No intra-group data transfer of employee data?
Data protection practical tip on LG Bochum, judgment of 22.01.2020, Ref. 2 O 186/19, I-2 O 186/19
Internal data transfer between different companies of a group is nothing new in times of extensive technical and personal networking. It is sometimes taken for granted that employee data is transferred from one group company to another for the purpose of payroll processing, personnel administration or for tax reasons, stored there and used for the respective purpose. Such transfers obviously involve the processing of personal data relevant under data protection law, namely employee data. However, it is often unclear on what legal basis the intra-group data transfer rests and whether it is actually permissible under data protection law in the specific case. The Bochum Regional Court addressed this question (in excerpts) in a decision from 2020 and determined (to anticipate the result) that a data transfer of personal (employee) data was not covered by the employer's "legitimate interest" in the case at issue.
The verdict
The subject of the ruling was the transfer of personal data (employee data), in particular on the amount of the plaintiff's annual gross salary, information on bonuses and on other benefits from her employer, a company within a group of companies, to another subsidiary (defendant) of the same group of companies. The purpose of this data transfer was to create a database with comparative values on salaries for new employment contracts to be concluded.
In addition to the defendant's obligation to delete all data affected by the transfer, regardless of the type of storage medium (cloud, database, Excel, tablets, cell phones, business PCs, etc.), the court also awarded the plaintiff (non-material) damages in the amount of €8,000 (Article 82 (1) GDPR). The court based its decision on the argument that the defendant could not invoke a suitable legal basis for the data transfer carried out. Consent (Article 6 (1) (a) of the GDPR) was ruled out from the outset as a legal basis (this was undisputed between the parties), since no such consent had been given in the present case. In addition, the defendant could not invoke its "legitimate interests" under Article 6 (1) (f) of the GDPR for the data transfer, since the interests of the plaintiff had to be weighed against those of the defendant. This applies irrespective of the question of whether the defendant benefits from the so-called "small group privilege" in this case, since a balancing of interests must also be carried out in this regard. In terms of content, the specific transfer of data already fails on the requirement of necessity. Recital 39, sentence 9 of the GDPR provides that personal data may only be processed if the purpose of the processing cannot reasonably be achieved by other means. In the case at hand, according to the court, the creation of a comparative database on salaries of new employees could also have been implemented by creating a new database without "legacy data" of existing employment contracts or with employee data that had been pseudonymized or anonymized before being transferred. An aggravating factor in the weighing process was that the plaintiff had expressly objected to the data transfer after the fact (but before the legal proceedings), so that the data held by the defendant should have been deleted at that time in any case.
Effects on practice
The consequences of the ruling for internal company data transfers are certainly of great relevance. For example, it shows that the unintended internal exchange of employee data between several group companies should by no means be classified as "daily business", but must always be examined on a case-by-case basis in terms of content, taking into account the purpose pursued. This sometimes requires a precise weighing of the interests of the employee and his or her right to informational self-determination against the business information interests of the employer. It would be short-sighted to assume that it is enough merely to pseudonymize employee data prior to transmission: pseudonymized data remains within the scope of application of the GDPR, and in the case at issue the plaintiff had expressly informed the defendant that she agreed to the pseudonymization of the data required to create the comparison database. It is therefore doubtful whether pseudonymization is sufficient without prior agreement with the employee. To "play it safe", employers should therefore anonymize personal data of their employees before transferring data within the group. This applies in particular to cases such as the creation of a statistical database for salary comparisons, in which the purpose of the data processing can also be achieved with data that has no direct reference to individuals.
There are further legal concerns regarding the transfer of employee data within the group on the basis of consent obtained in advance from the employee (Article 6 (1) (a) of the GDPR). The legislator assesses the lawfulness of such consent as a suitable legal basis for data processing, among other things, according to its voluntary nature. This is based on the idea that the actors involved in data processing, the data subject and the data processor, face each other in a structural equilibrium and can decide, free from external or internal constraints, whether or not to give consent without having to fear negative consequences. In contrast, an employment relationship is naturally characterized by an asymmetry of power between the employer as the party authorized to give instructions and the employee as the party bound by instructions. As a result, consent for data processing in the employment relationship will generally not constitute a suitable legal basis.
Under data protection law, on the other hand, it would be legitimate to transfer employee data to third parties if this is necessary for the performance of the employment relationship (Article 6 (1) (b) of the GDPR). This principle is, for example, the basis for publishing employee names on a website or passing on business cards in the case of employees "with external effect". Also necessary are, for example, the receipt of applicant data, its internal transmission to the competent body and the temporary storage of this data for the purpose of decision-making. In contrast, a database of employee salaries at another (group) company for the purpose of improving the recruitment process of future employees is not necessary for the performance of the employment relationship with a particular (existing) employee. The creation of a salary database for new employees does not directly affect the already existing employment relationship of the employee affected by the data transfer, nor is it relevant for the future performance of the employment relationship. Accordingly, an intra-group transfer of data that is not absolutely necessary for the employment relationship cannot be based on Article 6 (1) (b) of the GDPR.
Apart from the question of a suitable legal basis for the transfer of data within the group, the amount of the (non-material) damages awarded deserves mention. At €8,000, the amount awarded for the transfer of data relating to a single employee, which did not involve any sensitive data, is definitely high. In this respect, the Bochum Regional Court confirms the general trend, according to which the courts do not "fob off" the claims for damages from affected parties with a few hundred euros, but sometimes also award amounts in the upper four-digit range.
Outlook
There is no question that employers within a group structure have to process employee data and do so to a certain extent. However, in its decision, the Bochum Regional Court impressively demonstrated that the transfer of data within a group is by no means an unobjectionable business transaction at any time, but rather imposes legal requirements on all group companies involved in the transfer. If a company affiliated with the employer ignores these requirements, it not only faces an obligation to delete the data, but also incurs liability for damages.
In this respect, it is advisable to determine and check from the outset within several group companies which employee data must necessarily be transmitted within the group and to do this - if necessary - without reference to individuals.