Data protection law

On 25 May 2018, the European General Data Protection Regulation (GDPR), concretised by the amended German Federal Data Protection Act (BDSG neu), came into force. One of the new features is that very high fines can be imposed for violations, which is why data protection is now clearly being taken more seriously.

Both Attorney Nourney and Attorney Knigge are certified data protection officers (datenschutz.com Akademie).

For the implementation of data protection laws in your business, we have designed an all-inclusive offer package for you.

Obligation to appoint a data protection officer

You have an obligation to appoint a data protection officer (DPO) if your company employs at least 10 people (employees, interns, free-lancers, etc.) who are constantly involved in the automated processing of personal data. This description is subject to interpretation, but in today’s working reality, it can be assumed that it is true for at least everyone in the company who uses a computer.

Even if you don’t meet the 10-person criteria, there are additional situations where you need to appoint a DPO. In particular, if you regularly process sensitive data, such as about health, sexual self-determination, or trade union membership, you need a DPO.

And of course, you are free to appoint a data protection officer independently of these obligations.

 Other obligations under the GDPR/BDSG Neu

Irrespective of the appointment of a data protection officer, most companies must provide the following:

  • Written commitment of employees to uphold the data protection law
  • Securing of technical and organisational measures for the protection of data (TOM)
  • Creation of an internal and external directory of processing activities (this regulates in particular which data you collect and where you store it)
  • Contract with an order data processor if you have data distributed by external companies
  • Data protection and transparency declaration on your website
  • Consent for data processing that is not permitted without express consent

 Cookies and tracking procedures

Very often we are consulted about the legal position of cookies and tracking procedures (e.g. Google AdWords, Facebook Pixel). The question arises as to whether an explicit declaration of consent will be required for this in the future or whether the practice hitherto followed in Germany is sufficient. This question has unfortunately not yet been answered. The new provision of Article 6 (1) (f) of the GDPR could be relevant, but is formulated very vaguely and, in the absence of case law, it is not yet clear whether it will allow the use of cookies without express consent. In addition, the European Parliament has adopted the so-called ePrivacy Regulation, which stipulates that cookies may not be used in future without an explicit declaration of consent. However, this regulation has not yet been adopted by the European Council, and it is currently not certain whether or with what amendments this will be done.

At the present time, we therefore believe that there are two options for those who want to use cookies and other tracking methods. Either this is only done with explicit consent – the safe way –  or one remains with the current German handling until either case law on the GDPR exists or the ePrivacy Regulation has been ratified. However, we must point out that other EU countries already have stricter regulations than those in Germany, so that under certain circumstances, depending on who the website is aimed at, a distinction would have to be made here.

Our services in data protection law

  • Provision of training materials for you and your employees

  • Determination of whether or not you need a data protection officer

  • Form for the declaration of commitment of your employees to uphold the data protection law

  • Examination of the technical and organizational measures (TOM) in your company and subsequent consultation on the need for optimization

  • Establishment of an internal and external register of data processing activities

  • Checking of the compliance of the contract for commissioned data processing, if you have data processed by external companies

  • Review and adjustment of the privacy policy on your website

  • Determination of whether or not you need explicit consent

We also offer you service as external data protection officer, where we will keep a constant eye on the legal situation and advise you on any changes.

Our services as external data protection officer

  • Designation as data protection officer to the relevant supervisory authority

  • Permanent contact person for you and your employees for questions concerning data protection

  • Constant monitoring and updating of data protection documents

  • Development of processes for data subject rights and reporting to supervisory authorities

  • Representation during inspections by the supervisory authority

  • Monitoring of data protection in your company at regular intervals in consultation with you to ensure compliance with data protection laws

Your lawyers for data protection law

David Nourney
David NourneyLL.M. Intellectual Property Law, Attorney at Law, Copyright and Media Law, Intellectual Property Law (admission suspended pursuant to section 47 (1) BRAO)
Ernst Henning Knigge
Ernst Henning KniggeLL.M. EUR., lawyer, banker, mediator, specialist lawyer for copyright and media law, certified data protection officer (datenschutz.com Akademie)

non-binding cost enquiry or appointment

contact us
contact us