Data Protection within the Corporate Group


Introduction to Data Protection

The protection of personal data is of central importance in today’s increasingly digitalized world. With the EU’s General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), there are clear and binding rules on how companies and corporations must handle the data of customers, employees, and business partners. Particularly in a corporate group consisting of multiple companies, it is crucial that data processing procedures within the group are legally compliant. The GDPR and BDSG regulate how personal data may be collected, stored, and processed to protect the privacy and rights of the individuals concerned. Companies and corporations are therefore obliged to consistently comply with these regulations to maintain the trust of those affected and to avoid legal risks.

Corporate Group and Data Protection

A corporate group is an association of several companies under unified management. The corporate management is responsible for ensuring that the requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) are observed throughout the entire group. This applies to all levels and companies within the group—from the parent company to the subsidiaries. The collection, storage, and processing of personal data must be conducted group-wide in accordance with legal requirements. Corporate management must ensure that all companies within the group understand and implement the data protection requirements to guarantee the security and protection of data. Only then can a consistent and legally sound data protection level be achieved throughout the group.

Responsible Party and Data Protection Officer

Within a corporate group, the responsible party is the person or entity deciding on the purposes and means of processing personal data. The data protection officer, on the other hand, is responsible for monitoring compliance with data protection regulations in all companies within the group. They advise the corporate management and individual companies on all data protection issues, train employees, and serve as a contact for affected individuals regarding their rights in connection with the processing of their personal data. Close cooperation between the responsible party and the data protection officer is essential to ensure compliance with data protection regulations throughout the group and to effectively protect the rights of those affected.

Federal Labor Court on the Transfer of Personal Data within a Corporate Group – Ref. No. 8 AZR 209/21

Data protection also plays a central role in employment law. This concerns not only the handling of employees’ personal data in relation to third parties but also within a corporate group. The Federal Labor Court made it clear with its ruling of May 8, 2025, that the requirements of the General Data Protection Regulation (GDPR) must also be observed when transferring data within the corporate group (Ref. No. 8 AZR 209/21).

Authorities have an important role when applying the General Data Protection Regulation (GDPR): They must ensure compliance with data protection laws, including state data protection laws, and implement measures for data collection and protection of personal data on the internet. In certain cases, these tasks and measures are regulated by relevant articles of the regulation to uphold the rights of the affected individuals—such as citizens, users, and the public—and to ensure transparency.

From application to termination of employment, a large amount of employee data is collected and processed at the workplace. Employers must in particular observe the provisions of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG), according to the commercial law firm MTR Legal Rechtsanwälte, which provides advice in data protection law.

GDPR must be considered for intra-group data transfer

The GDPR requirements must also be observed in the intra-group transfer of data, as demonstrated by the Federal Labor Court’s ruling of May 8, 2025. The Federal Labor Court clarified that an employee may be entitled to compensation for damages due to a GDPR violation.

In the case at hand, the employer had transferred an employee’s personal data within the group to a parent company because a new cloud-based software for personnel management was to be tested. The software was intended to introduce a new personnel management system group-wide.

The preliminary test operation of the new personnel management system had previously been regulated in a company agreement. According to the agreement, names, start of employment, company, place of work, as well as business phone numbers and email addresses could be transmitted. However, the employer also provided information on salary, date of birth, marital status, social security number, tax ID, and the employee’s private address to the corporate group.

The GDPR and its relevant articles apply not only to companies but also to authorities, in order to protect the rights of users, those affected, and citizens. Measures for data collection and for the protection of personal data on the internet, as well as compliance with state data protection laws, are significant tasks in guaranteeing transparency to the public.

Data transmitted without sufficient legal basis

The plaintiff opposed this. He argued that his data was processed without sufficient legal basis because using real data during the test phase was not necessary and thus violated the principles of data minimization and purpose limitation according to Art. 5 GDPR. Moreover, the processing was not covered by the existing company agreement. He claimed compensation for non-material damages due to a violation of the GDPR according to Art. 82 Para. 1 GDPR.

After the lower courts dismissed his suit, it finally reached the Federal Labor Court. Initially, the Federal Labor Court referred the matter to the European Court of Justice. The ECJ clarified with its ruling of December 19, 2024, that data processing provisions in a company agreement must comply with the requirements of the GDPR. The Federal Labor Court concurred with this jurisprudence and decided that the plaintiff was entitled to compensation for damages.

The application of relevant articles of the GDPR and state data protection laws is of central importance for the tasks and fulfillment of duties of authorities and the protection of affected citizens and users in all cases. Measures for data collection and the protection of personal data on the internet must also be implemented with regard to transparency to the public.

Claim for non-material damages

The employer had provided more data to the parent corporation than permitted by the company agreement. This was not necessary and constituted a violation of the GDPR, the Federal Labor Court made clear. Through the transfer of personal data to the parent corporation, the plaintiff lost control over his data and thus suffered non-material damage, the Federal Labor Court further clarified.

The ruling shows that data transfer within a corporate group should always be examined concerning data protection law. The data protection requirements of the GDPR must be fully observed. This includes, in particular, the principles of data minimization, purpose limitation, and transparency.

Implementing suitable measures and consistently applying the GDPR and relevant articles are essential for protecting affected parties, such as citizens and users, and for fulfilling the tasks and duties of authorities in all cases. This includes data collection on the internet, compliance with state data protection laws, and transparency towards the public.

Requirements for processing personal data in employment

In principle, the processing of personal data in the employment relationship is only permissible if there is a corresponding legal basis. This applies, for example, if data processing is necessary to fulfill the employment contract. Beyond that, data processing is permissible if the employee has given consent. It is important that the consent is given voluntarily, is specific, and can be revoked. Data processing can also be permissible if the employer can demonstrate a legitimate interest in safeguarding the security of the company, and there are no overriding interests or fundamental rights of the employee opposing it.

The judgment of the Federal Labor Court underscores the importance of handling employee data responsibly and the need to integrate data protection aspects early and comprehensively into operational processes.

MTR Legal Rechtsanwälte advises on employment law and data protection law.

Please feel free to contact us!

The application of the GDPR and relevant articles, as well as the implementation of suitable measures for data collection on the internet and compliance with state data protection laws, are of central importance for the protection of affected parties, citizens, and users, as well as for fulfilling the tasks and duties of authorities in all cases and towards the public.
