Data Protection & Data Security

Our lawyers in the field of Data Protection & Data Security support you in implementing the requirements under data protection law and assist you in establishing data security.


If you have any questions, please do not hesitate to contact us.


With their many years of experience in data protection law, our data protection experts advise in particular on complex issues of implementation and on legally compliant conduct after a cyberattack.

Data forms the basis for successful and efficient corporate management and is considered the currency of the future. The digital transformation of businesses requires the use of large amounts of data.



    We support you in developing future-proof and legally compliant data use concepts to achieve your objectives in the use of new technologies. Almost every database contains personal data such as email address, IP address, or administrator name. We therefore advise our clients to ensure compliance under data protection law prior to using new technologies such as

    • Blockchain
    • Cyber-physical systems (Industry 4.0)
    • Augmented Reality
    • Artificial Intelligence
    • 3D printing

    Our advisory approach relating to data protection & data security

    Our Data Protection lawyers advise on all issues of corporate data protection: from reviewing and assessing technical and organizational measures to conducting data protection impact assessments and offering support in handling data protection incidents. We always focus on legal protection for our clients to protect them from the risks of unlawful data processing.

    Legal protection faces complexity specifically where personal data is transferred to third countries, in particular if they are considered to have a low level of data protection, such as the USA, China, or India. Following landmark decisions by the European courts, it is evident that very high legal requirements must be placed on such data transfers, which companies frequently find difficult to achieve. We assist you in carrying out international data transfers in a legally compliant manner and in avoiding any pitfalls. Such data protection violations may be sanctioned with fines of up to EUR 20 million or 4% of global annual revenue.

    The processing of personal data on web servers also requires comprehensive legal review. Under current law, any tracking tool requires the prior consent of data subjects, and any data collection requires the existence of a comprehensive privacy policy. When operating platforms, these transparency obligations are even further increased, necessitating a detailed breakdown and assessment of individual processing operations.

    Legally compliant data processing: data protection in employment law

    The processing of employee data is governed by Section 26 German Federal Data Protection Act as a special provision and places demands on German companies that are higher than in other EU member states. A separate legal review is therefore essential where employee behavior is recorded, for example by video surveillance, timekeeping, or location services. It may even be mandatory to conduct a data protection impact assessment in some instances.

    Our data protection experts collaborate closely with our Employment lawyers on these legal issues and regularly find pragmatic yet legally compliant solutions to enable the use of such technologies. Advice is particularly required on the following topics:

    • negotiating and concluding technology-related company agreements
    • drafting and reviewing technology-related employee policies
    • legally compliant responses to requests for information from (former) employees
    • legally compliant access to business email correspondence where private use is permitted

    Dealing with data protection incidents – reporting cyberattacks

    Cyberattacks on companies have increased enormously in recent years. It is important to be prepared for such attacks and to take appropriate measures in advance. Under certain circumstances, you are required to report the incident without delay, usually within 72 hours, to the data protection authorities – and, where necessary, also to notify the data subjects.

    It is not uncommon for such reports to lead to monitoring measures by the authorities. Since even inadequate wording may entail negative consequences, the notification to the authorities should be drafted by lawyers specializing in data protection law. We have legally advised on a large number of data protection incidents and our experts will gladly assist you.

    Our Data Protection & Data Security advisors are leaders in their field and are regularly recognized by the relevant industry media. They collaborate closely with lawyers in other fields to examine legal issues relating to digital transformation from all sides and to resolve them by involving specialists from the following fields:

    • Corporate (Corporate 4.0)
    • M&A (technology transactions)
    • Antitrust (platforms)
    • IP (patents, trademarks)
    • Health Care (digital medical devices)
    • Energy (smart metering)

    Selected Distinctions

    Legal 500 Germany 2023

    Legal 500 Germany 2022

    GDR 100 2021

    kanzleimonitor 2020/2021

    Legal 500 Deutschland 2020

    Legal 500 EMEA 2019

    Current Publications

    AI Act: Preliminary result of the trilogue negotiations leaked
    Update IP, Media & Technology No. 90 & Update Data Protection No. 168,
    together with Dominik Eickemeier, Dr. Hans Markus Wulf
    Data protection violations as a reason for dissolving the works council
    Update Data Protection No. 167 & Update Employment Law January 2024,
    together with Antje Münch, LL.M., Carina Bart

    Current Lectures

    The draft Cyber Resilience Act and its consequences for SMEs
    IHK Cologne, March 14, 2023
    Numerous GDPR seminars - The new data protection law (GDPR), data protection in marketing, data protection in purchasing and sales, and employee data protection – at Akademie Würth
    since 2018, Künzelsau-Gaisbach
    Do analytics and AI make data protection and liability obsolete?
    Digital Health Germany, introductory talk, March 16, 2022
    Schrems II: Finally SME-friendly and data-protection-compliant cloud and EDGE contracts?
    Lecture held in the framework of the event "Data from the center to the edge - The EDGE revolution?", Cologne, October 11, 2021
