Data Protection Law



In the course of outsourcing IT services, the service provider inevitably comes into contact with personal data of the customer or of the customer's staff. The same applies to most other forms of Business Process Outsourcing. Outsourcing therefore always needs to be accompanied by data protection measures. This is achieved through the legally required monitoring arrangements for data protection and through suitable periodic assessment of the security measures the provider has put in place.

We have extensive experience with a wide range of outsourcing arrangements, from small companies to large-scale operations. Among other things, this experience comes from advising on the outsourcing of the following services:

  • IT maintenance (including remote maintenance)
  • IT infrastructure (e.g. desktop operation, help desk)
  • ERP systems (e.g. SAP, ProAlpha)
  • e-commerce systems
  • Website operation
  • Print output
  • Marketing (e.g. letter shop)
  • Customer service (e.g. call centre)
  • Quality control and service inspection (e.g. mystery shopping)

Drawing on our own professional experience, we are also very familiar with more intricate problems such as the legally compliant use of international service providers and the proper structuring of multilevel contractual relationships. We are therefore happy to assist you with such issues in every possible way.

Data Protection in the Health Care System & Life Sciences

The handling of health data has to meet special data protection requirements. On the one hand, the Federal Data Protection Act (‘Bundesdatenschutzgesetz’, BDSG) lists health data among the sensitive data that are subject to stricter protection. On the other hand, there is a range of special legislation which, depending on the individual circumstances, takes precedence over the BDSG.

We have substantial experience in this area, gained from advising a variety of service providers and companies in the health sector (e.g. medical associations, chemists/pharmacies, pharmaceutical companies). Hence, we are familiar not only with the general data protection rules codified in the Federal Data Protection Act (‘Bundesdatenschutzgesetz’, BDSG) but also with the extensive special legislation on data protection, such as the data protection provisions contained in

  • the Code of Social Law (‘Sozialgesetzbuch’, SGB),
  • the Medicines Act / German Drug Law (‘Arzneimittelgesetz’, AMG),
  • the hospital codes (‘Landeskrankenhausgesetze’) of the German Federal States (‘Bundesländer’),
  • the Federal State legislation regarding chambers for health care professions,
  • the professional codes of conduct for doctors and chemists/pharmacists,
  • the Ordinance on the Operation of Pharmacies (‘Apothekenbetriebsordnung’, ABetrO),
  • the prescription regulations for narcotics (‘Betäubungsmittel-Verschreibungsverordnung’, BtMVV).

Therefore, we are happy to assist patients, doctor’s surgeries/practices, chemists/pharmacies, hospitals, manufacturers, producers and any other participants in the sector in all data protection and IT law related matters.

eHealth – Privacy-Compliant Tailoring of Services

Do you offer health data-related products or services? If so, we can help you design your offering so that it is data protection compliant yet practical. Thanks to the technical expertise of Claudia Bischof (studies in software engineering) and Dr. Bernhard Freund (Master of Computer Science, experienced programmer), we are able to get to the bottom of highly complex IT issues easily and efficiently. This ensures that we can assist you in developing solutions that are balanced both commercially and legally. We are happy to help you with eHealth solutions such as:

  • eHealth apps
  • Online services and websites in the eHealth sector
  • Remote maintenance of medical infrastructure
  • Wearables
  • Software for the processing of health-related data

Many sensitive processes can be made data protection compliant, e.g. by employing technical security measures, pseudonymisation or hashing, or by relying on third parties as data custodians. We also represent you (anonymously, if so requested) in consultations with the competent data protection authorities.

As an alternative to advising you during product development, we can act as an expert assessor on your behalf. If you wish to obtain the data protection quality mark from the Independent Centre for Data Protection for the Federal State of Schleswig-Holstein (‘Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein’, ULD), we will prepare the required expert report for you.

Data Protection in the Financial Sector

Banks and insurance companies are under a particularly high obligation when it comes to ensuring data protection and data security. The high sensitivity of bank account data and credit card information is already reflected in the mandatory notification provisions of section 42a BDSG (Federal Data Protection Act), which apply where such information has been obtained by third parties without proper authorisation.

Furthermore, every outsourcing activity in the financial sector requires compliance with the regulatory requirements specified by MaRisk (Minimum Requirements for Risk Management). It is therefore necessary to ensure, both contractually and technically, that a high level of data protection is guaranteed. In personal insurance, the protection of professional secrets plays a critical role in the outsourcing of IT services. In this regard, it is particularly important to avoid criminal liability under section 203 StGB (German Criminal Code), which penalises the violation of private secrets.

We have comprehensive experience in the field of data protection in the financial sector, gained from work covering e.g.: