Data protection in Germany

Baker McKenzie

Baker McKenzie remains a top player with its highly active IT and data protection practice. The diverse expertise of practice heads Michael Schmidl and Holger Lutz reflects the breadth of group's entire portfolio. A strong focus lies on regulated industries, including the financial, pharmaceutical, medical device and telecoms sectors, and highlight matters are often cross-border in their nature. The team is further expanding its data protection advice in connection with areas such as fintech and big data, the automotive sector and mobility. Contentious matters are increasingly part of the portfolio and the team is seeing more activity in the legal tech segment. Michaela Nebel, who provides data protection advice to multiple financial institutions, was promoted to partner in July 2018 and Julia Kaufmann  is also widely recognised. She has particular expertise in data protection in the pharmaceutical context.

Practice head(s):

Michel Schmidl; Holger Lutz

Other key lawyers:

Julia Kaufmann; Michaela Nebel


‘Very profound knowledge of European and US data protection law as evidenced by several seminars and practical cases.’

‘The firm’s offices in both Frankfurt and San Francisco are characterised by practice-oriented solutions and neat legal subsumption.’

The team are responsive, accurate and provide commercially minded advice. Given the nature of the area of a law, some firms have a tendency to be overly cautious and provide advice which – if implemented – would create significant issues in terms of cost and impact to the business.

‘The team always provided pragmatic solutions whilst navigating the challenges in the legislation. They recognised the challenges of companies that do not have unlimited budgets but want to comply with the law.

‘Michaela Nebel has excellent specialist knowledge. She is quick and solution-oriented.’

‘Both Holger Lutz and Michaela Nebel are very competent, precise, effective, practice-oriented and pleasant to work with.’


Work highlights

  • Advised a call centre and IT service provider on the implementation of the GDPR in Europe and the US
  • Provided comprehensive advice to a German bank on data protection law and issues surrounding the centralisation and digitalisation of its archive system in numerous jurisdictions.
  • Provided comprehensive advice to an Asian car manufacturer on data protection, telecoms and contract law and on telematic data services, particularly regarding global IT systems and the relationships with subsidiaries and car dealers.

Bird & Bird LLP

Bird & Bird's data protection competencies are the result of 20 years' experience in this segment. The firm advises DAX 30 and other market leading companies in the retail, healthcare, telecoms, automotive and media sectors on data protection with regard to the GDPR, international data transfers and the use of data. The broad practice is successfully expanding not only within Germany but also globally in strong collaboration with the firm's international offices. Recently the team saw particular growth in data protection advice in connection with new business models and hot topics such as IoT, digitalisation, the cloud and big/smart data. Noteworthy is also the firm's contribution to the development of the legal framework for data protection by participating in various industry associations and committees and government initiatives. Frankfurt-based Fabian Niemann, who is widely recognised as leading by competitors, heads the practice. Recently the Hamburg office in particular was strengthened with the arrival of Hartmut Hörner from Deloitte Legal Rechtsanwaltsgesellschaft mbH and the promotion of Miriam Ballhausen to counsel. Associate Simon Assion also enjoys a good reputation in the market and so does Lennart Schüßler with his comprehensive data protection knowledge.

Practice head(s):

Fabian Niemann

Other key lawyers:

Alexander Duisberg; Jörg-Alexander Paul; Lennart Schüßler; Simon Assion

Key clients






FLIR Systems

Henry Schein








tata Communications


Work highlights

  • Continued to provide advice to adidas on its GDPR compliance project, queries by data subjects, GDPR compliant contract design and international data transfers.
  • Advised EMnify GmbH on the drafting of contracts and data protection for an IoT platform.
  • Provided comprehensive advice to FLIR Systems, including the management and coordination of its GDPR compliance project and conflicts with European and US requirements.

Latham & Watkins LLP

Latham & Watkins LLP's comparatively small data protection team nevertheless constitutes one of the market leaders in this segment. Towards the end of 2018 the firm received significant attention due to its representation of the chat portal in the first fine proceedings due to GDPR breaches in Germany. The practice is now well-equipped for increased legal actions in form of data protection disputes and damage claim proceedings. Besides representing clients in litigation, including at the Federal Court of Justice, Federal Labour Court and Federal Constitutional Court, the firm's range of services also includes GDPR implementation in company structures and data protection advice in connection with M&A transactions as well as internal investigations and international pre-trial discovery procedures. Through the close collaboration with the firm's compliance practice the team was also able to strengthen its competencies in crisis management in the case of data protection scandals and cyber crime. Practice head Tim Wybitul, who joined from Hogan Lovells International LLP in October 2018, and Frankfurt and London-based Ulrich Wuermeling are both considered leading in the German market.

Practice head(s):

Tim Wybitul

Other key lawyers:

Ulrich Wuermeling; Joachim Grittmann

Key clients

CrossLend GmbH

Daimler AG

Deutsche Bank AG

Deutscher Dialogmarketing Verband e.V.

DZ Bank


Indeed, Inc.

