Data Protection

PLANIT // LEGAL offers you comprehensive legal advice on data protection. Together we will find solutions for the establishment and further development of your data protection organisation and represent you in court and official supervisory proceedings. With complex content such as outsourcing and cloud computing, you are in just as good hands with us as with the challenges of the digital healthcare system.

Data Protection Law

Careful handling of personal data is an important factor in customer acquisition and customer loyalty. The neglection of data protection can have drastic consequences for your company. For example, high fines and – maybe even worse – damage to your reputation can occur if data breaches become public. Take privacy seriously. No matter whether your business is online driven or classically structured. PLANIT // LEGAL advises you comprehensively in all questions of data protection law as a legal advisor, in the function of an external data protection officer or by supporting your internal data protection officer.

Our consulting services include in particular:

  • Negotiation of data protection contracts
  • Preparation of company data protection documentation (processing overviews, technical-organisational security concepts, data protection guidelines, privacy policies, etc.)
  • Auditing of your company
  • Certification of IT products
  • Training of employees
  • Representation in audit, injunction and fine proceedings vis-à-vis data protection supervisory authorities
  • Reputation management in „data protection scandals“

References (selection)

  • Compliance projects for the implementation of requirements of the general data protection regulation
  • Privacy audits
  • Service provider audits
  • Introduction of cloud-based systems such as Office 365, Amazon Webservices or Salesforce
  • Examination of data protection requirements for app developments and preparation of the corresponding data protection documentation
  • Introduction of group-wide HR and payroll systems such as MyWorkday, ACCURAT HCM or Manus+
  • Introduction of Health Data Management Systems
  • Audit proceedings by supervisory authority concerning the use of video surveillance systems
  • Fine proceedings by supervisory authority concerning GPS tracking by a rental car company
  • Negotiation of company agreements on IT use and data protection
  • Deletion and archiving projects
  • CRM and marketing projects
  • Introduction of knowledge management and learning systems, such as Prozubi
  • Introduction of whistleblowing and incident management systems
  • Introduction of fraud detection and prevention systems, such as intelliQ

Outsourcing and Cloud Computing

When outsourcing IT services, engaged service providers have the option of accessing personal data in the IT systems of their clients. This can affect customer, employee or supplier data. This applies to the involvement of service providers in system and software maintenance, hosting, business process outsourcing, cloud computing, software as a service (SaaS) and many other outsourcing constellations. Outsourcing projects therefore push challenges under data protection law as well as IT law, which need to be analysed and taken into account so that your outsourcing project is a success and not a compliance risk.

We have comprehensive experience in all relevant outsourcing constellations for small and medium-sized enterprises (SMEs) as well as for large companies and corporate groups.

Our range of consulting services for outsourcing and cloud computing projects includes in particular:

  • IT Maintenance (also remote maintenance)
  • IT Infrastructure (e.g. desktop operation, help desk)
  • ERP Systems (e.g. SAP, ProAlpha)
  • E-Commerce Systems
  • Website Operation
  • Print Output
  • Marketing (e.g. letter shop)
  • Customer Service (e.g. call center)
  • Quality and Service Control (e.g. Mystery Shopping)
  • Introduction of cloud-based systems such as Office 365, Amazon Webservices or Salesforce
  • Negotiation of Data Processing Agreements, Joint Controllership Agreements and other Agreements concerning data protection

We are also very familiar with more complex issues such as the legally compliant engagement of international service providers and the correct structuring of multi-stage contractual relationships due to our practical experience. We would be glad to support you in any such matter.


Services and business models related to health data always pose great challenges for data protection, since the data concerned, as so-called special categories of personal data, are subject to very strict legal protection in accordance with Sec. 3 (9) of the German Federal Data Protection Act (BDSG). The general data protection regulation does not reduce these high requirements. We have experience in advising numerous service providers and companies in the healthcare sector (e.g. medical associations, pharmacies, pharmaceutical companies) and are therefore well acquainted not only with the general health data protection according to the BDSG, but also with the numerous special data protection regulations. These include the data protection rules in

  • the Social Code,
  • the Medicines Act,
  • the state hospital laws,
  • the Healing Profession Chamber Acts,
  • the professional codes of conduct of doctors and pharmacists,
  • of the Pharmacy Regulations,
  • of the narcotics prescription ordinance.

In addition, we support you in the data protection-compliant and practice-oriented design of offers in the area of eHealth. With our technical know-how, we can easily and efficiently comprehend even complex IT issues and optimally support you in developing efficient, innovative and legally compliant eHealth offerings. Our consulting services in the field of eHealth include in particular:

  • E-Health apps
  • Online services and websites in the e-health sector
  • Remote maintenance of medical infrastructure
  • Wearables
  • Health data processing software
  • Implementation of Health Data Management Systems
  • In addition to legal advice on product design and project implementation, we also act as experts for you. If, for example, you wish to acquire the ULD’s privacy seal of approval in order to gain a competitive advantage, we will prepare the necessary expert opinion for your IT product.

Representation in Official Supervisory Proceedings

In Germany, data protection law is enforced by the 16 data protection supervisory authorities of the federal states and by the Federal Commissioner for Data Protection. These supervisory authorities have extensive possibilities to monitor and enforce compliance with data protection law by Controllers and to sanction violations. Powers of the supervisory authorities include the right to demand information about the processing of personal data, to order changes to procedures concerning the processing of personal data or their omission and to enforce them by means of administrative compulsion and the possibility of imposing substantial fines. Under the general data protection regulation, fines of up to € 20 million per data protection violation or 4% of the worldwide Group turnover may be imposed.

