Data and Data Protection
Is your data sufficiently protected? Are you exploiting the full potential of your data inventory?
Data is referred to as the “new oil of the 21st century” and can have the same disruptive and asset-building effect as the “black gold” of the last century. Today, efficient and cost-effective real-time data collection, processing and transfer inevitably constitute an integral part of a company's assets. The apparently unlimited possibilities open up manifold prospects, including for future business models, but they also bring certain risks. Effective data protection management and cyber security are of central importance in a world of increasing digitisation and networking (keywords: “Smart Home” and “Internet of Things”). In the light of the importance of data for companies, it is surprising that the value of a company's data or data inventory is not yet explicitly reported in its annual financial statements or balance sheet.
How can data be used strategically in line with the respective business model and in compliance with the statutory limits?
Where “raw data” can be collected, processed and transferred by companies to the relevant parties in order to influence decisions in real time, the value of such raw data is maximised. This can only be successful, however, if the relevant applicable statutory limits are complied with, since data collected unlawfully must be deleted and may no longer be used. In order to be able to even initiate these processes, however, companies must record and evaluate their data inventory, and in particular so-called “dark data”, in a sort of stocktaking process. Such inventory analyses frequently open up new possibilities for alternative business models, eg in the “FinTech” or “InsurTech” fields.
Do you offer sufficient protection for third-party data?
Handling the personal data of employees, business partners and clients, for instance, properly and in a legally compliant manner – especially in a cross-border context with different data protection levels in different jurisdictions – has therefore become more important than ever and requires a tailor-made approach and effective data protection strategies.
The legal framework in the field of data protection in particular is subject to constant change, usually becoming more rigid, at both national and international level, eg currently under the General Data Protection Regulation (GDPR).
The lawyers in Allen & Overy's Data Protection Group have specialised in data protection law for many years and support companies at every step in the course of initialising, inventory-taking, evaluating, action planning for and implementing projects involving data protection issues. In this context, our expertise is not limited to data protection law as such, but also includes legal support in connected areas such as telecommunications and telemedia law as well as information security. Our goal is to support companies right from the start within the scope they need and specify. Our approach focuses on individual alignment in response to internal requirements and processes and on the integration of existing relationships with other service providers.
Data protection law is not only determined by national requirements, however. As the German Data Protection Group forms an integral part of the firm's Global Data Protection Group, clients can rely on our international network of leading experts in the field of data protection law, especially when it comes to complex data protection projects.
We cooperate closely with experienced experts from other practice areas such as Employment & Benefits, Corporate/M&A and Intellectual Property as well as Banking/Finance.
Scope of services
Allen & Overy's data protection lawyers advise on all aspects of national and European data protection law. The team has long-standing experience in the following key areas of advice in particular:
- Implementing and adjusting systems and processes to comply with amended statutory or regulatory requirements (eg General Data Protection Regulation, revised Federal Data Protection Act (Bundesdatenschutzgesetz; BDSG-neu) or IT Security Act (IT-Sicherheitsgesetz))
- Advising on the compliant handling of data, data management systems and IT tools
- Data transfer and processing within corporate groups and cross-border data transfer (eg under EU standard contract clauses or binding corporate rules (BCRs))
- Data security and cyber security
- Data protection compliance
- External investigations, including in an international context (eg US/UK discovery proceedings)
- Internal investigations: analysis and evaluation of data in the case of legal breaches in the context of internal investigations
- Data protection requirements in M&A transactions
- Employee Data Protection
- Data litigation (communication with supervisory authorities and litigation, both in court and regulatory)
- Privacy notices and privacy policies
- Appointment of data protection officers
- Big data/data mining
- Outsourcing via cloud computing and commissioned data processing
- Data protection requirements and concepts related to “FinTech” and “InsurTech”
- Data reputation (securing appropriate market perception through cooperation with Germany's leading communications consultancy)
- Designing and implementing whistleblowing systems compliant with data protection law
In addition to traditional legal advice, we also offer our expertise in the context of presentations and seminars.
A few references
- A major European energy supplier in connection with a due diligence in respect of data protection law conducted for the numerous general terms and conditions documents for various group companies regarding compliance with the BDSG and the GDPR in connection with the largest European outsourcing project in the field of utilities. Advising on the transfer of various data categories to third countries, including other European countries, taking into account specific new requirements, e.g. the German Act on Operating Meters and Data Communication (Messstellenbetriebsgesetz; MsbG), and evaluating all IT-relevant works agreements (interface with employment law).
- A multinational pharmaceuticals group in connection with various projects related to data protection law.
- An Asian bank in connection with a global investigation project by coordinating and planning the internal investigations for Germany and cross-border consultations. Assessing various options for transferring data to the USA, preparing numerous contracts (agreement for contract data processing pursuant to section 11 BDSG; data transfer agreement with service provider, standard contract clauses with contract data processor, intra-group agreement with nine parties as data processors and data controllers). Preparing a works agreement on e-mail screening and negotiations with the works council (interface with employment law).
- TUI AG on data protection issues in connection with the sale of the Travelopia division, which involved coordinating the data protection law teams from six countries in total (including the USA, UK, France and Australia) with a view to performing the due diligence and negotiating/drafting the SPA with a digital business model.
- One of the largest Asian internet companies in the world in respect of development cooperation with German industry partners in the field of mapping and navigation software for autonomous vehicles; the project is of strategic significance for all parties involved.
- A world-leading US social media platform in the context of the proposed acquisition of a German video editing startup. The project focuses on complex issues regarding rights ownership for software (and other IP) following spin-off from a university. In addition, the technology implemented by way of the relevant software is protected by multiple patents as a computer-implemented invention.
News & insights
Publications: 30 MARCH 2020
The Covid-19 coronavirus is creating a need for organisations to process personal data, for a variety of specific purposes (including managing and protecting their workforce, customers and the public). Many of these processing activities are not part of “business as usual”, so established policies and protocols may not exist. Organisations face a challenge to ensure that this processing complies with data protection and privacy laws, particularly given the urgency behind some of these processing activities and other pressures, which means there is limited time available for consideration and consultation.
News: 27 MARCH 2020
Allen & Overy has advised One Peak on its investment in DataGuard, a leading European provider of privacy, compliance and IT security services.
Publications: 18 MARCH 2020
The Covid-19 coronavirus has had a significant impact on businesses across all sectors and we have received various requests for urgent advice from a Luxembourg perspective. We have decided to share a list of the main topics raised by our clients, so that it might help others to prepare. We will update this as the days and weeks go by – this is of course a rapidly evolving situation.
Publications: 16 MARCH 2020
In order to contain the Coronavirus, the German federal states as well as the German government have put strict measures into place. Schools and kindergartens have been closed as well as borders to most neighbouring states for private travel. In order to mitigate the economic consequences, the German government announced a comprehensive package of measures.
Recognised for its experience advising on compliance issues and data breaches. Often assists companies with the drafting of data protection policies and cross-border data transfers. Many of the firm's clients are involved in emergent technology.
Chambers Global 2017 (Data Protection)
The firm has a strong team.
Client, Chambers Europe 2016 (Data Protection)
Excellent service standards that meet all requirements.
Legal 500 2015 (Data Protection)
Jens Matthes is "a leader in his field".
Chambers Global 2015