Skip to content

Data Protection Law


As soon as your company processes personal data of customers, end customers or employees, you must observe the regulations and requirements of data protection law. In this respect, the data protection law applies to all industries and independent of the company’s own core activities.

In order to avoid fines, claims for damages and damage to your image, we advise companies from Germany and abroad on all questions of German and European data protection law. In the area of employee data protection and at the interface with competition law, our experts, who are certified as data protection officers, work in interdisciplinary cooperation with specialists from other departments of our firm in order to be able to offer you the most practicable solutions.

In doing so, we not only provide selective assistance in clarifying complex legal issues, but also accompany your business operations in the long term in order to maintain the level of data protection. For this purpose, we will be happy to put you in touch with an external data protection officer who will keep an eye on current developments in jurisdiction and legislation for you.


Irrespective of whether long-term advice is desired or not, we will determine the data protection status quo in your company on request. On the basis of a preliminary analysis, we prioritise all data protection law processes in your company according to the level of risk to the rights and freedoms of the persons affected by the data processing.

Taking into account the technical and organisational measures identified in your company, we help you to improve identified weaknesses and thus make data processing legally compliant.

Furthermore, we will draw up the record of processing activities required by law on a regular basis. In advance, we will check whether your company may exceptionally not need to keep a record of processing activities. The record summarises the essential information on all data processing activities and must be submitted to the supervisory authority on request. In addition to enabling the supervisory authority to check the processing operations based on the record, the record also serves the company as a basis for mandatory information texts.

In order to maintain the transparency desired by the European legislator, some disclosure requirements regarding data processing must be met. We will help you to comply with the requirements of the General Data Protection Regulation (GDPR) and the national legal provisions.

In cooperation with our labour law department, our data protection specialists draw up tailor-made shop agreements on data protection for your company.

Since data processing is often complex and costly, controllers often outsource data processing to external service providers, who then usually act as processors, Art. 4 (8) of the GDPR. The controller and the processor must conclude a data processing agreement in accordance with the legal requirements. We would be pleased to draw up a model contract for your company or support you in negotiating agreements. In advance, we will check whether the business matter actually represents processing according to the GDPR.

If certain processing operations are envisaged, the controller must carry out a so-called data protection impact assessment. Together with you, we carry out data protection impact assessments in accordance with Art. 35 (1) of the GDPR and examine whether the data processing is likely to present high risks to the rights and freedoms of natural persons by virtue of its nature, scope, circumstances and purposes.

The General Data Protection Regulation was originally intended to be accompanied by another EU Regulation. The ePrivacy Regulation, which is still at the draft stage, is intended to ensure the protection of personal data in electronic communications. We are keeping an eye on what provisions will soon apply to your company’s data processing in connection with over-the-top services (OTT services) and online tracking.

We draw up suitable contracts for your company to secure the transfer of personal data within your group of companies in a form that complies with legal requirements.

Many companies rely on cloud service providers based in so-called third countries, i.e. countries outside the EU/EEA. In some cases, the data protection supervisory authorities have not established an adequate level of data protection for these countries. We support you in cross-border data traffic in order to implement all data protection requirements and to make data transmission secure.

In addition to the indispensable IT security, the GDPR stipulates that the controller must take suitable organisational measures in a verifiable form to ensure compliance with the provisions of the GDPR and to prevent infringements in the best possible way. To this end, companies must document clear processes from which, in addition to process descriptions, personal responsibilities in particular are derived. In close cooperation with you, we develop a data protection management system in order to comply with these documentation and accountability obligations and thus to minimise the risk of possible fines.

Operational data protection only works if employees are sufficiently sensitised to the protection of personal data and informed about relevant data protection processes in the company. We would be happy to support you in familiarising your employees with the basic principles of data protection law and explaining personal obligations in regular in-house or distance training courses.

In the event of a “personal data breach” pursuant Art. 33 of the GDPR, there is no time to lose in order to comply with the tight response deadlines of the GDPR. A data breach occurs when unauthorised persons gain access to a data collection. It is irrelevant whether the security breach is due to a technical or organisational fault or whether it was intentional or unintentional.

If the breach involves a “risk” to the rights and freedoms of the data subjects, the controller must report it to the competent supervisory authority without delay and, if possible, within 72 hours of the incident becoming known. If the data breach is likely to pose a “high risk” to the rights and freedoms of the data subjects, the controller shall inform them of the incident without delay.

We help you to classify risks and to process the obligations associated with data breaches quickly and as legally compliant as possible. If you wish, we can take over the communication with supervisory authorities and/or affected persons for you.

Geht mit der Verletzung ein „Risiko“ für die Rechte und Freiheiten der Betroffenen einher, hat der Verantwortliche diese unverzüglich und möglichst binnen 72 Stunden ab Bekanntwerden des Vorfalls an die zuständige Aufsichtsbehörde zu melden. Lässt die Datenpanne ein „hohes Risiko“ für die Rechte und Freiheiten der Betroffenen erwarten, informiert der Verantwortliche diese unverzüglich über den Vorfall.

Wir helfen Ihnen dabei, Risiken einzuordnen und die mit Datenpannen einhergehenden Pflichten zügig und möglichst rechtssicher zu bearbeiten. Auf Wunsch übernehmen wir für Sie die Kommunikation mit Aufsichtsbehörden und/oder Betroffenen.

Trust is a sales argument especially for companies with a focus on data processing. This is why companies often have themselves certified. We help you choose the best suitable certification centre for your company. On request, we will prepare your company for the upcoming certification and accompany audit appointments to preserve your interests.

According to Art. 82 of the GDPR, those affected have the right to compensation for damages. If you have suffered material or immaterial damage as a result of a breach of provisions of the GDPR, we will help you to assert your claims for compensation either extrajudicially or in court.

If you or a company affiliated with your company have breached the provisions of the GDPR and you are now being sued for damages under Art. 82 of the GDPR, we will also support you in defending yourself against these claims extrajudicially or in court. If the compensable damage is due to the actions of a joint controller or processor, we will examine whether your company is entitled to recourse and enforce this for you.

Haben Sie oder ein mit Ihrem Unternehmen verbundenes Unternehmen Ihrerseits gegen die Bestimmungen der DS-GVO verstoßen und werden Sie nunmehr auf Schadenersatz nach Art. 82 DS-GVO in Anspruch genommen, unterstützen wir Sie auch dabei, sich gegen diese Forderungen außergerichtlich oder gerichtlich zu verteidigen. Ist der ersatzfähige Schaden hierbei auf die Handlung eines gemeinsam Verantwortlichen oder Auftragsverarbeiters zurückzuführen, prüfen wir, ob Ihrem Unternehmen Regressansprüche zustehen und setzen diese für Sie durch.

Kennen Sie schon
• Gesetzestext DS-GVO
• Gesetzestext e-Privacy-VO
• Gesetzestext e-Evidence-VO


We are looking forward to your questions on this and other topics!


GDPR stands for: General Data Protection Regulation and refers to the basic data protection regulation which has been directly applicable in all EU member states since 25.05.2018. We would like to briefly highlight the essential aspects of the new regulations for you and present our consulting approach.