Select Page

GDPR in company groups

Can we share our mailing lists?

Even almost one year after the GDPR went into effect numerous critical questions are rather unanswered than unambiguous. Especially in multi-structured companies a lack of clarity regarding mailing list sharing and the ownership of consent is creating many sleepless nights to marketing departments.

As it is not very clear how GDPR compliance in company groups works, we did some research and provide you the most important facts you need to know.

Consent conditions

While most companies understood that prior consent is necessary before sending marketing-related emails, not everyone is also aware of the consent conditions. That’s why we will start this article with some basics about consent.

Explicit consent, in order to be valid, has to meet the following requirements:

  • It has to be given out of free will and has to be actively chosen. The given consent has to be clearly comprehensible also to a later time. Consumers who don’t agree must not be disadvantaged.
  • Transparent information about why and how the data processing takes place is mandatory.
  • More importantly, consent is given to a particular purpose. In case your business is asking clients for their permission to send newsletters for blog posts, you are not allowed to send marketing emails with special offers.

In addition to that, the person who gave the consent needs to have at any time the option to withdraw it.

Attention, consider also the prohibition of coupling. We will give you a brief example:
A customer is buying new shoes on your website and agrees with a checkbox the purchasing contract. Here it is not allowed to ask for GDPR consent.
“Yes, I want to purchase the shoes for price XY and agree to receive marketing emails.”

Instead, contract declarations and data processing permissions have to be separated.
Checkbox one: “Yes, I want to purchase the shoes for price XY.”
Checkbox two: “Yes, I agree to receive marketing emails.”


But who is the owner of the consent and consequently the private data?
In general, a single company asks the client for consent and when received, is the owner of it. How is the situation within company groups, though?

Mailing list sharing within or outside a company group and holdings

Obvious brand differentiation

Let’s take Nike as an example. Who didn’t know it before, Converse and Hurley International are among others, subsidiaries of Nike Inc. There might be a good possibility that people who buy certain kinds of Nike shoes could also be interested in a new collection of Converse sneakers as well and vice versa. Performing cross-marketing activities might be tempting. Nevertheless, the sharing of email lists, neither within companies of the same group nor outside is permitted. To do so, it is needed to ask each individual’s specific consent for being contacted by other group companies – be it parent or subsidiaries – for marketing purposes.

Brand identification unclear

Subsidiaries within a group might have similar business purposes and the same industries. Let’s take Nike again. As already described in the example above, Converse is owned by Nike Inc. Their business type is quite similar. However, there are other subsidiaries as Nike New Zealand Co, Nike Deutschland GmbH, Nike Thailand and many more, which by most customers might not be identified as single entities.

Are there, for example, important marketing offers to promote which concern all the just mentioned subsidiaries in Germany and Co., every one of them has to ask consent to their own customers. Still, any of them has to send the email separately. 

The same applies to companies using different trading names. As consumers cannot be expected to have an awareness of brand connections, they most likely did not opt-in to receiving marketing offers from every brand.

At this point, it is important to mention that GDPR infringement fines in multi-structured organizations can affect other parent and subsidiaries.

A fine “can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.”

Group fines for GDPR breach

For this situation, GDPR is speaking of a group of undertakings. Recital (37) of the Regulation provides here some somewhat confusing explanation.

“A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings.”

Let’s clarify first what is actually an undertaking under GDPR. For interpretation of this term, Articles 101 and 102 in the Treaty on the Functioning of the European Union have to be considered. Therefore, it can be understood that an undertaking is a group of enterprises who are engaged in a joint economic activity while being a part of the same undertaking.

Now let’s dive in again into Recital 37. The Regulation states that a group of undertakings should have a controlling undertaking which can have the ownership of the group, participate financially or takes control over the implementation of data protection rules.

As a group of undertakings is seen as one entity, the GDPR breach of one single company can result in a calculation of the fine based on the annual turnover of the whole group.

Would you like to talk about GDPR with us? Don’t hesitate to contact us!

Best Practice

The key is transparency. The Best practice would be the holding or parent company contacting on behalf of the subsidiary with an email which

  • explains the company structure in a comprehensible way and make it clear that the brand is part of a group or holding
  • lists other subsidiaries (for big players it might make sense to group them according to their purpose) or a statement that data sharing takes place between companies inside the group
  • and above all provide separate opt-ins for each company/brand

Please remember that the popular pre-ticked boxes trick of marketers are no longer allowed. To be on the safe side, we recommend to use double opt-in: firstly the consumer is filling his/her data into a form on your website and secondly receives an email to verify his/her consent.

It may seem now a backfiring step, but it also brings advantages such as more effective marketing targeting and one storing and controlling instance. And from a monetary perspective, it ensures compliance with GDPR regulations and thus fines for the whole company group will be avoided.

And as the last word …

Don’t forget to think about your customer. Legally the parent company/ holding is allowed to send emails on behalf of the subsidiaries. However, it does not always make sense, especially when the industries are too diverse.

An energy marketing campaign for a customer who thought to subscribe to a fashion brand marketing newsletter

In this case, it’s recommended to treat every subsidiary as a single entity but having an eye on their GDPR compliance.

If you want to learn more about GDPR in B2B companies, have a look at our article.