Data Protection Law

Some have it, and others would like to get their hands on it – personal data. Nowadays, personal data has become the key basis for effective marketing, making it into a major business asset. But corporate interests in gathering and processing this data are up against restrictive data protection laws – and rightly so. The individual’s right to determine what happens with his or her own data is an important basic right, and one which requires comprehensive protection, given the rapid pace of change and expanding options on the technological front.

Provisions under data protection legislation are spread across numerous general and area-specific statutes and regulations, making it hard to maintain an overview. It is difficult to appreciate the schematic system that lies behind them. A further complication is that the legislation relating to data protection is becoming increasingly internationalised. Which data am I allowed to collect and process without problems? For what things do I need the consent of the data subject? What are the purposes for which I can use the data I have gathered, and to whom – and for what purposes – am I allowed to pass on that data? There are very few companies that do not find themselves repeatedly faced with these questions. The age when data protection and data security were some “exotic territory” that was the preserve of management under its compliance obligations is long gone. On the one hand, it takes little imagination to realise that competitors, competition authorities and consumer protection organisations alike can and will challenge companies over breaches of privacy law. That brings with it the threat of high fines and, in extreme instances, prosecution under the penal code. On the other hand, any failure to comply with data protection now constitutes a primary entrepreneurial risk. Especially in dealings with consumers, a veritable “data protection scandal” (potentially covering everything from loss of sensitive data to a poorly worded privacy policy) can not only do considerable harm to a company’s image, but also directly cost the company customers.
We are on hand to advise on all issues relating to the processing and protection of personal data. Matched to your requirements, we develop strategies and solutions in line with statutory requirements for data protection compliance. We maintain a focus on your commercial objectives and interests throughout. If necessary, we can bring about early agreement with the responsible authorities.
We attach particular importance to keeping up with the times. As enthusiastic users of today’s technologies ourselves, data protection statements (privacy policies) are by no means just a set of abstract formulations for us. We are interested in which tools gather and evaluate which data, why it happens and who is doing it – and we are able to set that out accordingly in legal terms. Mobile apps are not some present-day work of the devil for us, but software applications for particular operating systems, the use of which (generally) requires exchanging data via the Internet. Accordingly, we have an understanding of what information needs to be given to the user, and why.
However, data protection law involves more than just satisfying statutory obligations towards those covered by it; to a large degree, it is also contract law. Data processing and data use agreements of all kinds determine the “backend”, i.e. legal relations between the companies that either have legal responsibility for collecting, processing and using the data, or that actually carry out those tasks. The contracts that have to be concluded for this work need to reflect – accurately and completely – what in some cases are highly detailed statutory provisions (key phrase: contract data processing), and they always need to be drawn up with a constant eye to rules and regulations under data protection law. We have the overview and the experience to steer you through the hidden depths of legislation.
A further stumbling-block, and one which is becoming ever more important in practice, is the sending of personal data abroad – either because the parent company has its head office elsewhere, or because the technical aspects of data retention and processing are better or more cost-efficient in other countries. Here there are many scenarios where the “usual suspects” – consent forms filled in by data subjects, and EU standard agreements – cannot simply be used as they stand. We help you to find the right approach to achieve your corporate goals.

 

Thorsten Feldmann LL.M.
Julian Höppner, LL.M.