IQVIA Commercial

Knuddels GmbH

Dr. Ing. h.c. F. Porsche AG

SCHUFA Holding

SHL Telemedizin

Toscafund Asset Management LLP


Work highlights

  • Represented Daimler as defendant in a trailblazing action at the Federal Labour Court  (BAG) regarding the right to access of employees according to the GDPR. This is the first publically known case in which a German court is deciding on the extent of the law on the right of access and the receipt of a copy according to article 15 of the GDPR.
  • Provided continued data protection advice to CrossLend in connection with its market-based lending platform.
  • Presented Facebook in proceedings at the Federal Cartel Office due to suspected abuse of a market-dominating position in connection with data protection and antitrust laws.


Noerr only established a data protection group in 2018, but the firm's expertise in this field rests on longstanding experience, not least thanks to the expertise of practice head Daniel Rücker. With a consistently growing portfolio the firm advises German and international companies from its offices in Munich, Berlin and Frankfurt on data protection compliance issues, the processing and use of data and the introduction of data protection management structures and governance processes. Clients stem from the automotive, fashion, IT and finance sectors, among others. The team works particularly closely with the firm's Digital Business Group and is strengthening its ties with the compliance and litigation practices. Associate Sebastian Dienst is highly active in data protection matters and already recognised in the market and Benjamin Jahn, who focuses on data protection in an employment law context, was promoted to partner at the start of 2019.

Practice head(s):

Daniel Rücker

Other key lawyers:

Joachim Schrey; Tobias Kugler; Pascal Schumacher


Very high capabilities in data protection and information technology-related matters paired with agile working methods.

Daniel Rücker:  excellent lawyer, who always keeps an eye on the overall perspective of the business, provides high quality legal advice and at the same time finds pragmatic solutions.

Sebastian Dienst: Excellent knowledge of the GDPR. Easily reachable, pragmatic and pleasant when working together.

Taylor Wessing

The bench strength of Taylor Wessing's consistently growing IT and data protection team enables the firm to act in a broad array of areas, including healthcare, life sciences, automotive and insurance. Multinational corporations, mid-sized companies but also start-ups seek the team's advice for ongoing support on topics such as cyber security, GDPR implementation and HR and employment related data protection. Axel Freiherr von dem Bussche heads the technology, media and telecoms practice, while Paul Voigt, who was promoted to equity partner in May 2019, is recommended by competitors and clients alike. The team was furthermore bolstered with five new hires at associate level. Sibylle Gierschmann, who handled numerous data protection projects, however, left the firm in July 2019 to set up her own unit Gierschmann Legal.

Practice head(s):

Axel Freiherr von dem Bussche

Other key lawyers:

Paul Voigt


‘Pragmatic, solution-oriented advice, to the point and practical in its implementation.’

‘Paul Voigt combines tremendous legal knowledge with an equally large economic understanding.’

Key clients

Berkley AG

Bertelsmann SE & Co KG


Crédit Agricole Assurances


Debeka Gruppe

DEKRA Arbeit GmbH



eBay Inc.

Ernst Russ AG

Fitch Ratings

Freudenberg IT GmbH & Co. KG


Grand City Properties


Hyundai Motor Europe GmbH


Roblox Corp

Sirtex Medical Europe GmbH

SoundCloud Ltd.

Springer Nature

Stepstone GmbH

Tenneco Inc.


Wargaming Group Limited

Work highlights

  • Provided comprehensive advice to Berliner Verkehrsbetriebe (BVG), the main public transport company of Berlin, on data protection law.
  • Advised Berkley in connection with its cyber security insurance.
  • Advised Crédit Agricole Assurances on specific questions regarding the implementation of the GDPR and different national requirements in the life and non-life segments.

White & Case LLP

White & Case LLP's data, privacy and cyber security group advises clients on all aspects of data protection, especially on German and European data protection law, cross-border data traffic and IT governance issues. A big focus of the practice also lies on advising online platforms, which the firm assists not only with data protection matters but also regulatory, competition law and product-based questions (such as acting for Facebook and Facebook-company WhatsApp since 2011). Key clients also include automotive, food and construction technology companies. Detlev Gabel, who is considered leading in the German market, heads the European practice. Martin Munz and Sylvia Lawrence, who was promoted to partner in 2018, are the key figures in the Munich and Berlin offices respectively. Lawrence has particular expertise in advising digital platforms, especially in the areas of social media, automotive, energy and cloud services.

Practice head(s):

Detlev Gabel

Other key lawyers:

Martin Munz; Sylvia Lawrence

Key clients

Daimler Financial Services AG


Work highlights

  • Provided data protection advice to Daimler Financial Services on the strategic investment in the used car platform heycar.
  • Advised Facebook on all data protection disputes outside of the US since 2011.


A large team and long list of prominent clients are securing CMS a place among the biggest players providing data protection advice in Germany. Besides giving ongoing GDPR advice, which focuses especially on the banking and life sciences sectors, the firm also offers a targetted information service in connection with the upcoming e-privacy regulation. The practice often covers matters beyond the domestic border and has also developed the data law navigator, a tool which informs clients about data protection and cybersecurity in various countries.

