The Legal 500 > Europe, Middle East & Africa > Germany > Data protection

For many clients, Baker McKenzie is ‘better than comparable firms in terms of quality, availability, flexibility, speed and pragmatism’; the ‘solution-oriented’ data protection team is also noted for its ‘very broad overall understanding’ and the ‘reduction of responses to what is essential in a manner that is also clear for non-lawyers’. The practice has notable expertise in the regulated industries, such as the finance, pharmaceutical, medical technology and telecoms sectors, and often handles cross-border and multinational matters. The team has expertise in areas such as fintech and big data and another key focus is the automotive sector and mobility. In addition to advising several clients on GDPR-related issues, the firm is also assisting an automotive manufacturer with a Europe-wide concept for data protection agreements for connected car services. Other highlights include acting for a large international telecoms company in a matter regarding the German Federal Network Agency’s order for the advance deletion of data; assisting an asset management company with data protection matters relating to the introduction of procedures for the global processing of personal data; and advising a global market research and consulting company in the pharmaceutical and healthcare sector on the implementation of a pan-European big data project regarding the handling of health data. Holger Lutz provides ‘solid’ advice and Michael Schmidl, who is frequently recommended by peers and clients alike, has ‘extremely deep expertise’ and is ‘pragmatic, always available, very well organised and connected, highly motived and an excellent negotiator’. Julia Kaufmann is also noted.

Bird & Bird is considered ‘traditionally strong across Europe’ for data protection matters and has ‘a very good market position’; clients note the ‘short turnaround and quick and precise responses’ as well as the ‘practical orientation and solid industry expertise’ of the ‘very engaged’ team. The group is advising Adidas, Flir and Nordzucker on GDPR compliance projects, as well as handling GDPR compliance matters for InfoSys. The team also handles sophisticated, often international data protection projects beyond the GDPR, including in connection with AI, the automotive and financial services sectors and IT security. It regularly advises Dexcom on GDPR matters, as well as issues concerning the use of Dexcom diabetes and tissue sugar measurement solutions on the basis of wearables and cloud solutions. Other clients include Microsoft, for which it handles data protection and IoT, SAP matters regarding data protection issues concerning global cloud projects, DekaBank, which it advises on domestic and international data protection and Kempinski. Practice head Fabian Niemann is ‘an excellent lawyer, who is willing to take a position and defend his view vehemently’; Henriette Picot is ‘a very congenial, good lawyer’ and the ‘extremely clever’ associate Simon Assion is considered a rising star, who ‘we will hear a lot of in the future’. The opening of an office in San Francisco in September 2018 following Kai Westerwelle’s arrival from Taylor Wessing, has further expanded its international strength in data protection matters.

Hogan Lovells International LLP’s data protection advice often has an international dimension; the practice saw a particular rise in US-projects, but also covers data protection-related disputes and topics such as cybersecurity and the connected car. With regard to the implementation of the GDPR, the firm acts for prominent clients in various sectors, ranging from the automotive industry and field of mobility to life sciences, construction, diversified industrials and the technology, media and telecoms sectors, but also increasingly in the finance industry and the consumer goods and food sectors; Daiichi Sankyo Europe and Standard Industries are just two examples. Markus Schreibauer assisted a multitude of clients with data protection issues concerning M&A transactions, including assisting Daimler with the establishment of a joint ventures with BMW for the pooling of the global mobility services of the two automotive corporations. The ‘engaged’ team consists of ‘competent and outstanding advisers’: Stefan Schuppert is ‘very experienced’ and Martin Pflüger and Christian Tinnefeld were promoted to partner at the start of 2019. The highly regarded Tim Wybitul joined Latham & Watkins LLP in October 2018.

