Data and Data Protection

How can data be used strategically in line with the respective business model and in compliance with the statutory limits?

Where “raw data” can be collected, processed and transferred by companies to the relevant parties in order to influence decisions in real time, the value of such raw data is maximised. This can only be successful, however, if the relevant applicable statutory limits are complied with, since data collected unlawfully must be deleted and may no longer be used. In order to be able to even initiate these processes, however, companies must record and evaluate their data inventory, and in particular so-called “dark data”, in a sort of stocktaking process. Such inventory analyses frequently open up new possibilities for alternative business models, eg in the “FinTech” or “InsurTech” fields.

Do you offer sufficient protection for third-party data?

Handling the personal data of employees, business partners and clients, for instance, properly and in a legally compliant manner – especially in a cross-border context with different data protection levels in different jurisdictions – has therefore become more important than ever and requires a tailor-made approach and effective data protection strategies.

The legal framework in the field of data protection in particular is subject to constant change, usually to become more rigid, both at a national and international level, eg currently under the General Data Protection Regulation (GDPR).

The lawyers in Allen & Overy's Data Protection Group have specialised in data protection law for many years and support companies at every step in the course of initialising, inventory-taking, evaluating, action planning for and implementing projects involving data protection issues. In this context, our expertise is not limited to data protection law as such, but also includes legal support in connected areas such as telecommunications and telemedia law as well as information security. Our goal is to support companies right from the start within the scope they need and specify. Our approach focuses on individual alignment in response to internal requirements and processes and on the integration of existing relationships with other service providers.

Data protection law is not only determined by national requirements, however. As the German Data Protection Group forms an integral part of the firm's Global Data Protection Group, clients can rely on our international network of leading experts in the field of data protection law, especially when it comes to complex data protection projects.

We cooperate closely with experienced experts from other practice areas such as Employment & Benefits, Corporate/M&A and Intellectual Property as well as Banking/Finance .

Allen & Overy's data protection lawyers advise on all aspects of national and European data protection law. The team has long-standing experience in the following key areas of advice in particular:

• Implementing and adjusting systems and processes to comply with amended statutory or regulatory requirements (eg General Data Protection Regulation, revised Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG-neu) or IT Security Act (IT-Sicherheitsgesetz))
• Advising on the compliant handling of data, data management systems and IT tools
• Data transfer and processing within corporate groups and cross-border data transfer (eg under EU standard contract clauses or binding corporate rules (BCRs))
• Data security and cyber security
• Data protection compliance
• External investigations, including in an international context (eg US/UK discovery proceedings)
• Internal investigations: analysis and evaluation of data in the case of legal breaches in the context of internal investigations
• Data protection requirements in M&A transactions
• Employee Data Protection
• Data litigation (communication with supervisory authorities and litigation, both in court and regulatory)
• Privacy notices and privacy policies
• Appointment of data protection officers
• Big data/data mining
• Outsourcing via cloud computing and commissioned data processing
• Data protection requirements and concepts related to “FinTech” and “InsurTech”
• Data reputation (securing appropriate market perception through cooperation with Germany's leading communications consultancy)
• Designing and implementing whistleblowing systems compliant with data protection law

In addition to traditional legal advice, we also offer our expertise in the context of presentations and seminars.

• A major European energy supplier in connection with a due diligence in respect of data protection law conducted for the numerous general terms and conditions documents for various group companies regarding compliance with the BDSG and the GDPR in connection with the largest European outsourcing project in the field of utilities. Advising on the transfer of various data categories to third countries, including other European countries, taking into account specific new requirements, e.g. the German Act on Operating Meters and Data Communication (Messstellenbetriebsgesetz; MsbG), and evaluating all IT-relevant works agreements (interface with employment law).
• A multinational pharmaceuticals group in connection with various projects related to data protection law.
• An Asian bank in connection with a global investigation project by coordinating and planning the internal investigations for Germany and cross-border consultations. Assessing various options for transferring data to the USA, preparing numerous contracts (agreement for contract data processing pursuant to section 11 BDSG; data transfer agreement with service provider, standard contract clauses with contract data processor, intra-group agreement with nine parties as data processors and data controllers). Preparing a works agreement on e mail screening and negotiations with the works council (interface with employment law).
• TUI AG on data protection issues in connection with the sale of the Travelopia division, which involved coordinating the data protection law teams from six countries in total (including the USA, UK, France and Australia) with a view to performing the due diligence and negotiating/drafting the SPA with a digital business model.
• One of the largest Asian internet companies in the world in respect of development cooperation with German industry partners in the field of mapping and navigation software for autonomous vehicles; the project is of strategic significance for all parties involved.
• A world-leading US social media platform in the context of the proposed acquisition of a German video editing startup. The project focuses on complex issues regarding rights ownership for software (and other IP) following spin-off from a university. In addition, the technology implemented by way of the relevant software is protected by multiple patents as a computer-implemented invention.