Other key lawyers:

Christian Runte; Michael Kamps; Florian Dietrich


‘The data protection/IT team is broad and, if necessary, able to incorporate other practice areas (such as employment law).’

‘Very engaged, precise, responsive, business-orientiered with a sharp eye for essentials.’

‘Florian Dietrich is an outstanding external advisor.’

‘CMS’ lawyers are always available and very quick. Everything is very professional and somebody is always at hand with the necessary legal knowledge for any given area.’

Key clients



Bayer AG


Ebay Group

Fossil Group Inc

Hewlett Packard Inc.

Panasonic Automotive Systems Europe GmbH

Dr. Ing. h. c. F. Porsche AG

Sharp Electronic

Wayfair Stores Limited

Work highlights

  • Provided continuous and comprehensive advice to Airbnb Ireland UC on e-commerce, distance sales, IT and data protection.
  • Provided continuous and comprehensive advice to eBay Marketplaces GmbH and several subsidiaries (such as, eBay Kleinanzeigen, brands4friends, StubHub, Shutl) on various areas of the law, including the representation in front of data protection authorities.
  • Advised Fossil Group comprehensively on the implementation of the GDPR (client and HR data).

DLA Piper

Clients and competitors alike recommend DLA Piper's data protection practice which shows particular strength in the automotive and finance area and has recently handled topics such as big data, AI and privacy-by-design projects. Other pillars of the practice lie in advising clients on compliance applications, employee data protection and cybersecurity. In collaboration with the firm's global data protection group the team often acts in international data protection projects. In 2019 the team grew significantly: In May Hamburg-based Verena Grentzenberg, who focuses especially on data protection advice in connection with new business models, was promoted to partner and at the same time senior associate Jan Spittka   made counsel in Cologne. Renowned university professor and data protection expert Jürgen Taeger already joined the firm in February 2019 as of counsel and in Munich the practice was further strengthened with counsel Katia Helbig from Baker McKenzie in September 2019.

Other key lawyers:

Jan Pohle; Jahn Geert Meents; Verena Grentzenberg


‘The team has a hands-on mentality and always searches for a pragmatic solution.’

Key clients


Reckitt Benckiser

Jones Day

Undine von Diemar heads Jones Day's cybersecurity, privacy and data protection practice at the German and the European level and recently focused not only on GDPR implementation projects but also topics such as the assertion of data protection law-related claims of the individuals affected (such as employees' information claims ) and data breaches (often cross-border). Advice in connection with internal investigations and with transactions constitute two other strategic pillars for the team, which often cooperates with the firm's US offices. Employment lawyer Paul Melot de Beauregard joined in May 2019 from McDermott Will & Emery Rechtsanwälte Steuerberater LLP and brought experience in data protection.

Practice head(s):

Undine von Diemar

Key clients




Cardinal Health

Cylance, Inc.

Kendaxa Holding GmbH


Work highlights

  • Provided continued advice to ICANN (Internet Corporation of Names and Numbers) in Germany and globally on data protection requirements, particularly those of the GDPR, and in negotations with data protection authorities, registrars and registries.
  • Advised SAP SE on data protection matters in connection with its aquisition of Qualtrics International Inc. for $8bn.
  • Advised the Landesbank Baden-Württemberg on data protection issues in connection with its pilot project on blockchain-based issues and  repayments of asset-backed commercial papers (ABCP).

Osborne Clarke

Osborne Clarke's data protection practice established a solid reputation in the German market in recent years through its advice on the design of international data flows, in connection with data protection audits and compliance projects. The well regarded Flemming Moos heads the team, but the other key figure Ulrich Baumgartner left for Allen & Overy LLP in November 2019.

Practice head(s):

Flemming Moos

SKW Schwarz Rechtsanwälte

SKW Schwarz Rechtsanwälte's broad data protection practice led by Matthias Orthwein, whose 'reliability and tact' are well regarded, is noted for the team's 'high expertise and practical explanations of legal issues'. Although the firm is known primarily as German entity, it did not miss out on the opportunity caused by the GDPR to participate in international business (especially in China and the US). Advice on data protection breaches, cybersecurity and data management continues to constitute the bulk of the work. The team also acts as data protection officer for companies and provides foreign clients with services as EU representative in accordance with the GDPR. At the start of 2019 Benjamin Spies was promoted to equity partner and Nikolaus Bertermann made salary partner.  Hans Markus Wulf, however, had already left for Heuking Kühn Lüer Wojtek in July 2018.

Practice head(s):

Matthias Orthwein

Other key lawyers:

Oliver Hornung


‘High skills and very good understanding of clients’ problems, as well as always practical solutions. Particularly in the data protection segment there are currently a lot of firms which deliver qualitatively low services. SKW, however, is highly recommendable.’

Key clients

Commerzbank AG

Autoliv B.V. & Co. KG

bayme – Bayerischer Unternehmensverband Metall und Elektro e.V.

