Data Protection Law

Industry 4.0, Business 4.0, big data, car data, internet of things (IoT), cloud computing, smart home, smart car or e-health: personal data and the way it is used are becoming an increasingly important part of existing or completely new business areas. At the same time, as digitalisation advances, there is always potential for conflict between economic innovation and the protection of personal data. Compliance with, and violations of, data protection laws are thus increasingly becoming the focus of public attention. This means that companies need to find their way around the conflict between their business interests and the legal requirements by ensuring their data protection is very well organised. Our pragmatic and solution-oriented team, which specialises in data protection law, can help you ensure that this succeeds as well as possible.

The processing of personal data is highly regulated. In addition to the EU General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG-neu), which has been amended to accord with EU law, sector-specific laws such as the German Telecommunications Act (TKG) or the German Act Against Unfair Competition (UWG) regulate how personal data is handled. The exploitation of personal data offers attractive business opportunities for companies, but the associated compliance and liability risks must be considered and safeguarded against. The public sector, too, must take into account the special data protection requirements within the framework of the German Federal Data Protection Act.

Together with our clients, we develop the best industry-focused data protection solution for each client, tailored to that client’s individual corporate needs, on the basis of current legislation, jurisprudence and the announcements made by the data protection supervisory authorities. This strategy is constantly updated and already takes into consideration the consequences of possible future developments.

We work with our clients to implement the requirements for complying with data protection law and develop processes to ensure such compliance is maintained in the long term. In particular, we verify compliance with the requirements under data protection law regarding the security of data transfers, taking into account current case law and developments in EU legislation, such as the ECJ’s Schrems II judgment or the new standard contractual clauses.

When implementing data protection management systems or new technologies, such as the digital twin or autonomous driving, we can support our clients based on our many years of experience.

Our range of advisory services:

International data transfers to third countries
  • Analysing actual international data transfers to external contractual partners and advising on the conclusion of data protection compliant agreements
  • Identifying intra-group transfers and helping draft contractual clauses containing additional guarantees
  • First-aid kit for “Schrems II” compliance
GDPR administrative fine map
  • Compiling information about fines already known
  • Providing an overview of the offences committed
  • Presenting the information in an overview by federal state
Data protection in the public sector
  • Advising on all matters pertaining to data protection law, particularly taking into account the special requirements in the public sector 
  • Advising on organising matters in a data protection compliant way and on maintaining such organisation
  • Defending against claims for information with the protection of personal data in mind
Data protection in the company
  • Providing comprehensive data protection law advice for national and international companies and for internal data protection officers
  • Appointment as an external data protection officer and providing support as such
  • Advising on introducing and implementing data protection organisation
  • Advising on introducing data protection compliant business models and processes
  • Advising on carrying out data protection impact assessments, e.g. in connection with video surveillance or big data applications
  • Drafting and updating relevant documents under data protection law, such as data protection policies, data protection notices or agreements
  • Advising on setting up, implementing and maintaining data protection compliance in the company
  • Advising on international data transfers involving countries outside the EU, taking into account the new EU standard contractual clauses and other appropriate safeguards
  • Advising on implementing authorisation and deletion concepts
  • Representation vis-à-vis data protection supervisory authorities
  • Risk management in the event of data protection incidents
  • Providing representation in judicial disputes regarding breaches of data protection law
  • Carrying out national and international data protection audits
Data protection management/data protection compliance
  • Ascertaining the current situation and examining compliance management systems
    • Checking on the existing data protection management
    • Comparing the existing processes with the requirements under data protection law
    • Advising on introducing a new, data protection compliant data protection management system
  • Examining processes, policies and other procedures for their conformity with the GDPR
  • Drafting and updating data protection management records and other documentation
  • Applying the IDW PS 980 auditing standard
  • Making the required adjustments to ensure compliance with the Schrems II judgment
  • Implementing new standard contractual clauses
Employee data protection
  • Advising, for example, on introducing whistleblowing programmes, human resources or assessment systems at national and international levels
  • Advising on drafting and negotiating works agreements on the basis of the EU General Data Protection Regulation (GDPR) and the new German Federal Data Protection Act (BDSG-neu)
  • Training courses and workshops (e.g. employee workshops)
Data protection for IT projects and web-based applications
  • Data protection-compatible design when using new technologies, such as smart home, car data or health apps
  • Transactional advice
  • Advising on setting up websites, online shops and cookie walls and on using tracking and analysis tools
Cross-border data transfer and cloud computing
  • Advising regarding cross-border data processing both for intra-group data exchange and with external parties
  • Drafting and negotiating the necessary contracts
  • Advising on introducing binding corporate rules (BCRs)
  • Carrying out national and international data protection audits


Key Contact

Silvia C. Bauer


T +49 221 9937 25789

Dr Stefanie Hellmich, LL.M.


T +49 69 27229 24118

Dr Michael Rath


T +49 221 9937 25795

Dr Kay Oelschlägel


T +49 40 18067 12175