Data Economy & Data Protection

A series of directly applicable EU regulations, together with numerous other pieces of legislation, form the highly complex new European data regime. Following the General Data Protection Regulation (GDPR) in 2016 and the Data Governance Act (DGA) in 2022, European legislators set two further milestones for the regulation of data and artificial intelligence in the European Union in 2024 with the Data Act (DA) and the Artificial Intelligence Act (AIA). The regulatory requirements for artificial intelligence and accessing, exchanging and using both personal and non-personal data overlap and intermingle with the already established data privacy requirements. New European statutes emerging in the future will serve to make the regulatory framework for data and AI even more opaque.

When it comes to data security, the regulatory requirements under IT security law also have to be observed. On top of this, antitrust and competition law imposes strict rules on how data is handled. The instruments of European data law do not provide a general safe harbour for antitrust infringements such as engaging in the prohibited exchange of sensitive competition-related information. Besides this, the requirements of product liability law apply, which is now also being extended to cover digital products, software and production files, and likewise product safety law, for instance when data has an influence on the safe use of a product. Finally, when commercialising data, sales and distribution law also has to be taken into account along the entire value chain.

Adherence to statutory rules is one of the key components of data compliance, regardless of what line of business a company is involved in or its size. Data compliance basically covers all the applicable rules companies have to adhere to when processing personal and non-personal data, including statutory requirements, contractual terms and conditions, certifications, codes of conduct, industry standards and likewise binding corporate rules and internal guidelines or policies.

The extensive requirements under data law form the regulatory framework for setting up business processes and designing and using applications and systems within an organisation. But efficiency and sustainable success can only be achieved by proactively considering the legal requirements for data by way of “data compliance by design” at an early stage when developing new business processes and products.

By referring to our “Map” of European data law (bookmark: europeandatalaw.com), which is regularly updated, our clients are able to find their bearings in the jungle of data rules and regulations. By using our Data Compliance Compass, you can navigate safely through the data landscape.

Our advice focuses on

• adapting business processes, products and business models to the requirements under data law
• preparing documentation required under data law such as data protection agreements, privacy policies, legality audits, consent forms and privacy impact assessments (PIAs)
• analysing the gap between a client’s existing data structures and the structures required under data law and implementing the necessary changes while applying a risk-based approach

To be able to manage the multitude of data compliance requirements in practice, robust and efficient data compliance governance is essential. This involves establishing effective organisational structures and practicable processes for implementing data compliance requirements featuring clearly defined roles and responsibilities.

Data compliance management systems (DCMS) complement and enhance already established data protection management systems (DPMS). Together, these systems are designed to systematically plan, implement, continuously monitor and improve measures to comply with regulatory requirements for both personal and non-personal data as well as for artificial intelligence.

Our advice focuses on

• structuring, establishing and implementing data compliance governance in companies or groups, including data protection governance
• internal data compliance policies, for example on data-compliant design of business processes and systems, handling of data by employees, dealing with data incidents and handling data-related requests by data subjects (e.g. requests for access)

The regulations regarding data, and especially data protection, are accompanied by far-reaching enforcement and dispute resolution mechanisms at European and national level and also private enforcement. In this context, the new European legislative acts provide the competent authorities with a range of steep penalties, following the example of the GDPR. One focus is on administrative proceedings and court actions against decisions by such bodies before the national and European courts. Existing alongside this is private enforcement, which is playing an ever-greater role throughout Europe due to new collective legal actions and can entail significant economic risks for companies. As a result, we advise in integrated teams benefiting from a bird’s eye view of all the conceivable possibilities and risks. We plan an overall strategy for your company designed to avoid the risks of public and private enforcement as well as possible. If the worst comes to the worst, we will of course use our wide-ranging experience to assist you in implementing our jointly agreed strategy to defend your rights before authorities and courts, acting for you in collective actions and efficiently managing mass proceedings.

Our support for companies encompasses all fields of data protection litigation (page in German only):

• representing clients in administrative proceedings with data protection authorities (DPAs), e.g. injunctions
• defending clients in relation to the imposition of regulatory fines
• representing clients in civil and mass actions, e.g. against claims for non-physical damage suffered by data subjects due to violations of data protection law
• assisting in the preparation of requests for detailed information (“DSAR readiness”) and the preparation of responses to requests (“DSAR reaction”), cases involving the imposition of fines and other measures imposed by supervisory authorities; in addition, handling extra-judicial claims as well as law suits instigated by data subjects seeking information and damages (“DSAR defence”)

Dealing with data incidents (especially filing reports to au-thorities and informing people who are effected), including support with cyber incidents

• Advising clients on how to organise data transfers in compliance with data protection legislation, especially when relying on external service providers for outsourcing and cloud computing
• Providing advice on centralising group-wide IT infrastructure and IT services
• Drafting binding corporate rules

Implementing guidelines for erasing data (rights and obligations to retain data versus obligations to erase data (“right to be forgotten”) under data protection law)

• Providing advice on organising HR processes so that they comply with data protection legislation and advising on their digitalisation
• Drafting arrangements for the (personal) use of company IT infrastructure and personal IT in a company context
• Drafting rules for (CCTV) employee surveillance
• Designing whistleblowing systems and assisting with their implementation

• Reviewing digital offerings and advertising in e-commerce, including (behavioural) targeted advertising, to ensure compliance with data protection legislation
• Designing and assisting with the implementation of customer relationship management systems and customer loyalty programmes

Conducting training and data protection workshops for company employees (including e-learning) tailored to the client’s specific requirements

Developing and assisting in the implementation of monitoring measures and data protection audits