Data Protection / Privacy Law and Compliance

Data protection and privacy have long since lost their image as a niche topic. Any company doing business in an IT environment must address data protection issues, particularly in these times of social media, Big Data and virtually unlimited technical possibilities.

We provide you with comprehensive, business-oriented advice on all questions relating to data protection and privacy law and IT security law.

  • If more than nine of your employees handle personal data, you must appoint a company data protection officer. We can assume this function for you; we have been acting as an external data protection officer for clients for many years. We are also happy to advise and support your in-house data protection officer in that function. This includes advice on drafting technical and organizational data protection concepts under Sec. 9 Federal Data Protection Act, drafting directories of procedures, and reviewing and pre-monitoring procedures and processes for compliance with data protection law.
  • We advise on how to operate your website in compliance with data protection law, including the use of marketing tools such as Facebook and Google remarketing, custom-audience programs, statistics and analysis tools, and the limits that apply when handling customer data. We draft and review your data protection declarations under Sec. 13 Telemedia Act and your data use consent forms. We also advise on the requirements under data protection law relating to app and software development and to remote maintenance services for client systems, for example within the scope of contract data processing. The use of service providers outside the E.U., particularly of cloud providers in the United States, poses special challenges under data protection law. In the age of Big Data there are applications and countless analysis functions that exceed the limits of what is lawful under data protection law. Even in these cases we will find pragmatic and legally sound approaches for you.
  • Internal business processes raise data protection issues of their own. We advise on the options for using and monitoring business e-mail and Internet access and on topics such as "bring your own device" (BYOD), always taking employment law aspects into account and, if so desired, in consultation and agreement with your works council.

Our advisers have many years of professional experience in handling data protection issues and are specialists in IT law who act as external data protection officers (some of whom have "TÜV" certification).

Particularly with a view to the EU General Data Protection Regulation (GDPR), which is to come into effect by 25.05.2018, we will prepare you in good time for the future requirements so that they can be integrated into the relevant business models and products before they apply.

The fields of compliance, particularly IT compliance, are of overriding importance to data protection law. They present particular challenges to the security of IT systems and business processes, but also to compliance with statutory and the increasing number of regulatory requirements. It would be too short-sighted to limit IT compliance merely to the handling of liability risks, such as those resulting from the violation of a joint stock company's duty to maintain a compliance system (cf. District Court of Munich, judgment of December 10, 2013, file no.: 5 HKO 1387/10). The users of complex IT systems have long since come to expect special compliance features such as non-editable archiving in storage systems (compatibility with GDPdU, GoBS, CompTIA CDIA+, etc.). From a legal standpoint, IT compliance is composed partly of general and partly of industry-specific statutory requirements (in the financial services sector, for instance), such as those in the Telecommunications Act (TKG), the Federal Data Protection Act (BDSG) and the Control and Transparency of Businesses Act (KonTraG); in the field of IT security, the most recent addition is the IT Security Act as it relates to critical infrastructures. In addition to these national regulations, there are European directives and regulatory requirements (e.g. Basel II and Basel III) and international provisions (e.g. the U.S. Sarbanes-Oxley Act, which also applies to European companies if they are listed on a stock exchange in the United States).

The specialists at TCI Rechtsanwälte for Data Protection / Privacy Law and Compliance are:

Carsten Gerlach

Attorney admitted to practice in Germany, certified specialist for information technology law

TCI Rechtsanwälte Berlin

Dr. Michael Karger

Attorney admitted to practice in Germany, certified specialist for information technology law, certified specialist for administrative law

TCI Rechtsanwälte München

Stephan Schmidt

Attorney admitted to practice in Germany, certified specialist for information technology law

TCI Rechtsanwälte Mainz

Markus Schmidt

Attorney admitted to practice in Germany

TCI Rechtsanwälte Berlin

Dr. Thomas Stögmüller, LL.M. (Berkeley)

Attorney admitted to practice in Germany, certified specialist for information technology law

TCI Rechtsanwälte München

Christian Welkenbach

Attorney admitted to practice in Germany, certified specialist for information technology law and intellectual property law

TCI Rechtsanwälte Mainz

  • Pragmatic solutions tailored to your company, using existing standards wherever possible.
  • On request, direct collaboration and communication with you, your technicians, developers and IT security officers, so that pragmatic technical and organizational data protection concepts can be drafted quickly.

  • Many years of experience as advisers on data protection law, including practical experience as external data protection officers
  • High level of IT and technical competence and thus:

    • ability to better judge the ramifications of technical processes on data protection
    • fast and uncomplicated communication with your technicians and developers
    • discovery of practical ways to solve legal problems

  • Act as external data protection officer
  • Advise on data protection law issues when new functions and processes are launched and implemented
  • Provide comprehensive advice on data protection law relating to online services
  • Advise on data protection law and competition law relating to informative and advertising measures (e.g. E-Mail newsletters, circular letters, telephone advertising)
  • Represent you at regulatory authorities
  • Advise on how to address claims to the disclosure of information and to objections by interested parties
  • Draft, review and negotiate agreements for contract data processing under Sec. 11 BDSG
  • Advise on in-house data protection, e.g. drafting of shop agreements on e-mail/Internet use at work and "bring your own device" (BYOD)
  • Provide training to employees
  • Advise on the co-determination rights of works councils relating to data protection
  • Advise on the use of E.U. standard contract clauses
  • Many years of experience as external data protection officers for clients that include companies in market research and opinion surveys, eCommerce/startups, software manufacturers, data processing centers and cloud computing service providers
  • Counsel to clients in data protection law litigation and in disputes with the regulatory authorities
  • Drafting of data protection law opinions for insurance companies and federal and state authorities and others