CNA Hardy Versicherung

Markel SE

Deutscher Tierschutzbund

Diaotyutai Mansion Hospitality GmbH

DIEHL Stiftung & Co. KG

E.ON Energie Deutschland GmbH

IKEA Deutschland

Webasto SE


Robert Bosch Power Tools SE

Toll4Europe GmbH

Work highlights

  • Advised the internationally leading automotive supplier Autoliv B.V. & Co. KG as extended workbench for the chief data protection officer.
  • Advised CNA Hardy and Markel SE on the implementation of its cybersecurity policies.
  • Development and implementation of a concept for the deletion of data for Commerzbank AG.

CSW Rechtsanwälte Steuerberater Wirtschaftsprüfer

According to clients German IT boutique SSW Rechtsanwälte Steuerberater Wirtschaftsprüfer determines the 'benchmark in data protection'. From its office in Munich the team handles Germany-wide and cross-border matters. It has particular know-how regarding data protection-related contract, compliance and security issues and acts for companies across various industries (including insurers, pharmaceutical companies, fintech platforms and telecoms providers) and public entities. Practice head Isabell Conrad is considered an 'impressive and razor-sharp negotiator'.

Practice head(s):

Isabell Conrad

Other key lawyers:

Maria-Urania Dovas


‘Qualitatively excellent legal knowledge in the data protection segment, including regional legal particularities.’

‘Professional behaviour with solution-oriented approach.’

‘Maria-Urania Dovas: Very solid and broad knowledge in the entire segment. Regularly exceeded expectations of results.’


WilmerHale's data protection practice is particularly known for its longstanding advice for Facebook. The firm is representing the social media company in several proceedings, both at the German Federal Cartel Office and the ECJ. Besides its ancillary expertise in litigation and antitrust and its focus on the internet sector, the team is also highly active in the pharma industry and non-contentious matters, especially for international companies. The 'exceptional and well versed' Martin Braun, who is recognised as a leading figure by both clients and competitors alike, not only acts as practice head of the German and European data protection practice but also of the firm's international big data group together with Washington DC-based Reed Freeman.

Practice head(s):

Martin Braun

Other key lawyers:

Hans-Georg Kamann


‘Dr Martin Braun: excellent lawyer with outstanding know-how in data protection and exemplary service attitude.’

‘Advice is always pragmatic with a clear focus on feasibility and use for the business.’

‘Risks are demonstrated and considered in a realistic manner, but never exaggerated.’

Key clients

Reporters Committee for the Freedom of the Press

Work highlights

  • Vertretung von Facebook im Verfahren um sog. Fanpages vor dem Gerichtshof der Europäischen Union und dem deutschen Bundesverwaltungsgericht.
  • Laufende datenschutzrechtliche Beratung in allen datenschutzrelevanten Themenbereichen bei McDonald’s.
  • Represented the Reporters Committee for the Freedom of the Press in ECJ proceedings on the geographic scope of the right to be forgotten (C-507/17 and C-136/17).


BEITEN BURKHARDT's IT practice surrounding Axel von Walter and Andreas Lober has a focus in the gaming area and on IT contracts but also consistently demonstrates expertise in data protection matters. The team provides mid-sized and large companies not only with legal but also technical advice, such as via a data protection app developed by the firm which assists clients with GDPR compliance. The segments fintech and big data constitute particular areas of growth for the practice. After Tilmann Lührig  left for Lexton Rechtsanwälte in May 2018, the team was strengthened with Johannes Baumann and Laureen Lee from Bird & Bird and Baker McKenzie respectively. The former has particular expertise in data protection advice for banks and advertisement-specific data protection, and the latter is especially active in international data processing projects. Additionally, Gudrun Hausner and Susanne Klein were promoted to partner in 2018.

Practice head(s):

Axel von Walter; Andreas Lober

Other key lawyers:

Susanne Klein


‘The team is well integrated. Complex questions are solved quickly and competently.’

‘Comprehensive expertise. Uncomplicated and quick communication, also in terms of further queries.’

‘The colleagues know how to translate complex data protection requirements into practical suggestions for implementation.’

‘Axel v. Walter as lead partner gives entirely practical and legally sound advice.’

‘Paul Wilde, associate, works very reliably as secondee, has an extremely quick grasp of matters and offers pragmatic and legally solid solutions.’

Key clients


Bundesministerium für Verkehr und Infrastruktur

FCS Frankfurt Cargo Services GmbH

Groß & Partner


Landwirtschaftliche Rentenbank

MEC Holding GmbH (Messer Group)



E.M.P. Merchandising Handelsgesellschaft mbH

Work highlights

  • Advised the  Federal Ministry of Transport and Infrastructure on data protection issues in connection with the large project of establishing a national motorway company.
  • Provided comprehensive advice to Linde AG on data protection compliance, data protection contracts and international data transfer within the corporation.
  • Provided continued advice to FCS Frankfurt Cargo Services GmbH on the implementation of the GDPR.

