The Interplay of EU Data Protection Roles within Groups of Undertakings

Bahm, Nicolás

The Interplay of EU Data Protection Roles within Groups of Undertakings

Mark

Bahm, Nicolás ^LU (2022) JAEM03 20221
Department of Law
Faculty of Law

Abstract: The GDPR is the EU’s latest instalment in the attempt to establish a harmonised data protection regime across the Union, something that started over 25 years ago with the Data Protection Directive. And although a milestone in European legislation for placing the respect for fundamental rights of individuals above the interests of powerful economic groups, it still has left some aspects not fully regulated.
From the perspective of a group of undertakings operating across several Member States and processing personal data, the imposition of responsibilities introduced at EU level has presented new challenges for their business operations and the need to take considerable measures to ensure compliance.
This work finds that, in the context... (More); The GDPR is the EU’s latest instalment in the attempt to establish a harmonised data protection regime across the Union, something that started over 25 years ago with the Data Protection Directive. And although a milestone in European legislation for placing the respect for fundamental rights of individuals above the interests of powerful economic groups, it still has left some aspects not fully regulated.
From the perspective of a group of undertakings operating across several Member States and processing personal data, the imposition of responsibilities introduced at EU level has presented new challenges for their business operations and the need to take considerable measures to ensure compliance.
This work finds that, in the context of groups of undertakings operating in the EU, the regime introduced by the GDPR may conflict with classic company law structures and the principle of separate legal personality, making it hard to identify which entity is finally responsible for compliance in relation to the processing activities. Considering also that these activities take place across several Member States, this may not only determine which national authority should enforce the regulatory compliance, but also hinder the possibilities of the data subjects when executing their rights. In this context, the lack of clear rules at EU level opens several interpretational possibilities in relation to which entity within a group is finally responsible for the data protection obligations.
This thesis attempts to understand which entity within a group of undertakings may be ultimately responsible for complying with the EU data protection legislation, while also identifying and analysing potential contradictions and conflicts between the responsibilities allocated by the GDPR and existing concepts of company law. (Less)

Please use this url to cite or link to this publication: http://lup.lub.lu.se/student-papers/record/9083656

author

Bahm, Nicolás ^LU

supervisor

Eduardo Gill-Pedro ^LU

organization

course

JAEM03 20221

year

2022

type

H2 - Master's Degree (Two Years)

subject

Law and Political Science

keywords

GDPR, Group of Undertakings, Data Protection, Company Law, Company Groups

language

English

id

9083656

date added to LUP

2022-06-13 10:52:02

date last changed

2022-06-13 10:52:02

@misc{9083656,
  abstract     = {{The GDPR is the EU’s latest instalment in the attempt to establish a harmonised data protection regime across the Union, something that started over 25 years ago with the Data Protection Directive. And although a milestone in European legislation for placing the respect for fundamental rights of individuals above the interests of powerful economic groups, it still has left some aspects not fully regulated.
From the perspective of a group of undertakings operating across several Member States and processing personal data, the imposition of responsibilities introduced at EU level has presented new challenges for their business operations and the need to take considerable measures to ensure compliance.
This work finds that, in the context of groups of undertakings operating in the EU, the regime introduced by the GDPR may conflict with classic company law structures and the principle of separate legal personality, making it hard to identify which entity is finally responsible for compliance in relation to the processing activities. Considering also that these activities take place across several Member States, this may not only determine which national authority should enforce the regulatory compliance, but also hinder the possibilities of the data subjects when executing their rights. In this context, the lack of clear rules at EU level opens several interpretational possibilities in relation to which entity within a group is finally responsible for the data protection obligations.
This thesis attempts to understand which entity within a group of undertakings may be ultimately responsible for complying with the EU data protection legislation, while also identifying and analysing potential contradictions and conflicts between the responsibilities allocated by the GDPR and existing concepts of company law.}},
  author       = {{Bahm, Nicolás}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{The Interplay of EU Data Protection Roles within Groups of Undertakings}},
  year         = {{2022}},
}

LUP Student Papers

LUND UNIVERSITY LIBRARIES

The Interplay of EU Data Protection Roles within Groups of Undertakings