Data Protection

Who knows how much about whom – and what are they doing with this information? This question is becoming increasingly relevant in the digital age. Cloud applications, smart devices, big data, digital transformation or Industry 4.0 are not only making innovative business models possible. At the same time, these technologies raise new legal issues that frequently pose a particular challenge for Digital Business. Data protection is always key where data can be related to individuals. This includes not only personnel data, but also data on customers and suppliers or the specific implementation of business processes. As a matter that touches on several legal fields, data protection is an integral part of corporate reality. Even non-personal data is now classified as a central corporate asset and evaluated accordingly.


Our expertise in IT and Digital Business allows us to provide you with highly specialized advice in data protection law relating to specific topics such as Privacy and Virtual Reality, Artificial Intelligence and cryptocurrencies, redesigning and establishing digital business models and designing digital data-driven products in the fields of Big Data and Internet of Things.

Data protection is becoming increasingly important not only for new technologies, groundbreaking business ideas, and disruptive service offerings. Following the introduction of the GDPR in May 2018, the requirements for targeted analysis and needs-based design with practical experience for company-specific needs have also grown. Our law firm is extremely well prepared to meet these requirements. Since the introduction of the GDPR, our firm has comprehensively advised many larger companies and several international corporations. Our legal advisors are assisted by our firm’s experts in many associated fields of law, while offering highly specialized advice relating to data protection law. We comprehensively support the design of data protection measures, their practical organization, and their implementation in day-to-day business.

Our main advisory fields in data protection are:

Implementation of the General Data Protection Regulation (GDPR) in the company

  • Individualized gap analysis of data protection compliance in the company in accordance with the GDPR standard

  • Drafting tailor-made implementation proposals in the company, taking into account the risk-based approach of the GDPR and national accompanying legislation

  • Implementing a comprehensive data protection organization in the company and within the group

  • Drafting an internal corporate responsibility concept for the implementation of data protection obligations

Data protection organization in the company

  • Drafting and implementing simple or extended records of processing activity to meet the accountability requirements of the GDPR

  • Drafting and implementing a uniform risk model for company-wide understanding of data protection

  • Drafting a data breach notification plan

  • Crisis management for actual and alleged data protection violations

  • Identifying suitable technical and organizational measures to ensure compliance with the requirements of Article 32 GDPR

  • Individual implementation of the new requirements of the data protection impact assessment in accordance with Article 35 GDPR

  • Drafting design proposals to implement the new requirements of privacy by design and privacy by default

  • Advising on and supporting data protection audits

  • Advising internal data protection officers

  • Providing interim data protection officers or national representatives in accordance with Article 27 GDPR

  • Advising on setting up a group-wide data protection organization

Contract management

  • Drafting tailor-made model contracts for order processing from client and contractor perspectives

  • Drafting tailor-made framework agreements for implementing data protection requirements for the international movement of data, in particular for complex matrix structures

  • Reviewing and adapting third-party contracts and supporting contract negotiations

  • Drafting additional model documents for declarations of consent, NDAs and mandatory information

  • Guideline for the delimitation of order processing, joint controllership, and complex mixed structures

Dealing with the rights of data subjects

  • Drafting and implementing individual solutions for data protection-compliant implementation of the rights of data subjects in accordance with Article 12 et seqq. GDPR

  • Drafting individual erasure concepts in consideration of archiving and backup systems

  • Designing and implementing internal data protection guidelines, in particular on the handling of personal data by employees

  • Employee training adapted to the needs of the company’s specialist departments, such as HR, IT, Purchasing, Sales, Marketing, and Management

  • Designing and implementing monitoring measures

  • Model letters for responding to inquiries (erasure, information, etc.)

  • Providing a guideline on how to deal with inquiries from data subjects (e.g., identification)

International data protection

  • Reviewing and data protection-compliant design of data transfers in international data protection

  • Data protection-compliant design of intra-group international data transfers with drafting of corresponding framework agreements

Intra-group data protection

  • Designing and implementing contracts for intra-group data transfer, in particular in matrix organizations

  • Advising on group-wide centralizing or diversifying of IT services

Employment data protection

  • Adapting old company agreements to the requirements of the GDPR

  • Designing and implementing rules for the use of operational IT infrastructure and private IT in the operational context

  • Identifying the need for declarations of consent in the employee context and drafting corresponding models

  • Drafting and implementing rules for video surveillance and employee tracking

  • Drafting and implementing whistleblowing systems

Designing digital business models in compliance with data protection requirements

  • Reviewing and advising on legally compliant redesign and new establishment of digital business models

  • Reviewing and advising on the legally compliant design of digital data-driven products in the areas of Big Data and Internet of Things

  • Drafting corresponding IT model contracts

Data protection litigation

  • Out-of-court conciliation negotiations

  • Representation before state courts up to the CJEU

  • Defending against material and immaterial claims for damages

  • Defending against claim registration actions of consumers against debt collection companies and credit agencies

Supervisory authorities

  • Conflict management with data protection regulators to avoid and reduce regulatory actions

  • Support at every stage of administrative proceedings before data protection supervisory authorities

  • Legal representation before data protection supervisory authorities

At SKW Schwarz, you are in good hands: Members of our IT & Digital Business department are working on leading commentaries on the new EU General Data Protection Regulation and are also involved in data protection issues on the federal government’s Industry 4.0 platform. Our claim is not to be up to date. We want to be ahead of our time. And actively shape the future.