Eversheds Sutherland

At Eversheds Sutherland the data protection practice covers compliance, data transfers (aided by the firm's high international spread) and data protection breaches. Thanks to the firm's large employment law group, the team is also able to successfully provide advice on matters at the intersection with collective employment law. Data protection-related issues are predominantly handled by practice head Alexander Niethammer and counsel Nils Müller, both based in Munich.

Practice head(s):

Alexander Niethammer

Other key lawyers:

Nils Müller 


‘Very responsive, helpful and practical.’

‘Nils Müller is an excellent practitioner.’

Key clients

Aspen Pharma


Coupa Software






Philip Morris

PPG Industries

Rohe & Schwarz

Special Olympics Deutschland

Turkish Airlines

Work highlights

  • Advised the South African pharmaceutical company Aspen Pharma, Africa’s largest pharmaceutical corporation, on group data protection.
  • Advised the international airline association IATA on cross-border data transfer.
  • Advised the US software provider Coupa Software Inc. on data protection nd cloud computing products in Germany.

Heuking Kühn Lüer Wojtek

After Heuking Kühn Lüer Wojtek over the last few years was able to gain data protection expertise with lateral hires such as practice head Thomas Jansen (2017) and Hans Markus Wulf (2018) from DLA Piper and SKW Schwarz Rechtsanwälte respectively, in 2019 the practice was ready to significantly expand its coverage. New clients – from domestic public entities to international companies – enabled the team's access to new types of projects, which, for instance, involved data transfer between governmental bodies and private actors as well as product advice and order processing agreements. The seven partner strong team that constitutes the firm's data protection task force sits within the larger IP, media and technology group.

Practice head(s):

Thomas Jansen; Philip Kempermann

Other key lawyers:

Hans Markus Wulf; Britta Hinzpeter


‘When working together with Heuking Kuhn’s data protection team profitability is always guaranteed. The lawyers deliver quick and practical results and are moreover very pleasant conversational and business partners.’

Key clients

Bezirkskliniken Mittelfranken

Bundesamt für Sicherheit in der Informationstechnologie (BSI)


Graphika Inc.

Heinrich Hugendubel GmbH & Co. KG

meetyoo conferencing GmbH

Messer Group GmbH

Netigate Deutschland GmbH


Rewe Digital

Santander Consumer Bank AG

Work highlights

  • Advised the German Federal Office for Information Security (BSI) in connection with the audit of the data protection limitations of the transfer of IT security-relevant information with 18 other governmental bodies and various private entities.
  • Provided data protection advice to an IT subsidiary of the EDEKA corporation in connection with the implementation of the GDPR in the company under consideration of groupwide aspects and the drafting of company agreements.
  • Provided comprehensive data protection advice to Graphika Inc., particularly product and solution-related advice in order to achieve a GDPR certification.

Hogan Lovells International LLP

After the renowned data protection expert Tim Wybitul left for Latham & Watkins LLP in 2018, Hogan Lovells International LLP's data protection practice also lost Nils Rauer and senior associate Ruth Maria Bousonville to Pinsent Masons Germany LLP at the start of 2019. The team is now led by Burkhardt Goebel, Morten Petersenn and Andreas Bothe, who are responsible for the larger IP group. The departures were also met with the partner promotions of Martin Pflüger in Munich and Christian Tinnefeld in Hamburg. The newly formed practice now focuses on advising the telecoms, pharma, medical products, automotive and consumer goods sectors on GDPR implementation projects, the use of personal data and the data protection compliant drafting of IT contracts. Noteworthy is also the Hogan Lovells Data Breach Assessor, the firm's internal legal tech tool, which assists the decision-making process in the case of data breaches.

Other key lawyers:

Marcus Schreibauer; Stefan Schuppert; Martin Pflüger; Christian Tinnefeld

Work highlights

  • Provided Daimler with IT, IP and data protection advice in connection with the establishment of a joint venture with BMW for the pooling of the global mobility services of both automotive corporations.
  • Advised a German automotive manufactuer in the context of the data protection assessment of the use of video recordings for the purpose of developing highly automated driving functions.
  • Provided data protection advice to a leading US investment bank in connection with the establishment and further development of a new website for the offer and distribution of structured products.

KNPZ Rechtsanwälte

Traditionally known for its engagement in IP topics KNPZ Rechtsanwälte's practice is gaining increasing visibility in the data protection segment. The firm owes its growing reputation in part to its representation of the transport company Üstra againt Lower Saxony's data protection officer. The case, which concerns video surveillance on public transport services, was handled by Kai-Uwe Plath and Jan-Michael Grages.

Other key lawyers:

Kai-Uwe Plath; Jan-Michael Grages

Luther Rechtsanwaltsgesellschaft mbH

Luther Rechtsanwaltsgesellschaft mbH provides tailored data protection advice for the mid-sized sector. Recently the team was particularly busy advising on the establishment of data protection management systems. Through the use of external providers the firm was able supply companies in the finance, telecoms, energy and consumer goods industries with digital solutions for the protection of privacy. Clients in the healthcare and retail sectors also generated data protection projects for the firm. Wulff-Axel Schmidt in Frankfurt heads the entire IP and IT practice, but Michael Rath and the team in Cologne handle the bulk of data protection matters. Silvia Bauer conducts data protection audits and acts as external data protection officer.

