Responding to security incidents occurring in systems administered at the capital group level – a GDPR-compliant approach

chhandoar99
Posts: 5
Joined: Tue Oct 21, 2025 10:38 am


Post by chhandoar99 »

In today's digital world, where companies operate within international capital groups, managing personal data security is becoming increasingly complex. This publication aims to provide insight into responding to personal data security incidents when IT systems are centrally administered by a parent company (usually based abroad), and the users and data controllers are subsidiaries or local branches.

Legal context – GDPR basics
Under the General Data Protection Regulation (GDPR), every organization processing personal data must ensure its security. Article 32 of the GDPR requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Furthermore, pursuant to Article 33 of the GDPR, in the event of a personal data breach, the Data Controller is obliged to report the incident to the supervisory authority within 72 hours of becoming aware of the breach and, in certain cases, to inform the data subjects.

Under the GDPR (Articles 32 and 33), the Data Controller—usually a local company—is responsible for ensuring the security of personal data and for reporting a breach to the supervisory authority within 72 hours of its detection. However, problems arise when systems are centrally managed by the parent company, and the local unit does not have access to logs, does not see incidents in a timely manner, and cannot implement security measures independently. This means that while formal responsibility rests with the local Controller, in practice it lacks the tools to fulfill its obligations under the GDPR.

This situation may lead to real violations of the regulation:

• Reporting the incident too late because the special database headquarters did not provide the information on time – which violates the 72-hour deadline of Article 33 of the GDPR.

• Failure to implement appropriate security measures, because the local company has no influence on the system configuration, even though it should provide them in accordance with Article 32.

• Lack of transparency towards data subjects if the local Administrator does not know the scale of the breach and cannot reliably inform the injured parties.

• Lack of a valid processing entrustment agreement when the relationship with the headquarters has not been formally regulated – which means that the data is processed without a legal basis.

As a result, a local company, although subordinated to the decisions of the headquarters, may be held liable for violating regulations over which it de facto had no influence.

Who is who in the structure of the capital group?

In practice, we often encounter the following balance of power within capital groups and the IT systems used:

• Subsidiary company / local branch – acts as the Controller of personal data, as it decides on the purposes and means of data processing;

• The parent company (foreign) – provides and manages IT systems for the entire group. In this case, it generally acts as the Processor, as it processes data on behalf of its subsidiaries.

According to the GDPR definition, the Controller decides on the purposes and methods of data processing. However, in practice, within corporate groups, this role is often limited. The parent company – as the system provider – imposes specific technological solutions that are already permanently integrated into the group's business model. Consequently, local companies have no real option to choose an alternative data processing method, as their operations depend on the use of specific IT systems.

As a result, the Controller's task often comes down to accepting pre-defined processing goals and methods, which are de facto already defined by functionalities imposed by headquarters. A good example of this phenomenon are corporate HR, ERP, and CRM systems, whose structure, data flows, integrations, and security mechanisms are designed and implemented at the parent company level, with no room for modification by subsidiaries.

Example 1: A local company uses a headquarters-implemented HR system that automatically collects employee biometric data upon entering the office. Although local regulations require consent for such processing, the company has no technical means of disabling this feature without headquarters' approval.

Example 2: The headquarters mandates the use of a cloud-based CRM platform whose data retention policy does not address local regulations on personal data archiving. The local administrator has no influence on the platform's configuration, although they are responsible for compliance with local law.

The biggest challenges and problems

A. Delayed communication

In the event of a security incident (e.g., data leak, unauthorized access, system failure), the subsidiary – as the Controller – often learns of it with a delay. Why? Because:

• The main company has access to system logs;

• It analyzes network traffic and incidents;

• There is a lack of clear and quick reporting channels to local companies;

Example: In a centrally managed HR system by a parent company, unauthorized access to employee profiles occurs via a technical administrator account. The local company only learns of the breach a week later, when an employee notices suspicious activity.

B. Limited decision-making power of the Administrator

The data controller should have control over how data is processed. In the meantime:

• There is no complete knowledge of system configuration.

• Cannot react independently (e.g. block accounts, change settings).

• Must wait for the Processor to respond.

Example: A vulnerability exists in the sales system, allowing unauthorized individuals to view customer data. A local company cannot apply the security patch itself – it must report the issue to headquarters and wait several days for the patch to be implemented.

C. Lack of data processing agreement (or its incompleteness)

It sometimes happens that a corporate group lacks a formal Data Processing Agreement (DPA), or it is too general. What are the consequences?

• Lack of guidelines for reporting incidents.

• No penalties for delayed response.

• Difficulties in enforcing obligations.

Example: Customer data is exposed at a company due to a CRM system integration error. It's unclear who is responsible for reporting the incident – the local company doesn't have access to full login details, and the headquarters doesn't treat the situation as a breach, leading to the failure to report the incident to the supervisory authority.

D. Cultural and linguistic differences

Cooperation between the head company and local branches can be difficult due to language differences and lack of knowledge of local law and business customs.

Example: The head office in Asia sends technical incident notifications in a format and language incomprehensible to European branches, which results in the local Administrators not responding for several hours.

E. Lack of consistency in incident assessment and limited access to information

A common problem in corporate groups is that subsidiaries receive only limited information about incidents, often in the form of official statements prepared by headquarters. This results in:

• Difficulties in making an independent risk assessment.

• No access to technical documentation and logs.

• The need to adapt the content of the notification to PUODO to the version agreed by the headquarters.

Example: A ransomware attack occurs on a shared HR system. After 48 hours, the parent company submits a summary report that does not indicate any data loss. The Local Administrator does not receive detailed technical data and is unable to independently assess the need to report the incident to the Office for Personal Data Protection (PUODO), even though their employee data was processed.