Data Economy & Data Protection
Data is one of the most crucial resources of the digital economy. Across the globe, the quantity of available data has been growing rapidly for years. The data economy is becoming an enormous source of potential value creation. At the same time, the unrelenting flood of new legal requirements governing the handling of data is bringing major challenges for all those involved. We navigate our clients through the regulatory jungle guided by a strong sense of purpose and sound judgment.
Legal challenges in handling data have long ceased to arise from data protection law alone. Together with rules governing the protection of personal data, which continue to play a central role, a range of other European legislation has meanwhile emerged to form a more extensive data regime also governing the handling of non-personal data. Beyond the legislative acts essentially focusing on data, European and national requirements for handling significant data also exist under IT security, anti-trust and competition, product liability and product safety law as well as sales and distribution law. Breaches of the statutory rules often lead to official investigations and measures (public enforcement) and increasingly civil claims in connection with private enforcement. Our experts from all the relevant legal fields join together to form a competence team covering the entire spectrum of data compliance.
Our services
At Noerr, data law is not just a field of law secondary to other practice areas, but an important advisory field of its own. Our data law experts focus on this very dynamic and fast developing legal area. We provide highly specialised and efficient advice on all data issues, also extending to contentious matters such as disputes with authorities and competitors.
Data compliance by design: data-compliant design of (digital) business models and processes
A series of directly applicable EU regulations, together with numerous other pieces of legislation, form the highly complex new European data regime. Following the General Data Protection Regulation (GDPR) in 2016 and the Data Governance Act (DGA) in 2022, European legislators set two further milestones for the regulation of data and artificial intelligence in the European Union in 2024 with the Data Act (DA) and the Artificial Intelligence Act (AIA). The regulatory requirements for artificial intelligence and accessing, exchanging and using both personal and non-personal data overlap and intermingle with the already established data privacy requirements. New European statutes emerging in the future will serve to make the regulatory framework for data and AI even more opaque.
When it comes to data security, the regulatory requirements under IT security law also have to be observed. On top of this, antitrust and competition law imposes strict rules on how data is handled. The instruments of European data law do not provide a general safe harbour for antitrust infringements such as engaging in the prohibited exchange of sensitive competition-related information. Besides this, the requirements of product liability law apply, which is now also being extended to cover digital products, software and production files, and likewise product safety law, for instance when data has an influence on the safe use of a product. Finally, when commercialising data, sales and distribution law also has to be taken into account along the entire value chain.
Adherence to statutory rules is one of the key components of data compliance, regardless of what line of business a company is involved in or its size. Data compliance basically covers all the applicable rules companies have to adhere to when processing personal and non-personal data, including statutory requirements, contractual terms and conditions, certifications, codes of conduct, industry standards and likewise binding corporate rules and internal guidelines or policies.
The extensive requirements under data law form the regulatory framework for setting up business processes and designing and using applications and systems within an organisation. But efficiency and sustainable success can only be achieved by proactively considering the legal requirements for data by way of “data compliance by design” at an early stage when developing new business processes and products.
By referring to our “Map” of European data law (bookmark: europeandatalaw.com), which is regularly updated, our clients are able to find their bearings in the jungle of data rules and regulations. By using our Data Compliance Compass, you can navigate safely through the data landscape.
Our advice focuses on
- adapting business processes, products and business models to the requirements under data law
- preparing documentation required under data law such as data protection agreements, privacy policies, legality audits, consent forms and privacy impact assessments (PIAs)
- analysing the gap between a client’s existing data structures and the structures required under data law and implementing the necessary changes while applying a risk-based approach
Data compliance governance: structures and processes for data compliance
To be able to manage the multitude of data compliance requirements in practice, robust and efficient data compliance governance is essential. This involves establishing effective organisational structures and practicable processes for implementing data compliance requirements featuring clearly defined roles and responsibilities.
Data compliance management systems (DCMS) complement and enhance already established data protection management systems (DPMS). Together, these systems are designed to systematically plan, implement, continuously monitor and improve measures to comply with regulatory requirements for both personal and non-personal data as well as for artificial intelligence.
