Introduction
Audits are a common means of monitoring a company’s compliance with legal requirements (e.g., exigencies deriving from data protection law, tax law, criminal law, environmental law, social law, etc.), on the one hand, and internal group policies (e.g., relating to the administration of personnel files, IT security, business entertainment and gifts, prevention of corruption, etc.), on the other. In groups of companies, such audits are often performed by specialized group companies or even the parent company (hereafter “Group Auditor”).
While the general regulatory framework of such audits is comprehensively discussed, their privacy implications are frequently overlooked. Privacy implications are triggered, inter alia, by the Group Auditor’s access to and (international) transfer of employee and customer data, especially to the extent sensitive data according to Sec. 3 (9) of Germany’s Federal Data Protection Act (hereafter “FDPA”) are concerned.
This article discusses the implications of centrally organized audits under the FDPA, and suggests a possible contractual solution for ensuring their compliance with the FDPA.
Privacy Implications of Centrally Organized Compliance Audits
On the occasion of a compliance audit, the Group Auditor either gains access to the data on the company’s premises or the company transfers the data to the Group Auditor. From a data privacy point of view, both measures (i.e., granting access to the relevant data or transferring them) are relevant and require permission according to Sec. 4 (1) FDPA.
In the light of Sec. 3 (7) FDPA, the company audited acts as controller of the personal data, having collected the data for its own purposes. According to Sec. 3 (4) no. 3 lit. a and lit. b FDPA, both disclosure through transmission to or disclosure through inspection by a third party constitute a transfer and thus a processing of personal data. The Group Auditor is a third party in terms of Sec. 3 (8) FDPA. The exemption contained in Sec. 3 (8) FDPA relating to intra-EU recipients does not apply, as it only comprises data recipients that act as processors on behalf of the controller. The intra-EU data processor is regarded as being part of the controller, since, according to Sec. 3 (7) FDPA, “controller” means any person or body collecting, processing or using personal data on its own behalf or commissioning others to do the same. However, the Group Auditor is not bound by the company’s instructions, but rather assumes an independent function by ensuring the compliance of all group companies, and therefore qualifies as data controller.
The thus defined processing of personal data requires permission in the light of Sec. 4 (1) FDPA. Such permission can be drawn from a declaration of consent by the data subjects or from a statutory permission or a law permitting or requiring the processing. An intra-group exemption for disclosures of personal data does not exist under German privacy law.
Permission by the data subjects’ consent is not conceivable. According to the prevailing opinion, an employee cannot give voluntary consent due to his dependency on his employer. Customer consent alone, though legally viable, would not allow for a comprehensive compliance audit.
However, the centrally organized compliance audit’s admissibility might be based on Sec. 28 (1) first sentence no. 2 FDPA, whereby the collection, storage, modification or transfer of personal data or their use as a means of fulfilling one’s own business purposes shall be admissible insofar as this is necessary to safeguard justified interests of the company and there is no reason to assume that the data subjects have overriding legitimate interests in their data being excluded from processing or use.
Particular problems arise, as Sec. 28 (6) FDPA states that, in the absence of consent, the processing of sensitive data (technically referred to as “special categories of data” in Sec. 3 (9) FDPA, i.e., information on a person’s racial and ethnic origin, political opinions, religious or philosophical convictions, union membership, health or sex life) shall be admissible only in a very limited number of situations. Sec. 28 (6) FDPA thus does not contain a statutory permission comparable to Sec. 28 (1) first sentence no. 2 FDPA. The list of statutory permissions contained in Sec. 28 (6) FDPA would hardly render the transfer of sensitive data admissible in the context of compliance audits. However, a compliance audit without the Group Auditor’s access to sensitive data, e.g., contained in the employees’ personnel files, is not conceivable.
It has to be noted that German data protection authorities have considered the transfer of personnel files containing sensitive data to extra-EU data providers admissible using Sec. 28 (1) first sentence no. 2 FDPA and following the same requirements, since Sec. 28 (6) FDPA was not designed to prevent the transfer of sensitive data as long as such transfer occurred within the framework of the general employment law-related data protection rules. This reasoning can be applied to the situation of centrally organized compliance audits as well, at least to the extent sensitive employee data are concerned. In the light of the non-existence of a sufficient statutory permission for the transfer of sensitive data mirroring the needs of groups of companies and the general non-acknowledgement of voluntary employee consent, any other solution would render centrally organized compliance audits inadmissible.
