Digital data vaults
Data and Data Protection

Is your data sufficiently protected? Are you exploiting the full potential of your data inventory?

Data is referred to as the “new oil of the 21st century” and can have the same disruptive and asset-building effect as the “black gold” of the last century. Today, efficient and cost-effective real-time data collection, processing and transfer inevitably constitute an integral part of a company's assets. The apparently unlimited possibilities open up manifold prospects, including for future business models, but they also bring certain risks. Effective data protection management and cyber security are of central importance in a world of increasing digitisation and networking (keywords: “Smart Home” and “Internet of Things”). In the light of the importance of data for companies, it is surprising that the value of a company's data or data inventory is not yet explicitly reported in its annual financial statements or balance sheet.

Our offering in Germany

Your challenges

How can data be used strategically in line with the respective business model and in compliance with the statutory limits?

Where “raw data” can be collected, processed and transferred by companies to the relevant parties in order to influence decisions in real time, the value of such raw data is maximised. This can only be successful, however, if the relevant applicable statutory limits are complied with, since data collected unlawfully must be deleted and may no longer be used. In order to be able to even initiate these processes, however, companies must record and evaluate their data inventory, and in particular so-called “dark data”, in a sort of stocktaking process. Such inventory analyses frequently open up new possibilities for alternative business models, eg in the “FinTech” or “InsurTech” fields.

Do you offer sufficient protection for third-party data?

Handling the personal data of employees, business partners and clients, for instance, properly and in a legally compliant manner – especially in a cross-border context with different data protection levels in different jurisdictions – has therefore become more important than ever and requires a tailor-made approach and effective data protection strategies.

The legal framework in the field of data protection in particular is subject to constant change, usually to become more rigid, both at a national and international level, eg currently under the General Data Protection Regulation (GDPR).

Our expertise

The lawyers in Allen & Overy's Data Protection Group have specialised in data protection law for many years and support companies at every step in the course of initialising, inventory-taking, evaluating, action planning for and implementing projects involving data protection issues. In this context, our expertise is not limited to data protection law as such, but also includes legal support in connected areas such as telecommunications and telemedia law as well as information security. Our goal is to support companies right from the start within the scope they need and specify. Our approach focuses on individual alignment in response to internal requirements and processes and on the integration of existing relationships with other service providers.

Data protection law is not only determined by national requirements, however. As the German Data Protection Group forms an integral part of the firm's Global Data Protection Group, clients can rely on our international network of leading experts in the field of data protection law, especially when it comes to complex data protection projects.

We cooperate closely with experienced experts from other practice areas such as Employment & Benefits, Corporate/M&A and Intellectual Property as well as Banking/Finance.

Scope of services

Allen & Overy's data protection lawyers advise on all aspects of national and European data protection law. The team has long-standing experience in the following key areas of advice in particular:

  • Implementing and adjusting systems and processes to comply with amended statutory or regulatory requirements (eg General Data Protection Regulation, revised Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG-neu) or IT Security Act (IT-Sicherheitsgesetz))
  • Advising on the compliant handling of data, data management systems and IT tools
  • Data transfer and processing within corporate groups and cross-border data transfer (eg under EU standard contract clauses or binding corporate rules (BCRs))
  • Data security and cyber security
  • Data protection compliance
  • External investigations, including in an international context (eg US/UK discovery proceedings)
  • Internal investigations: analysis and evaluation of data in the case of legal breaches in the context of internal investigations
  • Data protection requirements in M&A transactions
  • Employee Data Protection
  • Data litigation (communication with supervisory authorities and litigation, both in court and regulatory)
  • Privacy notices and privacy policies
  • Appointment of data protection officers
  • Big data/data mining
  • Outsourcing via cloud computing and commissioned data processing
  • Data protection requirements and concepts related to “FinTech” and “InsurTech”
  • Data reputation (securing appropriate market perception through cooperation with Germany's leading communications consultancy)
  • Designing and implementing whistleblowing systems compliant with data protection law

In addition to traditional legal advice, we also offer our expertise in the context of presentations and seminars.

A few references

  • A major European energy supplier in connection with a due diligence in respect of data protection law conducted for the numerous general terms and conditions documents for various group companies regarding compliance with the BDSG and the GDPR in connection with the largest European outsourcing project in the field of utilities. Advising on the transfer of various data categories to third countries, including other European countries, taking into account specific new requirements, e.g. the German Act on Operating Meters and Data Communication (Messstellenbetriebsgesetz; MsbG), and evaluating all IT-relevant works agreements (interface with employment law).
  • A multinational pharmaceuticals group in connection with various projects related to data protection law.
  • An Asian bank in connection with a global investigation project by coordinating and planning the internal investigations for Germany and cross-border consultations. Assessing various options for transferring data to the USA, preparing numerous contracts (agreement for contract data processing pursuant to section 11 BDSG; data transfer agreement with service provider, standard contract clauses with contract data processor, intra-group agreement with nine parties as data processors and data controllers). Preparing a works agreement on e-mail screening and negotiations with the works council (interface with employment law).
  • TUI AG on data protection issues in connection with the sale of the Travelopia division, which involved coordinating the data protection law teams from six countries in total (including the USA, UK, France and Australia) with a view to performing the due diligence and negotiating/drafting the SPA with a digital business model.
  • One of the largest Asian internet companies in the world in respect of development cooperation with German industry partners in the field of mapping and navigation software for autonomous vehicles; the project is of strategic significance for all parties involved.
  • A world-leading US social media platform in the context of the proposed acquisition of a German video editing startup. The project focuses on complex issues regarding rights ownership for software (and other IP) following spin-off from a university. In addition, the technology implemented by way of the relevant software is protected by multiple patents as a computer-implemented invention.

News and insights

Publications: 03 April 2024

China passes provisions to relax the cross-border data transfer regime

China has passed provisions which relax the current cross-border data transfer mechanisms. This comes as welcome news to the international business community, especially those with the need to export…

Publications: 01 April 2024

Allen & Overy’s Anna Rudawski on the increased liability pressures impacting Chief Information Security Officers

Anna Rudawski, cybersecurity response partner at Allen & Overy, discussed how the recent SEC rulings and increased liability pressures are impacting Chief Information Security Officers (CISOs), with…

Blog Post: 10 January 2024

CJEU rules that a credit score constitutes automated decision making under the GDPR

On 7 December 2023, the Court of Justice of the European Union (CJEU) issued a landmark judgment on Article 22 of the General Data Protection Regulation (GDPR), focused on decision making based solely…

Blog Post: 13 September 2022

Germany – Schrems II: German court overturns presumption of international data transfer from EU-subsidiary to non-EU parent company

On 13 July 2022, the Public Procurement Chamber of the German state of Baden-Württemberg (the Public Procurement Chamber) issued a decision confirming that personal data processed by an EU subsidiary…

Digital maturity

Law is code. We speak both. Today, every company is a technology company. That includes us.

Fluent in tech, experts in law—Allen & Overy helps clients navigate the complex landscape of technology. Move beyond digital transformation to true digital maturity with a firm that’s backed by global experience and expertise.