In addition to advising on numerous GDPR-related matters, Latham & Watkins LLP continues to focus on representing clients in data protection disputes, consumer protection agencies and data protection authorities. The firm is representing Facebook in abuse proceedings at the German Federal Cartel Office regarding the interaction between data protection regulations and antitrust law and also regularly advises Schufa on data protection compliance and litigation. The team also has expertise in crisis management in the context of data protection scandals and cybercrime; Ipswitch is a client in this space. The team acted for BayWa and clients from Asia and the US on GDPR implementation; it also advises on lobbying activities. Other work includes providing data protection advice to Iqvia (formerly IMS HEALTH) on information services in the healthcare sector, and handling data protection matters for DZ Bank and the German Dialog Marketing Association DDV. Ulrich Wuermeling is ‘quite simply one of the most foremost data protection experts’; he divides his time between London and Frankfurt. The group also welcomed the ‘virtually omnipresent’ and well-known Tim Wybitul from Hogan Lovells International LLP in October 2018; he is noted ‘particularly for his excellent work in employee data protection’.

‘Very good IT boutique’ SSW Schneider Schiffer Weihermüller ‘enjoys an excellent reputation’ for data protection advice, which ranges from GDPR projects to global data transfer concepts, cloud-related data protection and industry 4.0 platforms, especially regarding the transfer and deletion of data. The firm predominantly advises on international data protection matters, including assisting a US big data and cloud provider with anonymity concepts and contract data processing, and an international publicly listed pharmaceutical manufactuer with consent in line with the data protection regulations in the healthcare area as well as international traffic and data protection on the internet. The team also advises a leading international e-commerce provider on the establishment of a global production register according to the GDPR, on concepts for international data transfer within the corporation and on IT-security matters. In another highlight, it is representing an insurance company at court in the context of data protection-compliant rights to information. The firm also acts for municipal businesses and utilities and for German statutory health insurers, such as GKV. The ‘excellent’ and ‘very available’ Isabell Conrad is considered the ‘engine’ of the practice and provides ‘top advice’. Counsel Maria-Urania Dovas is also very active. Elke Bischof joined MAYBURG Rechtsanwaltsgesellschaft mbH as of counsel.

DLA Piper’s ‘excellent, large and international team’ advises on data protection matters ranging from strategic GDPR projects and GDPR compliance to the development of data protection risk indexes, employee data protection and matters regarding client data, cloud services and websites. It also represents clients in proceedings at the data protection authorities. Clients include large, international corporations in various industries, including the automotive, pharmaceutical, food and technology sectors, but also banks and insurance companies. Jan Pohle and Jan Geert Meents constitute the core team and counsel Verena Grentzenberg focuses in particular on data protection advice in connection with new business models. The team was strengthened by the arrival of university professor Jürgen Taeger as of counsel in February 2019.

Eversheds Sutherland has notable expertise handling cross-border projects – with a recent focus on GDPR implementation in large compliance projects – but also provides general advice on data protection management and international data transfer. The firm is assisting Aspen Pharma with GDPR implementation involving over 19 European locations and US thermal management company Modine with GDPR implementation in all of its European locations, including advice on its acquisition of the business group Luvata and the introduction of a data protection compliance system. In the context of transactions, the team also advised Nasdaq-listed US REIT CyrusOne on data protection and IT law aspects during its acquisition of Zenium’s data processing centre. Another focus is data protection advice concerning the design and development of digital products and business models as well as cybersecurity. Alexander Niethammer, who has particular industry expertise in the automotive sector, is assisting Autoliv with the data protection evaluation of offered products in the area of autonomous driving and with IT-security measures. The team is also advising Philip Morris on the implementation of the GDPR particularly with regard to employee data protection, which is another area of expertise; the group is handling a similar matter for new client Rohde & Schwarz. Lutz Schreiber continues to act for key client Microsoft. Nils Müller was promoted to counsel in May 2018.

Jones Day’s ‘very strong data protection team’ is considered ‘a good partner for multinational corporations due to the high number of offices and the quality of the practitioners’. With ‘excellent response times and extremely good industry expertise’, the group advises on cross-border compliance and data transfer projects, cybersecurity, data protection infringement in the context of internal investigations and in the area of eHealth as well as GDPR implementation. Clients also appreciate that the team ‘always offers good alternative solutions’. The team frequently provides data protection advice on transactions, including assisting Cardinal Health with the acquisition of Cordis from Johnson & Johnson and the acquisition of business units Patient Care, Deep Vein Thrombosis and Nutritional Insufficiency from Medtronic for $6.1bn; it also advises the same client on GDPR implementation. For Cylance, the team is handling data protection and contractual matters concerning the distribution of cloud-based AI IT security measures. Litigation is another strength and the team regularly represents Icann in negotiations with data protection authorities regarding data protection requirements and is handling injunction proceedings at the regional court of Bonn against Epag Domainservices concerning the issue of what personal data registrars such as Epag have to collect and save in the context of the award of internet domains according to the GDPR. Key figure Undine von Diemar is ‘really good’.

