Sharing personal information

Sharing inside a group of companies

Each company is a separate responsible party — intra-group sharing needs a ground like any other disclosure, usually legitimate interests.


Written by

Martin Kotze

Attorney, Conveyancer & Notary Public

Quick answer
POPIA has no group-of-companies exemption: each company in a group is a separate responsible party, so passing personal information from one group company to another is a disclosure needing a lawful ground — usually legitimate interests — plus compatibility and the conditions. Cross-border intra-group flows can be covered by binding corporate rules under section 72, and each subsidiary must register its own information officer.

Each company stands alone

Corporate groups feel like one business, but POPIA sees a set of separate juristic persons, each a responsible party in its own right: “a public or private body or any other person which... determines the purpose of and means for processing”. Information moving from OpCo to HoldCo is therefore a disclosure to a third party, and the three checks apply exactly as they would for an outsider: ground, compatibility, conditions. What the group relationship changes is how easily those checks pass — not whether they apply.

The grounds that carry group flows

Legitimate interests does most of the work: consolidated reporting, group risk and fraud management, shared compliance functions, centralised HR and IT. Contract carries flows the customer’s own agreement contemplates (the group entity that actually delivers part of the service). Legal obligation carries statutory group reporting. The balancing leg is helped by transparency — group sharing your privacy notice discloses sits within reasonable expectations; group sharing nobody mentioned does not.

Cross-border: binding corporate rules

Where the group crosses borders, section 72 adds its gate — and was written with groups in mind. The first gateway covers a recipient subject to “binding corporate rules” providing substantially similar protection, defined as:

Source — the actual words

“‘binding corporate rules’ means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country”

Protection of Personal Information Act 4 of 2013, s 72(2)(a)

One well-drafted group data-protection policy, genuinely adhered to, covers the recurring offshore flows — no per-transfer consent needed. The wider transfer rules are on the cross-border page.

Group housekeeping

Three items keep group sharing defensible. Document the architecture — which entity is responsible party for which processing, and where one entity serves the others as an operator, put the section 21 contract in place. Tell people — every notice in the group should disclose intra-group flows. Register every information officer — the Regulator’s Guidance Note requires each subsidiary to register its own (see information officers).

Frequently asked questions

Can our subsidiaries share one customer database?

Yes, with structure: each participating company needs a ground (typically legitimate interests for group administration), the privacy notices must disclose group sharing, and the arrangement should be documented — who is responsible party for what.

Do shared HR or IT services within a group breach POPIA?

No — centralised services are a classic group legitimate interest. Where the service company processes purely on the others’ instructions it acts as their operator, which calls for a written intra-group operator agreement (s 21).

Can one privacy notice cover the whole group?

A shared template works, but each responsible party must make its own data subjects aware of the s 18(1) items — including that information moves within the group. A notice naming only the holding company hides the ball.

Does each group company need its own information officer?

Yes. The Regulator’s Guidance Note requires each subsidiary in a group to register its own information officer — one registration for the holding company does not cover the stable.

Why you can trust this: Martin Kotze has been an admitted Attorney of the High Court of South Africa, registered Conveyancer, and Notary Public since 2014, practising from Pretoria. The firm is regulated by the Legal Practice Council under firm registration F17333.

This guide is general information, not legal advice for your specific matter.
