The exchange of data within a group of undertakings (previously also covered by the term Konzernprivileg (i.e. "group privilege") is not really facilitated by the GDPR. Rec. 48 (1) GDPR at least clarifies that internal administrative purposes "may" constitute a legitimate interest:

“Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients’ or employees’ personal data.”