Practice head(s):

Wulff-Axel Schmidt

Other key lawyers:

Michael Rath; Silvia Bauer


‘Great legal knowledge, good bench strength and quick reaction times.’

‘Great expertise, efficient, solution-oriented.’

Key clients

arvato Systems / Bertelsmann




Bundesministerium für Verkehr und digitale Infrastruktur (BMVI)


Deutsche Postbank


Evonik Industries




Procter & Gamble



Work highlights

  • Provided data protection advice to Deutsche Telekom in a series of large strategic and international projects.
  • Provided EDEKA Minden-Hannover IT-Service GmbH with data protection advice regarding the drafting of a supplier and operating agreement for hardware and software with Pentland Firth Software GmbH for the establishment of the digital shopping cart Easy Shopper.
  • Advised E.ON SE on the implementation of the GDPR.

Pinsent Masons Germany LLP

Pinsent Masons Germany LLP's IT and data protection team is continuing to grow and was able to again expand its team in the course of the opening of its new Frankfurt office: Partner Nils Rauer and legal director Ruth Maria Bousonville joined from Hogan Lovells International LLP at the start of 2019 and strengthened the practice surrounding Stephan Appt, who remains based in Munich. The team predominantly covers data protection issues in the energy and automotive sector. For compliance matters the firm puts to use a tailor-made legal tech solution for data protection audits in the energy sector. Particularly advice on data protection breaches and cyber attacks are drivers of growth for the practice.

Practice head(s):

Stephan Appt

Other key lawyers:

Florian von Baum; Kirsten Wolgast; Nils Rause; Ruth Maria Bousonville

Key clients

Wirecard AG

Anbieter eines cloudbasierten Videoerstellungsdienstes

Premier Inn

Neovasc Tiara Inc.

Bundesverband der electronic cash – Netzbetreiber (BecN) e.V.

CarBlock Foundation Ltd

Do&Co Aktiengesellschaft

Evidensia Deutschland GmbH

Honda Motor Europe Limited


Mitsubishi Corporation (Through Secured By Design Ltd.)

Work highlights

  • Advised and represented a US client, a provider of cloud-based video creation services, in front of German regulatory authorities following a cyber attack in the US, which affected the data of users in Germany.
  • Advised a provider of a new operator model for radiology regarding the data protection conformity of the use of public and US cloud solutions.
  • Advised a digitalisation company on the development of new products for the digitalisation of the process insdustry.

Reed Smith

Over recent years Reed Smith was able to put together a team of 'proven experts' in technology, IT and data protection matters. The practice surrounds the prominent partners Andreas Splittgerber, Philipp Süss and Thomas Fischl. Start-ups make up a significant part of the client portfolio, including companies from outside the EU and internet platforms in areas such as mobility and banking. Advice on data protection breaches, GDPR projects and the drafting of contracts constitute the firm's daily business.

Key clients

53 Bank

Allianz Arena München Stadion GmbH


Cayman Islands Department of Tourism

FC Bayern München AG

FC Bayern München Basketball GmbH

FC Bayern München Digital & Media Lab AG & Co. KG

Matthews International Corporation

Sourcepoint Technologies, Inc.

Allen & Overy LLP

Allen & Overy LLP's data protection practice originated in the year 2015 within the context of the firm's employee protection and HR compliance practice but today covers a much broader spectrum of data protection advice. Besides handling regulatory data protection issues the team also advises on data protection due diligence and in connection with areas such as fintech, insurtech and digital transformation. Former key figure Tobias Neufeld left the firm in autumn 2018 and established in his own entity neufeld Recht at the start of 2019, but with the arrival of Ulrich Baumgartner from Osborne Clarke in August 2019 the practice subsequently managed to gain a renowned and experienced data protection expert. He collaborates closely with tech practice head Jens Matthes.

Other key lawyers:

Ulrich Baumgartner

Ashurst LLP

In accordance with the firm's general focus Ashurst LLP's data protection practice is shaped predominantly by transaction-related advice. Banks make up the majority of the client base which also includes other international companies. Andreas Mauroschat and his team concentrate in particular on issues such as data processing, GDPR implementation and international data transfers.

Practice head(s):

Andreas Mauroschat

Graf von Westphalen

Graf von Westphalen's SME-oriented data protection team is 'pragmatic and extremely competent' and 'combines legal know-how with commercial thinking'. Practice head Stephan Menzemer has 'deep market insights and special expertise' in digitalisation and data protection matters, which he and his team handle at the intersection of various areas such as public law, banking and finance, and healthcare. The firm also increasingly acts as external data protection officer.

Practice head(s):

Stephan Menzemer


‘Wide range of expertise, diverse approaches, good communication and ability to handle complex matters in such a way that solutions can be found.’