Our advice focuses on
- structuring, establishing and implementing data compliance governance in companies or groups, including data protection governance
- internal data compliance policies, for example on data-compliant design of business processes and systems, handling of data by employees, dealing with data incidents and handling data-related requests by data subjects (e.g. requests for access)
Data disputes/data litigation: data-related disputes
The regulations regarding data, and especially data protection, are accompanied by far-reaching enforcement and dispute resolution mechanisms at European and national level and also private enforcement. In this context, the new European legislative acts provide the competent authorities with a range of steep penalties, following the example of the GDPR. One focus is on administrative proceedings and court actions against decisions by such bodies before the national and European courts. Existing alongside this is private enforcement, which is playing an ever-greater role throughout Europe due to new collective legal actions and can entail significant economic risks for companies. As a result, we advise in integrated teams benefiting from a bird’s eye view of all the conceivable possibilities and risks. We plan an overall strategy for your company designed to avoid the risks of public and private enforcement as far as possible. If the worst comes to the worst, we will of course use our wide-ranging experience to assist you in implementing our jointly agreed strategy to defend your rights before authorities and courts, acting for you in collective actions and efficiently managing mass proceedings.
Our support for companies encompasses all fields of data protection litigation (page in German only):
- representing clients in administrative proceedings with data protection authorities (DPAs), e.g. injunctions
- defending clients in relation to the imposition of regulatory fines
- representing clients in civil and mass actions, e.g. against claims for non-physical damage suffered by data subjects due to violations of data protection law
- assisting in the preparation of requests for detailed information (“DSAR readiness”) and the preparation of responses to requests (“DSAR reaction”), cases involving the imposition of fines and other measures imposed by supervisory authorities; in addition, handling extra-judicial claims as well as lawsuits instigated by data subjects seeking information and damages (“DSAR defence”)
Data breach management: dealing with data incidents
Dealing with data incidents (especially filing reports to authorities and informing people who are affected), including support with cyber incidents
International data transfers and corporate privacy
- Advising clients on how to organise data transfers in compliance with data protection legislation, especially when relying on external service providers for outsourcing and cloud computing
- Providing advice on centralising group-wide IT infrastructure and IT services
- Drafting binding corporate rules
Data lifecycle management and guidelines for erasing data
Implementing guidelines for erasing data (rights and obligations to retain data versus obligations to erase data (“right to be forgotten”) under data protection law)
Employee data protection
- Providing advice on organising HR processes so that they comply with data protection legislation and advising on their digitalisation
- Drafting arrangements for the (personal) use of company IT infrastructure and personal IT in a company context
- Drafting rules for (CCTV) employee surveillance
- Designing whistleblowing systems and assisting with their implementation
Data protection in advertising and digital marketing
- Reviewing digital offerings and advertising in e-commerce, including (behavioural) targeted advertising, to ensure compliance with data protection legislation
- Designing and assisting with the implementation of customer relationship management systems and customer loyalty programmes
Training courses
Conducting training and data protection workshops for company employees (including e-learning) tailored to the client’s specific requirements
Audits
Developing and assisting in the implementation of monitoring measures and data protection audits
Selected projects
- Federal Ministry for Economic Affairs and Energy
Evaluating hurdles and operating latitude available under data protection law for testing innovative business models as part of the German Regulatory Sandbox Strategy
- Global Foundries
Providing ongoing advice to data protection officers on all issues relevant in the context of an international corporate group
- Incubator for a leading German car manufacturer
Providing advice on data protection law for the design of a web-based “peer-2-peer-charging” platform for managing charging infrastructures for electric vehicles
- McDonald’s Germany
Providing ongoing advice on data protection law in a complex franchise and group-structure environment, e.g. on implementing a new customer loyalty programme
- Microsoft
Advising Microsoft on data protection law in relation to specific topics, such as the use of tracking and analysis tools or the use of biometric methods
- HeyCar
Advising Mobility Trader GmbH extensively on data protection issues in relation to its used car platform “heycar”
- Europcar/Buchbinder
Advising the client on dealing with a data leak which attracted significant attention in the German press, from representing the client in investigations launched by the supervisory authorities to handling requests for information and complaints from data subjects
- EVE Germany GmbH
Advising the Chinese group on privacy issues in the context of its entry to the EU market, including the implementation of a governance structure from a privacy perspective as well as the preparation of data protection information for employees, business partners and the group’s website
- Federal Ministry for Economic Affairs and Climate Action
Analysing the legal framework for AI in the finance, mobility, administration, health, legal services and climate/energy sectors, and assessing the hurdles to be overcome and the requirements to be met before AI can be used
- Ada Health GmbH
Providing data protection law advice to the company on the interface between the regulation of medical devices and AI, including assisting in the international rollout of a medical device
“The team [...] has many years of experience and is ideally equipped to support its clients in establishing and improving their data protection structures. [...] In addition, work in this field involves a large number of official procedures and requests for information so that the team’s good relationship with the data protection authorities is a real bonus.”
JUVE Handbook
“The quality of their legal work is excellent in every respect and so is the value for money.”
Client, Legal 500 Deutschland