Data processing agreements between group companies – what does the GDPR require?
A common misconception is that companies within the same corporate group do not need to enter into data processing agreements with one another. However, under the General Data Protection Regulation (GDPR) it is not the group structure that determines whether such an agreement is required, but whether one company processes personal data on behalf of another.
This often arises where an intra-group function provides IT, HR or finance services. Where that function is organised in a separate legal entity, it will act as a processor. In such cases, a data processing agreement under Article 28 GDPR is required, even if both companies sit within the same group or share ownership. This analysis depends on the parties' roles in the processing and on the definition of controller under the GDPR, not on internal ownership charts.
The Data Protection Agency and other European supervisory authorities have been clear: it is the actual role in the processing – not legal ownership – that determines obligations under the GDPR. If no agreement is in place in these scenarios, the processing may be deemed non-compliant with the GDPR, with exposure to administrative fines.
When is a processor agreement required? Guidance from a GDPR lawyer
In practice, group companies commonly share resources across organisational boundaries, but that does not change the GDPR requirements. If one group company gains access to or processes personal data on behalf of another, roles must be clearly defined and documented. A data processing agreement then serves as formal evidence that responsibilities are allocated and that processing is carried out in line with the GDPR. This is closely linked to the definition of controller under GDPR and the distinction between controller and processor.
A data processing agreement is required between companies in the same group where:
- One company processes personal data on behalf of another company.
- The processing company does not itself determine the purposes of the processing.
- There is a service arrangement between the companies, for example via a shared service function.
- Processing occurs through shared IT systems or cloud services.
- There is no joint controllership under Article 26 GDPR.
Internal routines and policies are not enough – there must be a formal data processing agreement that meets the requirements of Article 28. This is particularly important for groups operating across multiple geographies or sectors subject to differing regulatory requirements.
At Morling Consulting, our GDPR specialists support companies in analysing intra-group data flows and ensuring agreements meet the GDPR’s standards.