The GDPR defines a group of undertakings as 'a controlling undertaking and its controlled undertakings'. Where the processing is carried out by a group of undertakings, the main establishment of the controlling undertaking should be considered to be the main establishment of the group of undertakings, except where the purposes and means of processing are determined by another undertaking.
Controllers that are part of a group of undertakings may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data.
The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected. A group of undertakings should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
In your app's data mapping, where your legal basis for transfers outside the EU is 'binding corporate rules', you will be linked to the appropriate EC site, which provides all details necessary for the establishment and approval of your organisation's Binding Corporate Rules.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018