In the weighing of interests on the grounds of Sec. 28 (1) first sentence no. 2 FDPA, the recourse to an external auditing department provided by the Group Auditor represents a legitimate interest. However, the centrally organized compliance audit is justified only insofar as the disclosure of personal data is necessary to achieve the auditing purposes and purpose limitation according to Sec. 28 (5) FDPA is ensured.
Some German data protection authorities have requested a contractual framework, which can be provided by concluding a Privacy Agreement that offers a contractual determination of the parties’ purposes and reflects the legal privacy requirements (hereafter “Privacy Agreement”).
An appropriate basis for such Privacy Agreement is provided by the privacy principles contained in Annex A to European Commission Decision 2004/915/EC, which contains an alternative set of standard contractual clauses for the transfer of personal data to third countries.
Structure and Contents of a Privacy Agreement in Compliance with German Privacy Law
The following illustrates the potential content and structure of a Privacy Agreement based on Annex A of the Standard Contractual Clauses Set II as contained in Commission Decision 2004/915/EC.
By way of introduction, each of the parties has to be named and defined as controller of the personal data transferred. The denominations “Data Exporter” and “Data Importer” used by the standard contractual clauses can be employed.
Purpose Limitation (Sec. 1 of Annex A)
As provided for in Sec. 1 of Annex A, the Privacy Agreement has to safeguard that all data transferred may be processed and subsequently used or further transferred only for the purposes described in the agreement itself, e.g., in an annex:
Data subjects in respect of this Privacy Agreement are:
- employees of the Data Exporter and persons applying for employment with the Data Exporter;
- employees of customers of the Data Exporter; and
- other natural persons whose personal data have been lawfully collected by the Data Exporter.
Data in respect of this Privacy Agreement is personal data belonging to one of the following categories of lawfully collected data:
- contact data;
- information relating to the arrangement and accomplishment of the employment relationship;
- information relating to the customer relationship;
- information relating to performances provided; and
- information relating to crimes and administrative offenses committed (insofar as this information has been collected by compliance audits, e.g., to prevent corruption).
Purposes in respect of this Privacy Agreement are the following:
Monitoring and review by the Data Importer of whether the Data Exporter meets
- all requirements of applicable law (e.g., data protection law, tax law, criminal law, environmental law, social law);
- internal group regulations (e.g., regulations relating to the administration of personnel files, training and instruction, IT security, business entertainment and gifts, and prevention of corruption); and
- sensitive data as defined by Sec. 3 (9) of the FDPA.
Whereas Sec. 1 of Annex A provides an exemption to the purpose limitation where the data subject has authorized the processing for other purposes, in the context of centrally organized compliance audits it appears preferable to substitute the data subject’s approval with the company’s authorization, as the audit management will typically not include direct communication between the Group Auditor and the data subjects:
The personal data transferred by the Data Exporter may be processed and subsequently used or further transferred only for the purposes described in the Exhibit or subsequently authorized by the Data Exporter in a legally effective manner.
Data Quality and Proportionality (Sec. 2 of Annex A)
To ensure data quality and proportionality in the context of centrally organized compliance audits, the wording of Sec. 2 of Annex A can be included in the Privacy Agreement:
Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
To provide for situations in which the Group Auditor might collect additional data to achieve its monitoring purposes, the above-mentioned clause should be amended accordingly.
Transparency (Sec. 3 of Annex A)
Sec. 3 of Annex A contains adequate wording to ensure data transparency. Further exemptions to the obligation to inform the data subjects may be included, for example, in cases where the data subjects have already obtained sufficient information otherwise or where legal provisions require non-disclosure:
The data subjects must be provided with information about all circumstances regarding data utilization necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless (i) such information has already been given, (ii) it can be reasonably assumed that data subjects have already disposed of the information or (iii) a legal exception applies.
Security and Confidentiality (Sec. 4 of Annex A)
Data secrecy has to be provided for according to Sec. 4 first sentence of Annex A:
The parties shall take technical and organizational measures that are appropriate to the risks presented by the processing, such as protection against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (“Data Security Measures”). Data Security Measures have to be adapted to technical and organizational advancement during the term of the agreement. Substantial changes have to be notified to the Data Exporter in written form.