‘The successful and trustworthy work with this firm is characterised particularly by competency, speed and reliability.’

Key clients

3F Management GmbH

Asseco Solutions AG

Axivas Deutschland GmbH

Blue Mesa Health, Inc.

Celanese Europe B.V. /Celanese Services Germany GmbH

Cognizant Technology Solutions GmbH

danubius GmbH

dbb beamtenbund und tarifunion

Gemeinde Halstenbeck/Schleswig-Holstein

get energy GmbH

GEWOFAG Holding GmbH

H-Hotels AG

ÖRAG Rechtsschutz Versicherungs-Aktiengesellschaft

Scienta Omicron GmbH

Stiftung Kunstsammlung Nordrhein-Westfalen


Universitätsklinikum Düsseldorf AöR

VDMA Verband Deutscher Machinen und Anlagenbau e.V.

Work highlights

  • Provided comprehensive advice to Asseco Solutions AG (in Germany, Austria and Switzerland), the standard software manufacturer with more than 1500 company clients in Germany alone, on all IT and data protection matters.
  • Advised Blue Mesa Health, Inc. on various matters including the development, licensing and distribution of ChatBots, which enable Blue Mesa’s clients the automated request of client and health data.

Morrison & Foerster LLP

Lokke Moerel and Hanno Timner head the data protection practice at Morrison & Foerster LLP, which historically originated as reaction to the increased data protection-related requirements of the firm's traditional media clients. The firm continues to meet the needs of music platforms, video streaming providers and companies in the film industry, but today an increased number of clients in the e-commerce area and tourism sector as well as recruitment agencies and large US and Asian corporations also seek the firm's advice on GDPR compliance and cyber security. Additionally noteworthy is Moerel's development of binding corporate rules for cross-border data transfers within a group of companies, a concept which was incorporated into the GDPR.

Practice head(s):

Lokke Moerel; Hanno Timner

Key clients

American Academy Berlin GmbH

DocuSign, Inc., USA

Europäische Niederlassung einer globalen Payment-Service-Anbieters

Fyber N.V.



Twitch Interactive, Inc.

United Internet/1&1


Work highlights

  • Provided comprehensive advice to United Internet (1&1, WEB.DE, GMX) on data protection aspects of the marketing concepts and log-in alliance with ProSiebenSat.1 and RTL.
  • Provided continuous advice to an online music service on data protection, particularly regarding requests for information by users, dealing with data protection authorities and corporate restructuring.
  • Continously acted for one of largest global hotel chains in all matters of German, European and global data protection law.

Norton Rose Fulbright

At the end of 2018 Norton Rose Fulbright's IT and data protection team underwent some structural changes: The group now sits within the firm's global practice that covers IP and IT issues combined. In the data protection area the team focuses especially on GDPR and global data protection breaches. The firm's work in the insurance sector is particularly successful. The key figures of the German team are Christoph Ritzer in Frankfurt and Jamie Nowak in Munich, who is responsible for the technology and innovation segment.

Practice head(s):

Christoph Ritzer; Jamie Nowak


‘Quick and pragmatic suggested solutions and good availability.’

‘Reliable advice with customised proposed solutions.’

Key clients

Mitsubishi Electric Corporation (MELCO)

Mitsubishi Electric Europe (MEU)


AIG Europe Limited

Guy Carpenter


Work highlights

  • Advised AIG on an internationally coordinated service for the reaction to data breaches.
  • Provided Bayerische Motoren Werke AG with data protection advice in connection with the merger of the mobility services of BMW and Daimler in 18 countries.
  • Assisted the UK data protection teams with advice for Mitsubishi Electric Corporation (MELCO) and Mitsubishi Electric Europe (MEU) on various global projects for MELCO in connection with the export of personal data of multiple MELCO companies in EEA countries.

Orrick, Herrington & Sutcliffe LLP

Orrick, Herrington & Sutcliffe LLP's small data protection team surrounding key figure Christian Schröder entered the firm's newly founded global practice group Cyber, Privacy and Data Innovation in 2018. Consequently, with the 'unique' support of the firm's international offices, including London, Seattle and Washington D.C., clients benefit from the seamless coordination of their frequently international data protection matters. The practice focuses in particular on topics such as international data transfers, data protection compliance and whistle-blowing.

Practice head(s):

Christian Schröder


‘Outstanding combination of very solid legal knowledge and broad experience. Very high availability and quick solutions.’

Key clients

Flexera Software


Carnival Corporation


SIG Combibloc

W.W. Grainger/Zoro Tools

Work highlights

  • Advised Carnival Corporation, the largest cruise company worldwide, on global data protection matters.
  • Advised Flexera Software on global GDPR compliance and the takeover and integration of the Brainware group.
  • Advised W.W. Grainger / Zoro Tools on data protection issues, particularly regarding the GDPR.


