Subsidiaries

Companies controlled by a parent company through majority ownership or controlling interest, creating corporate families with complex data protection relationships. In privacy contexts, subsidiaries raise questions about: whether they're separate data controllers or processors, how data flows between parent and subsidiaries should be structured, whether binding corporate rules or intragroup agreements are needed, who bears liability for compliance violations, and how to structure privacy governance across corporate groups. Under GDPR, each legal entity is generally a separate controller responsible for its own compliance unless it processes data solely on behalf of another group entity (making it a processor). Organizations should: clearly delineate controller/processor relationships within groups, implement intragroup data transfer mechanisms (Binding Corporate Rules, Standard Contractual Clauses, or relying on adequacy decisions), establish group-wide privacy governance while respecting separate legal entities, document data flows between entities, and ensure subsidiaries in different jurisdictions comply with local requirements. Subsidiary relationships affect jurisdiction, liability, representative requirements, and enforcement approaches.