by stiff fines and other penalties. I’ve excerpted the first part of the paper below. You can download the full version here. (CUE member login only)
The group headquarters’ e-mail seemed unspectacular at first glance: “Please provide us with a complete list of all employees working at your company including details regarding age, entry date, position and remuneration by tomorrow, COB.” The HR department addressed was able to quickly compile the list and sent it to headquarters without further inquiry. It was overlooked – as is often the case – that this transfer entails significant risks under European data protection law. Data transfers between group companies are often regarded as an “internal matter.” This holds true, in particular, when the parent company cites reasons for the inquiry that seem plausible: be it conducting a due diligence review, introducing group-wide know-how databases or group-wide staff development.
The transfer of personal (employee) data between legally independent companies of a group is not necessarily permissible under data protection law. European data protection law permits the collection, processing and use of personal data only if this is permitted by law or if the data subjects have given their consent. Corporate and economic connections and links between the sender and the receiver of personal data are not taken into consideration; in particular, companies belonging to the same group are not considered one entity. If the transfer of personnel data does not satisfy the requirements under data protection law, it may, for example in Germany, result in fines of up to EUR 300,000.
This can no longer be dismissed as a purely theoretical problem. The supervisory authorities have intensified their activities and increasingly imposed fines – on companies, on the acting employees, and on the responsible managing directors and board members as well.
The problem is aggravated by the EU General Data Protection Regulation, which will be applicable as of 25 May 2018. Under the General Data Protection Regulation, fines of up to EUR 20 million or 4 percent of the annual turnover – possibly of the entire group – may be imposed.