Boutique SCHÜRMANN ROSENTHAL DREYER's 'comprehensive and highly qualified' advice focuses on the development and introduction of digital business models and associated data protection concerns. Traditionally the group provides advice on e-commerce projects, but increasingly it is also active in the pharma and healthcare sector, where profiling and loyalty systems cause questions surrounding the management of personal data. Kathrin Schürmann, who is considered 'experienced and well versed' in data protection matters, heads the practice together with Simone Rosenthal.

Practice head(s):

Kathrin Schürmann; Simone Rosenthal

Other key lawyers:

Philipp Müller-Peltzer

Key clients

Deutschland Card GmbH (Bertelsmann)

HD Plus GmbH

INTERSPORT Deutschland eG

Zalando SE

Westdeutsche Lotterie GmbH & Co. OHG

Takeda Pharma Vertrieb GmbH & Co. KG

sociomantic labs GmbH

remerge GmbH

Outfittery GmbH

Micromata GmbH

Work highlights

  • Advised Deutschland Card GmbH (Bertelsmann) on new legal text for participants of the customer loyalty programme and consent agreements.
  • Advised Westdeutsche Lotterie GmbH & Co. OHG on GDPR implementation.
  • Advised Takeda Pharma Vertrieb GmbH & Co. KG on the development of a digital healthcare solution.


Covington's IT group also demonstrates significant activity in data protection matters. The firm delivers 'efficient and practical' GDPR advice in connection with compliance and data protection breaches but also in litigation and international data protection challenges (in particular in the US and Chinese context). The team also often acts at the intersection with the life sciences area (in relation to the growth sector digital health) and employment law. Lars Lensdorf and the 'extremely skillful' Moritz Hüsch are the key contacts.

Other key lawyers:

Lars Lensdorf; Moritz Hüsch


‘Large network and great expertise in several areas of law including the technical aspects of data protection.’

‘Moritz Hüsch displays a focused approach and great competence.’

Key clients



DSK Hyp AG (früher SEB AG)



Work highlights

  • Data protection-related weak point analyses for multiple companies, including Merck, Shire, AstraZeneca and Eli Lilly, Microsoft, Viacom; the planning and implementation of corrective measures.
  • Advised DARZ GmbH (a high-security data centre) on several IT and data protection matters and the negotiation of partner contracts, distribution agreements and client contracts.
  • Advised Fiplan GmbH on a cooperation agreement with Hexaware regarding the provision and implementation of software at Dubai airport for the collection of flight data, flight-related passenger numbers and passenger details.

Greenberg Traurig Germany

Greenberg Traurig Germany's data protection practice can historically be traced back to the firm's data protection advice in the media sector. By now the client base is much more diverse and the firm has a dedicated Data, Privacy and Cybersecurity group, which is co-led by Viola Bensinger both at the domestic and global level. The team consequently not only advises large US and European media companies but also fitness, IT and real estate companies. Contentwise the advice focuses on GDPR, compliance issues and increasingly on fine proceedings and matters in connection with the planned e-privacy regulation. Noteworthy is furthermore the firm's activity in data protection issues specifically related to the car toll.

Practice head(s):

Viola Bensinger

Other key lawyers:

Carsten Kociok


‘Practical and quick advice at a perfect price.’

Key clients

Bundesministerium für Verkehr und digitale Infrastruktur

Western Digital

Caesars Entertainment

PayPal (Europe) S.à r.l. et Cie.


Athletes’ Performance (EXOS)


Foxxum GmbH

Our Crowd

ZoeTop (Shein)

Multi Corporation B.V.

Work highlights

  • Advised the Federal Ministry of Transport and Digital Infrastructure on data protection aspects in connection with the preparation and implementation of procurement procedures for the introduction of the collection system for infrastructure charges.
  • Advised the multinational operator of shopping centres Multi Corporation B.V.  on various data protection matters, particularly the organisation of business processes  in accordance with GDPR requirements.
  • Advised EXOS, a US fitness company, on the collection and use of health and other data  and international data transfer.


Oppenhoff & Partner's data protection practice, which is part of the firm's IT group, was able to grow significantly, also at a team level: In September 2018 Angela Busche joined from her previous in-house role at Thyssenkrupp and brought expertise in data protection challenges in connection with employee, client and patient data. Under Jürgen Hartung and Marc Hilber's lead the firm advises software, e-commerce and energy companies as well as insurers and banks on the GDPR, data protection audits and reviews and international data transfers.

Practice head(s):

Jürgen Hartung; Marc Hilber

Other key lawyers:

Angela Busche


‘The results of queries are well articulated.’

‘Marc Hilber is always approachable, client-oriented and solution-oriented.  Very strong negotiation skills.’

Key clients

Audemars Piguet

Deutsche Post AG

UNION Tank Eckstein GmbH & Co KG

Work highlights

  • Advised Audemars Piguet on GDPR implementation.
  • Advised Deutsche Post AG on the handover of its SIMSme business to Brabbler Secure Message and Data Exchange Aktiengesellschaft (a start-up).
  • Advised UNION Tank Eckstein GmbH & Co KG (UTA) on group data protection, including the drafting of a intra-group data processing framework argeement.