Luther Rechtsanwaltsgesellschaft mbH’s ‘absolutely professional advice’ on data protection is ‘reliable and trustworthy’ and of ‘a very high standard’. The firm provides ‘very good professional and also interdisciplinary teams’ and advises listed corporations, mid-sized companies and public authorities on IT compliance and IT security. The team advises clients including thyssenKrupp, Miele, E.ON, IKB, Klosterfrau and longstanding client Evonik on GDPR issues and implementation. For gematik (Gesellschaft für Telematikanwendungen der Gesundheitskarte), the team prepared an expert opinion on data protection responsibilities in the telematics infrastructure space in accordance with the GDPR and the new Federal Data Proection Act (BDSG). The firm also advised E.ON Business Services on SAP standard cloud services and the assessment of the data protection admissibility of the use of various tools. Other clients include InfoSys and Landesbetrieb IT.Niedersachsen. Peers and clients alike recommend Michael Rath, who has ‘excellent expertise and is very service oriented’; he is also an ISO/IEC 27001 certified lead auditor and therefore an expert in information security management systems. Silvia Bauer acts as external data protection officer for a multitude of companies.

For many clients Noerr is the ‘first contact’ for data protection advice and the ‘very active’ practice is ‘highly professional’ and handles GDPR projects, data protection compliance on individual issues and data protection matters pertaining to digitalisation projects, IoT and the automotive and eMobility sectors. In the last area, the firm is advising a multinational company on a project for the mobile recording of traffic in the context of the development of autonomous driving systems, and a new manufacturer of electric cars on the implementation of the GDPR, the processing and use of data pertaining to the car and on data exchange with service partners during maintenance services. The team is also assisting a large B2B platform with GDPR adjustments and cloud projects and handles particular data protection issues concerning the distribution of medicines required to be sold through pharmacies for a leading international online marketplace. In other work, the group is advising an online car rental platform operating across Europe on the establishment and introduction of the platform. The practice also frequently advises clients in the banking sector, such as an international banking group in the area of transport finance regarding GDPR implementation. Daniel Rücker in Munich heads the data protection group, which was newly formed in 2018. In Frankfurt, Joachim Schrey and Tobias Kugler are two key partners.

A recent focus for White & Case LLP is GDPR-related work and the firm advises prominent domestic and international companies on implementation projects, as well as providing advice at the intersection with data security and cyber security. It frequently handles matters with cross-border elements and the team has strengthened its cooperation with the firm’s US offices. International data transfers and internal investigations are other areas of focus. The firm provided data protection advice to Controlexpert, an innovative technology service provider for the insurance and automotive industries and a European InsurTech company, in the context of its strategic partnership with General Atlantic. It also submitted an amicus curiae letter for a non-profit association in US v. Microsoft regarding the US authorities’ access to data saved in Ireland. Detlev Gabel ‘does a great job’ and local partner Sylvia Lorenz is also particularly active.

KNPZ Rechtsanwälte focuses on data protection advice in the context of transactions, ongoing data protection matters, GDPR compliance projects and in particular the data protection-related assessment of business-critical issues. The firm is advising Otto on strategic questions about its business model concerning the GDRP and on the data protection aspects of M&A transactions. The team also provides regular data protection advice to Hanoverian public transport utility Üstra and is representing the client at the Federal Administrative Court in model proceedings pertaining to video surveillance in buses and trains. New mandates include a GDPR compliance project for a prominent automotive manufacturer and advice on GDPR issues and whistleblowing policies for a globally operating fashion and accessories corporation. The practice also expanded its work in the venture capital area, including acting for venture capital fund Project A on data protection matters, including in the context of M&A transactions and VC investments. Other clients include Ströer, Körber, Bauer Media Group and a prominent large bank. The well-regarded Kai-Uwe Plath is the key figure.

