The question that we at the DPO Centre spend a lot of our time answering for our clients, in one way or another, is “How does the GDPR affect my business?” The answer varies significantly with a number of factors: industry sector, organisation size, the amount and types of personal data being processed, and so on.
An important factor that often gets overlooked when considering this question is company structure. Depending on how your company is structured, some of the rules within the GDPR (both the UK GDPR and the EU GDPR, Regulation (EU) 2016/679) apply differently, and so your organisation’s responsibilities will differ. In this blog, we discuss several company structures that exist in the UK and how data protection regulations apply to each.
Sole traders
Sole traders are self-employed individuals who are wholly responsible for their business and its debts. They are therefore entitled to keep all of the profits as income and are liable to pay tax and National Insurance through self-assessment tax returns.
When the EU GDPR first came into effect back in 2018, there was a widespread misconception that it didn’t apply to small businesses. The truth is that sole traders, like other small businesses, still have data protection obligations that they must comply with. In practice, however, they carry fewer obligations than larger organisations. One example is the Data Protection Officer: the duty to appoint a DPO depends on what processing is carried out (public-authority functions, large-scale monitoring, or large-scale special category data), not on company size, and a sole trader will very rarely meet those thresholds.
It is also worth noting that, when it comes to marketing, under the UK’s Privacy and Electronic Communications Regulations 2003 (PECR) the more relaxed rules that usually apply to B2B marketing do not apply when marketing to sole traders. For direct marketing by electronic mail (email and SMS), PECR treats sole traders as individual subscribers, not as businesses; the same is true of unincorporated partnerships outside Scotland. In other words, when emailing or texting a sole trader you cannot rely on the corporate subscriber exception, and you cannot justify the message on Legitimate Interests alone: you need the individual’s consent, unless the narrow ‘soft opt-in’ for existing customers applies. Legitimate Interests may still be an appropriate lawful basis for other channels, such as postal marketing, where PECR does not require consent.
To help sole traders navigate their data protection obligations, the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for the UK GDPR, the Data Protection Act 2018 and PECR, has created an SME web hub with advice relevant to small organisations. It has also created a self-assessment tool, developed with small businesses and sole traders in mind, to help improve their understanding of the UK GDPR and how to keep people’s information secure. The self-assessment is available on the ICO website.
Partnerships, Limited Liability Partnerships and Limited companies
Partnerships involve two or more persons who share responsibility for the business while each retaining self-employed status. They share the risk, cost, responsibility and profits of running the business.
LLPs are similar to partnerships, but each member’s liability is limited to the amount they have invested. They must also be registered at Companies House and with HMRC.
Limited companies are owned by their shareholders and run by their directors. Here the company is a legal person in its own right: it is responsible for its own liabilities and is separate from its owners.
When it comes to data protection obligations for these types of business, things are more straightforward in that no special rules apply. All must follow the rules laid out in the UK and EU GDPRs and any other relevant data protection legislation, but how those rules apply will be influenced by other things such as industry sector and the types of processing carried out. One practical difference from sole traders is that limited companies and LLPs are corporate subscribers under PECR, so the B2B marketing rules do apply to them.
Franchises
Franchise arrangements vary between ‘traditional’ and ‘business format’ franchises. Business format franchises are the most common, with well-known brands like McDonald’s, Subway and Marriott Hotels all using franchising as a way to spread their reach worldwide. There are several different types of franchise, but all involve a franchisee paying a franchisor to establish their own business using the franchisor’s trade name and business operating system.
Whilst there aren’t any data protection rules that apply specifically to franchises, the key point to remember is that franchisors and franchisees are separate businesses. As such, where personal data is transferred between them, there need to be contractual arrangements in place to ensure it is handled appropriately. This will be either a Data Processing Agreement (DPA), where one party processes the data only on the other’s instructions as its processor (the Article 28 contract), or a Data Sharing Agreement (DSA), a written agreement between controllers that defines the purpose and lawfulness of the sharing and sets the roles and standards for the processing (security, re-use and onward sharing). Which one is appropriate depends on the purpose of the sharing and on each party’s role in the processing.
It is vital to remember that being a franchisor does not automatically grant you permission, in data protection terms, to access the personal data collected by a franchisee, even if the franchise agreement says so. A lawful basis must still be identified, and data subjects should be informed through appropriate privacy notices that the sharing is taking place.
In addition, if transfers between franchisees, or between franchisor and franchisee, cross borders, there has to be an appropriate transfer mechanism in place. For transfers from the EU or EEA to a third country this is typically the EU Standard Contractual Clauses (SCCs); for transfers from the UK it is the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.
Holding/Parent companies and Subsidiaries
Holding companies are organisations that own one or more other companies, known as their subsidiaries. For example, Virgin Group Holdings Limited is the holding company for Virgin Money, Virgin Atlantic and Virgin Mobile, to name but a few. A holding company’s main purpose is to hold the ‘controlling stake’ in a company (more than half of the shares).
Parent companies are in effect the same as holding companies, but whereas a holding company’s entire purpose is to own other companies, a parent company also functions as a business in its own right. This structure allows a group to bring together multiple smaller businesses whilst limiting the shared liability for any problems one of them may face.
As both holding and parent companies are likely to be majority shareholders of their subsidiaries, they usually control the majority of the voting rights. This gives them the power to effectively control the management of the subsidiaries, despite those being separate legal entities.
As with franchises, appropriate contractual arrangements must be in place to allow the sharing of personal data between a subsidiary and its holding/parent company. This could be a standard DSA or DPA, or an intra-group data transfer agreement. Likewise, appropriate transfer mechanisms will need to be considered where the sharing is international and, for large corporate groups, Binding Corporate Rules (BCRs) may be an option: a set of data protection policies, approved by the supervisory authority, that provide adequate safeguards for restricted transfers within a group of undertakings, provided both sender and receiver are bound by them.
Although holding/parent companies are separate legal entities from their subsidiaries, the fact that they hold the majority of the voting rights and, in effect, control their subsidiaries matters for data protection. Joint controllership under Article 26 turns on who actually determines the purposes and means of processing, not on the corporate boundary, so where the parent directs what its subsidiaries do with personal data a supervisory authority may well treat it as a joint controller of that processing; this is especially likely where the parent holds 100% of the shares. It is therefore possible that a parent/holding company could be held liable for a data breach or other act of non-compliance by its subsidiary.
In addition, if a subsidiary is found to have breached data protection legislation, the parent/holding company’s own turnover can be taken into account when a supervisory authority calculates the fine. This was set out by the Article 29 Working Party in its guidelines on applying administrative fines under the EU GDPR: “the concept of an undertaking is understood to mean an economic unit, which may be formed by the parent company and all involved subsidiaries”. Since the upper tier of fines is 4% of the undertaking’s total worldwide annual turnover (or €20 million, whichever is higher; £17.5 million under the UK GDPR), this matters a great deal. So whilst this corporate structure is intended to limit the holding company’s liability, it does not insulate the group from a very large fine being levied for a subsidiary’s breach.
Conclusion
Whilst, with the partial exception of sole traders, the requirements to comply with the EU and UK GDPR are essentially the same for all types of company, certain compliance obligations require more careful consideration by some than by others. Most notably, organisations that have a close relationship with other companies, whether as part of a franchise or a company group, need to think carefully about how they share data across company lines.
Whatever form your company takes, The DPO Centre can provide you with the help and support required to meet your compliance obligations. To find out how we can help, visit our services page.