Do you need to obtain the data subject’s consent when transferring personal data within a corporate group in the UK?
In the UK, the Data Protection Act 1998 (DPA) primarily governs the collection and use of personal data, with the Office of the Information Commissioner (ICO) responsible for its enforcement. Practically speaking, any business operating in the UK which holds information about any individuals (eg employees, customers or anyone else) is affected by the DPA. Breaches of data protection laws can result in civil and/or criminal liability with the added consequence of adverse publicity.
Data Control and Processing
Obligations under the DPA fall on the ‘data controller’, being the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For example, a company will be the controller of the data that is processed in respect of its employees or customers. An entity may be a data controller even if the information concerned is held by a third party (for example regarding employee information where the administration of the payroll function has been outsourced to a third party).
Companies in the same group may use the same information but for different purposes, and could therefore be different data controllers or data processors depending on what they do with the data. It is possible to have more than one data controller even with respect to the same data. A transfer of personal data from one group company to another would therefore normally constitute an act of data processing to which the DPA applies.
“Processing” is very widely defined and as a result it is easy to fall within the category of a data processor. A data processor processes personal data only on behalf of a data controller (eg a third party to whom the payroll administration function is outsourced would usually be a data processor). The DPA does not impose obligations directly on a data processor, but it does require the data controller to pass on obligations to the data processor.
Schedule 1 of the DPA sets out the eight data protection principles that data controllers must comply with. Under the first principle, data controllers must ensure that all personal data is processed fairly and lawfully. Accordingly all processing must be based on one of the legal grounds set out in Schedule 2 of the DPA and the consent of the data subject is one of those grounds. However, in the absence of consent it may be possible to rely on the following:
the intra-group transfer is necessary to perform a contract with the individual, or for taking steps to comply with a request made by the individual with a view to entering into a contract (for example, to meet orders placed by the individual, to process a job application or to administer employee pensions or payroll)
the intra-group transfer is necessary to comply with a legal obligation of the data controller (other than a contractual obligation), and
the intra-group transfer is necessary for the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
The consent of the data subject is therefore not always required for an intra-group transfer of personal data within the UK provided that the transfer is justified by one of the other legal grounds.