Pursuant to Sec. 4 second sentence of Annex A, purpose limitation as provided for in correspondence with Sec. 1 of Annex A (see above) has to be secured for each person acting under the authority of the Group Auditor. Moreover, Sec. 5 FDPA asks for the Group Auditor’s personnel to be obliged to data secrecy:
Any person acting under the authority of the Data Importer, including a processor, must not process the personal data transferred by the Data Exporter except on instructions from the Data Importer. The Data Importer shall ensure that any personnel under his responsibility that may have contact with personal data transferred by the Data Exporter have undertaken to comply with the principle of data secrecy.
Equal provisions as those contained in the Privacy Agreement have to apply where the Group Auditor engages a subcontractor:
Where the Data Importer engages subcontractors to achieve the purposes described in this Agreement, he must ensure that they are duly selected and audited, paying particular attention to the technical and organizational measures taken by the subcontractors. The Data Importer shall be obliged to pass on his contractual obligations hereunder to such subcontractors.
Rights of Access, Rectification, Deletion and Objection (Sec. 5 of Annex A)
Sec. 5 of Annex A provides for the data subjects’ rights of access, rectification, deletion and objection relating to their personal data and the processing by the Group Auditor:
The data subjects have the right to obtain, either directly or via a third party, access to the personal data about them that the Data Importer holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the Data Exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the Data Importer or other organizations dealing with the Data Importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject.
The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the data subject would be violated, unless the data subject has an overriding interest warranting protection.
The data subjects must be able to have the personal data about them rectified, amended, or deleted where it is inaccurate or processed against the provisions of this Agreement. If there are compelling grounds to doubt the legitimacy of the request, the organization may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the personal data have been disclosed need not be made when this involves a disproportionate effort. Instead of erasure, personal data shall be blocked insofar as (i) preservation periods prescribed by law, statutes or contracts rule out any erasure, (ii) there is reason to assume that erasure would impair legitimate interests of the data subject or (iii) erasure is not possible or is only possible with disproportionate effort due to the specific type of storage.
The data subjects must also be able to object to the processing of the personal data relating to them if there are compelling legitimate grounds relating to their particular situation. The burden of proof for any refusal rests on the Data Importer, and the data subjects may always challenge a refusal before the authority.
To ensure the enforcement of the data subjects’ above-mentioned rights, another related provision has to be included in the Privacy Agreement:
The Data Exporter remains the universal contact person for the data subjects relating to the personal data transferred to the Data Importer (in particular regarding employee data). The data subject shall be entitled to enforce his/her rights of access, correction, erasure and objection regarding data stored by the Data Importer also against the Data Exporter. In this case the Data Importer assists the Data Exporter in meeting the justified claims of data subjects.
Sensitive Data (Sec. 6 of Annex A)
As sensitive data require special precautions against the dangers arising from the processing, Sec. 6 of Annex A provides:
The Data Importer shall take such additional measures (
Additional Provisions
If automated decisions are effected by either party to the Privacy Agreement, a contractual clause corresponding to Sec. 8 of Annex A would have to be included. Further clauses might relate to 1) the right to terminate the Privacy Agreement, 2) the requirements for subsequent changes and amendments to the Privacy Agreement, 3) consequences of a part of the Privacy Agreement being void or 4) the primacy of one of the language versions of the Privacy Agreement in case the Privacy Agreement is used in a multilingual version.
Conclusion and Outlook
Centrally organized compliance audits require a contractual framework ensuring their compliance with applicable data protection law. This can be provided for by concluding Privacy Agreements based upon the data processing principles contained in Annex A to the alternative set of standard contractual clauses for the transfer of personal data to third countries (Commission Decision 2004/915/EC).
This proposed solution provides an adequate framework for compliance audits if a Group Auditor situated within the European Union or another country with an adequate level of data protection performs the compliance audit. However, if the Group Auditor is situated in a third country, the parties additionally have to make sure that the Data Importer provides for an adequate level of data protection as per Directive 95/46/EC.
Prof. Dr. Michael Schmidl is a Partner with Baker & McKenzie, Munich, and a member of the World Data Protection Report Editorial Board. Uta Kühn is an Associate with Baker & McKenzie, Munich. The authors may be contacted at michael.schmidl@bakermckenzie.com and uta.kuehn@bakermckenzie.com.