Norton Rose Fulbright’s data protection advice has ‘a high level of expertise, good knowledge of the economic underpinnings and a business sense’. The team focuses on international matters and cross-border advice. It handles large international GDPR projects in close collaboration with the firm’s offices in the US, London and Asia, advises on issues related to products based on the processing of data, and on data infringements, and has been notably active recently in cybersecurity matters. Jamie Nowak and Christoph Ritzer, who ‘does a good job’, are the names to note.

With ‘superior expertise in EU data protection’, Orrick, Herrington & Sutcliffe LLP provides ‘reliable, business-friendly and practical advice’. The ‘extremely knowledgeable’ team is ‘able to explain complex legal matters in an easily graspable manner, so both legal and economic decisions can be made’. The newly formed cyber, privacy and data innovation practice predominantly advises on international matters, often in connection with the GDPR, but also in the context of M&A transactions and data protection regulatory proceedings. The team also saw an increased workflow in advising clients on cyber attacks directed against service providers, regulatory authorities and affected parties. The ‘patient’ Christian Schröder is recommended for his ‘data protection expertise, quick comprehension and his business acumen’. He advised US software provider Flexera on data protection aspects in the context of its acquisition of the German-Swiss Brainware Group. Together with colleagues in the US and London, he is also providing comprehensive advice to globally operating technology company Nvidia – known for graphic cards, AI cloud services and autonomous driving – and is assisting cruise line Carnival with global data protection issues, internal company group agreements and (especially recently) GDPR questions. The firm also advises numerous US and German mid-sized start-ups on data protection matters.

With ‘expertise in a multitude of legal areas that is comparable to international firms’, SKW Schwarz Rechtsanwälte’s team provides ‘entrepreneurial and pragmatic advice’, including on data protection matters, and is noted for its ‘very structured and precise feasibility studies’ and its ‘efficient working method’. Clients include Schufa, SAP and Tinder. Practice head Matthias Orthwein is a data protection adviser for Giesecke & Devrient; he has a core focus in the area of new data models, in the context of the digital transformation of business models and on international projects. Oliver Hornung is assisting numerous large corporations with the implementation of the GDPR, including Commerzbank, Bosch Thermotechnik, Bosch Sicherheitstechnik and SGL Carbon. The team also has expertise advising on data transfer within European corporate structures and those from Europe to third countries as well as on the use of patient data and data protection issues in connection with the automotive industry. Johann Heyde, who was promoted to partner in January 2018, has ‘broad experience in all aspects of media, data protection and regulatory law as well as in the areas of IP, technology, telecoms and contract design’. The team was further bolstered by the promotion of Nikolaus Bertermann to partner in January 2019 and its ‘talented associates’ also stand out.

Within its TMT practice McDermott Will & Emery Rechtsanwälte Steuerberater LLP also increasingly covers data protection matters. Ralf Weisser notably advises on data protection in the context of outsourcing transactions and Wolfgang von Frentz coordinates the global data protection practice with expertise in litigation. He is assisting Professor Flöther with the sale of the Unister Group, including several online travel portals, is advising the client on the transfer of millions of customer data to various buyers and is defending the client at court regarding the controversial admissibility of this kind of customer data transfer. He is also handling data protection matters for Celanese Europe, including GDPR compliance, in connection with internal investigations and cross-border data traffic. A new client is GEA. Counsel Claus Färber is particularly active.

Pinsent Masons Germany LLP opened its first German office in 2012 and over the years has built a by now significant data protection practice. A focus lies on GDPR compliance: the firm advises various companies in the energy supply sector on implementation projects and, in cooperation with an energy supply association and a Düsseldorf-based Legal Tech start-up (smartvokat), has developed a tool for the execution of data protection audits according to the GDPR. Together with some of the firm’s other European offices, Stephan Appt assisted Do&Co, a catering company, with its GDPR implementation project. The firm is advising Wirecard on data protection issues in connection with the development and introduction of innovative payment methods. The practice also often covers data protection matters in the context of projects surrounding connected car and automonmous driving and in connection with cloud projects. Other expertise lies in public and social data protection law and employee data protection. Data protection expert Kirsten Wolgast was promoted to partner in May 2017.