GDPR compliance in corporate groups is one of the most demanding organisational challenges in data protection. Each company within a group is a separate legal entity — and therefore, as a rule, a separate data controller under GDPR. You cannot manage compliance centrally as if the entire group were a single organisation, yet the cost and effort of managing each entity individually can quickly become unmanageable.
In practice, the questions most frequently asked by those responsible for GDPR in multi-entity structures are:
- Does each company need its own record of processing activities?
- When are group companies controllers in relation to each other, and when are they processors?
- Can a single DPO be appointed for the entire group?
- How do you manage GDPR documentation across several or dozens of entities simultaneously?
This article answers each of those questions practically.
GDPR corporate groups — each company is a separate controller
The foundational rule is straightforward: every legal entity in a corporate group is a separate data controller within the meaning of Article 4 GDPR. Each company independently determines the purposes and means of processing personal data — and independently bears responsibility for compliance.
In practice this means:
- each company maintains its own record of processing activities,
- each company fulfils its own information obligations towards the individuals whose data it processes,
- each company is responsible for personal data breaches within its own scope,
- fines imposed by supervisory authorities may be issued against each company separately.
A common mistake is assuming that a single GDPR implementation at the level of the parent company somehow “covers” the entire group. This approach does not satisfy the requirements of the regulation.
Data flows within the group — controller or processor?
One of the most frequent practical problems in corporate groups is determining the basis on which companies exchange personal data with each other, and in what capacity.
Three scenarios are possible:
Scenario 1 — Company A as processor for Company B. If one company processes data on behalf of and under the instructions of another, it acts as a data processor. This requires a data processing agreement under Article 28 GDPR. A typical example: a group headquarters providing centralised HR and payroll services to subsidiaries.
Scenario 2 — Joint controllership. If two or more companies jointly determine the purposes and means of processing the same personal data, they become joint controllers within the meaning of Article 26 GDPR. This requires a joint controllership arrangement and informing data subjects about it. A typical example: a shared customer database or a shared CRM platform used across the group.
Scenario 3 — Separate, independent processing. If two companies process data independently for different purposes, each is an independent controller with no additional agreements required between them — provided any transfer of data between them rests on an appropriate legal basis.
For every data flow within the group it is essential to clearly establish which scenario applies and to document this in the record of processing activities of each entity concerned.
A single DPO for the entire group — is it possible?
Yes — GDPR explicitly permits the appointment of a single Data Protection Officer for a group of undertakings, provided the DPO is easily accessible from each establishment (Article 37(2) GDPR).
In practice this means the DPO may serve the entire group centrally, but must:
- be accessible to employees and data subjects across all entities,
- monitor GDPR compliance in each company separately,
- maintain documentation that reflects the specific circumstances of each entity,
- be formally designated by each company that is legally required to appoint a DPO.
Appointing a single DPO for the group does not mean documentation can be merged into one document. Each company still requires its own record of processing activities, its own privacy notices, and its own risk assessments.
Binding Corporate Rules — for whom and when
If a corporate group operates across multiple countries and transfers personal data between entities located outside the European Economic Area, one mechanism for ensuring the lawfulness of those transfers is Binding Corporate Rules (BCR).
BCR are an internal data protection policy approved by a supervisory authority, binding on all entities within the group. This is a comprehensive solution but a demanding one — the approval process is multi-stage and time-consuming. BCR are primarily relevant for large, international groups.
For groups operating entirely within the EEA, internal transfers between group companies do not require BCR — properly identifying the legal basis and putting appropriate agreements in place between entities is sufficient.
Managing GDPR documentation across multiple entities simultaneously
This is the greatest operational challenge in corporate groups. Managing GDPR across several companies using spreadsheets or separate files for each entity is inefficient, error-prone, and difficult to sustain over time.
The key areas requiring coordinated management are:
Records of processing activities — each company maintains its own record, but many processing activities share a similar structure across the group (e.g. HR, supplier management, CCTV). Standardising templates and shared dictionaries significantly accelerates the work.
Processing agreements and joint controllership arrangements — the number of agreements grows proportionally with the number of entities and their interrelationships. Without a central register it becomes difficult to track expiry dates and the scope of each agreement.
Data processing authorisations — employees of different group companies may have access to shared systems. Managing authorisations without a central tool quickly becomes unmanageable.
Risk assessments — each company should have a completed risk assessment for its processing activities. Across the group, many activities are similar — standardising the assessment methodology is both possible and advisable.
Personal data breaches — each company has its own obligation to report breaches. A central incident register enables consistency and timely reporting.
GDPR in corporate groups and outsourced DPO services
Many corporate groups — particularly those where subsidiaries are relatively small — choose to outsource the DPO function to an external provider. Law firms, consultancies, and specialist data protection providers can serve as DPO for multiple companies simultaneously.
In this model, the external provider manages documentation for several or dozens of data controllers in parallel — which demands a system capable of handling multiple controllers efficiently in one place.
Summary
GDPR in corporate groups requires an approach that combines central coordination with respect for the legal independence of each entity. There is no single GDPR document that covers the entire group — but standardising methodology, templates, and tools across the group is both possible and strongly advisable.
Key principles:
- each company is a separate controller and maintains its own record of processing activities,
- data flows within the group require processing agreements or joint controllership arrangements,
- a single DPO can serve the entire group but must be accessible to every entity,
- managing documentation across multiple entities simultaneously requires a system that supports multiple controllers in one place,
- BCR are an option for groups with transfers outside the EEA — for European groups, properly structured agreements are sufficient.
Manage GDPR across multiple entities — all in one system
iGDPR supports multiple data controllers within a single system. Each entity has its own record, documentation and risk assessments — managed from one panel. Pricing is based solely on the number of controllers, not on features. See how it works in practice.