Your benefits
- Expertise in the corporate group structure
  The group data protection officer has many years of expertise in setting up a data protection organization across the entire corporate group.
- Specialized knowledge in an international context
  We are a tried-and-tested consulting partner when it comes to dealing with country-specific issues and structural differences.
- Integrated solutions
  We ensure a uniform level of data protection within the group that regulates processes within the corporate group in a legally secure and economically sensible manner.
Professional data protection management for corporations
Organizing data processing globally and thus minimizing corporate risks is a major challenge in a corporate group structure. In order to centralize data protection, a group of companies can appoint one person as its group data protection officer. The Group Data Protection Officer performs the tasks in accordance with Article 39 of the GDPR. In doing so, he centrally controls and monitors the implementation of the GDPR in the group.
We, intersoft consulting services AG, have been supporting corporate groups in data protection for more than a decade and always follow a hands-on approach. Our group data protection officers are lawyers with a great deal of technical understanding. An external group data protection officer of intersoft consulting ensures uniform data protection standards within the group of companies and also takes individual differences into account in cross-national consulting. The external group data protection officer can quickly grasp complex issues, always maintains an objective view and is a professional contact for authorities and affected parties. He or she works with you as part of a team and is confident in leadership and negotiation.
Together with you, we centrally ensure data protection-compliant processing within your group structure with the external group data protection officer. In doing so, we always take into account individual business interests and structural conditions. In his function, your external Group Data Protection Officer reports to the highest management level of the corporate group.
In the beginning, the external group data protection officer carries out an analysis of the current situation. The status of the implementation of data protection throughout the group is determined and, in the event of deviations, a risk assessment is carried out and recommendations for action are identified. The results also serve as a basis for ongoing activities in the role of the group data protection officer.
As part of our ongoing consulting services, we provide support for you in setting up a global data protection organization – using the so-called coordinator model. Data protection coordinators or data protection champions are appointed in the individual group companies to support the group data protection officer. Within their area of responsibility, the data protection coordinators support the management and the Group Data Protection Officer in implementing data protection regulations and act as an interface between local authorities and data subjects and the centrally located group data protection officer. We have had very good experience with the coordinator model for many years, have excellent expertise and proven best practices.
This is how we can support you
- Provision of an external group data protection officer
- Establishment of a global data protection organization
- Carrying out a status analysis (data protection check)
- Establishment of a data protection management system based on the GDPR
- Training of data protection coordinators and consulting during ongoing operations
- Development of strategic data protection documents such as data protection guidelines / privacy policies, templates, or a data protection concept
- Advice on data transfers abroad in compliance with data protection requirements and on the exchange of personal data within the group
- Design of data protection processes such as information and complaint management or notification of data protection violations
- Monitoring the implementation of data protection regulations
Frequently asked questions about the group data protection officer
We’ll tell you what you should know about the role of the group data protection officer.
A significant challenge for data processing within corporate groups is that there is no so-called “group privilege” in data protection law. This means that if personal data is transferred to a third party, i.e., outside the company itself, it does not matter whether the recipient is an external company or a company within the group structure.
The GDPR provides some relief in group data protection for data transfers based on a legitimate interest of the companies involved. According to Recital 48 of the GDPR, data controllers that are part of a group of companies may have a legitimate interest in transferring personal data within this group for internal administrative purposes. Due to the lack of group privilege in the area of data protection, it is important to ensure that a legal basis exists for any intra-group exchange of personal data. Our experienced data protection consultants will be happy to help you implement data transfers within the corporate group that comply with data protection requirements.
The lack of group privilege poses challenges for group companies. Outsourcing certain corporate areas (e.g., accounting, human resources management or payroll) and centralizing data processing at the group parent is not readily possible.
When introducing and using a group database, it must be clarified, for example, which company is actually “responsible” or whether “joint responsibility” between the participating group companies can even be considered. Under certain circumstances, commissioned processing may also be considered. In addition, companies are under an obligation to base each intra-group transfer of personal data on a valid legal basis. If a group company involved is located in a third country, additional requirements have to be fulfilled. If the group company independently processes employee data that it receives from a group company in the EEA, the standard contractual clauses provided by the European Commission require supplementary regulations for data protection-compliant transfer of employee data.
According to Art. 37 (2) GDPR, a group of companies may appoint a joint data protection officer, provided that the data protection officer can be reached from each branch. This was already permissible and customary under the German Federal Data Protection Act (BDSG). The GDPR makes this even easier. A significant advantage of appointing a group data protection officer is the establishment of a uniform level of data protection in the corporate group through the central organization.
Various models are available to achieve this purpose. Under the so-called single model, one and the same person can hold the function of data protection officer for several or all group companies. In this case, each group subsidiary has properly appointed this person as Group Data Protection Officer. The larger the corporate group, the more resources and employees the Group Data Protection Officer requires in the single model.
An alternative to this is the so-called coordinator model. In this model, each company in the group appoints its own data protection officer, while the group-wide data privacy organization is coordinated by a Group Data Protection Officer. What both models have in common is that all the threads come together at one expert office in order to find uniform solutions for cross-company issues in data privacy.
Competence of more than 60 consultants
- Fully qualified lawyers (2 state examinations), including attorneys with doctorates
- Specialists in IT law, intellectual property law, copyright and media law, insurance law and social law
- Master of Laws in IT law, media law, intellectual property law and industrial property law
- Bachelor of Laws in information law and business law
- TÜV‑certified data protection officers and data protection auditors
- Certified Information Privacy Manager (CIPM), Certified Information Privacy Professional (CIPP/E)
- IT‑Compliance Manager (ISACA) and Compliance Officer (TÜV)
- Data Protection Officer following association criteria (BvD)
- BSI certified audit team leader for ISO 27001 based on IT baseline protection and IS auditor
- ISO/IEC 27001 Lead Auditor, ISO/IEC 27001 Implementer, ISO/IEC 27001 Practitioner
- GIAC Certified Forensic Examiner, GIAC Advanced Smartphone Forensics, GIAC Reverse Engineering Malware, GIAC Cyber Threat Intelligence, GIAC Certified Incident Handler, GIAC Penetration Tester, GIAC Battlefield Forensics and Acquisition
- IT Security Officer (TÜV)
- Computer scientist and business information scientist
- Master of Engineering IT Security and Forensics
- Bachelor of Science General and Digital Forensics
- Cyber Security Practitioner (ISACA), IT Information Security Practitioner (ISACA)