In addition to the direct financial risks, there is also a threat of reputational damage if data breaches or the imposition of fines become public. In communication with the supervisory authorities, professionalism is therefore required in order to avoid escalation and sanctions against your company and to keep damage to a minimum.

PLANIT // LEGAL lawyers know the practice of the supervisory authorities from their work as lecturers or trainees at supervisory authorities as well as from numerous proceedings in their daily legal work. Our advisory services in representation in connection with official supervisory proceedings include in particular:

  • Representation in audit, injunction and fine proceedings vis-à-vis data protection supervisory authorities
  • Reputation management in case of „data protection scandals“
  • Audit procedures by supervisory authorities, e.g. concerning the use of video surveillance systems
  • Fine proceedings by supervisory authorities, e.g. due to GPS tracking

Employee Data Protection

The protection of employees’ personal data is in the interest of every company and confronts them with major challenges. In the course of an often longterm employment relationship, the employer inevitably collects a large amount of personal data about his employees. Some of this data is collected directly in connection with personnel administration in the HR department and is then processed in manually maintained personnel files or electronically in personnel administration systems. These data contain sensitive information, such as illnesses or pregnancy of employees, and therefore require special protection.

In addition, the increasing automation of production and business processes generates a large amount of data about employees in many of the employer’s other IT systems. If this data is combined, far-reaching conclusions can be drawn about production and business processes, but also about the employees involved. Here it is necessary to find an appropriate balance between the employer’s interests in the evaluation and use of internal company data on the one hand and the employees’ right to informational self-determination on the other.

Our consulting services in the area of employee data protection include in particular consulting and representation in the following areas:

  • Implementation of HR and payroll systems, such as MyWorkday, ACCURAT HCM or Manus+
  • Operational integration management
  • Fraud prevention and fraud detection systems
  • Privacy and IT use policies and instructions
  • Deletion concepts for personnel files
  • Implementation of knowledge management and learning systems, such as Prozubi
  • Implementation of whistleblowing and incident management systems
  • Implementation of fraud detection and prevention systems, such as intelliQ

Data Protection and Co-Determination

The works council has extensive co-determination rights in the implementation and use of IT systems. In addition, it has the competence to monitor compliance with employee data protection in form of the employee protection law. In addition to the data protection officer, the works council therefore plays an important role in the internal data protection organisation.
In practice, this means information by the employer and involvement in data protection measures and their design within the framework of co-determination.

Our consulting services in the area of data protection and co-determination include in particular:

  • Preparation and negotiation of company agreements concerning the implementation of IT systems, video surveillance and other data protection-related issues
  • Negotiation of company agreements concerning IT use and data protection
  • Representation in conciliation committee proceedings concerning IT and data protection law relevant issues
  • Advising employers and works councils on the permissibility of IT systems under data protection law
  • Negotiation and mediation in co-determination disputes regarding data protection and IT law conflicts

Multimedia and Mobile Marketing

In addition to classic offline marketing, new online marketing channels are rapidly gaining relevance for sales promotion in both the B2C and B2B sectors. Numerous new marketing tools offer seemingly unlimited possibilities to address and communicate with customers instead of simply “sprinkling” them with classic advertising.

To ensure that these new possibilities do not become a compliance risk, you should consider data protection and competition law requirements for your marketing strategy and include appropriate expert advice.

Our consulting services in the area of multimedia and mobile marketing include in particular:

  • Examination and evaluation of the data protection compliance of new marketing tools and strategies
  • Examination of data protection requirements for app developments
  • Preparation of privacy documentation for apps and other marketing tools
  • Design of the integration of tracking technologies
  • Review and legally compliant design of web presences and social media presences
  • Design of the integration of social media plugins
  • CRM and Marketing Projects

Insurance Sector

The insurance sector is characterised by strict regulatory requirements and special confidentiality obligations (insurance secrecy). Much of the information that insurance companies receive about their policyholders can be characterized as special categories of personal data. Its processing is subject to increased justification requirements. Data protection in the insurance industry is therefore of great importance.

Our consulting services on data protection in the insurance industry include in particular:

  • Justification concepts for business outsourcing projects
  • Design of online distribution channels
  • Design of privacy policies and information

Financial Sector

Banks are more than others obliged to guarantee data protection and data security. The extraordinary sensitivity of data within the scope of bank or credit card accounts is proven by its explicit reference in the German Federal Data Protection Act (BDSG) and the general data protection regulation.

In addition, MaRisk sets up notable supervisory regulations concerning any outsourcing in the financial sector. Therefore, a particularly high level of data protection must be ensured contractually and technically. In personal insurance, secrecy protection also plays an important role when IT services are outsourced; here it is important to avoid criminal liability under Sec. 203 of the German Penal Code (StGB), which regulates the violation of private secrets.

We are familiar with the special requirements of payment applications. Inter alia, we have been involved in advising on data protection law regarding the design of software for processing credit card data. We would also be glad to help you with questions regarding PCI-DSS, the IT security standard of the credit card industry, and advise you on the corresponding certification process.

Our range of advice on data protection in the financial sector includes in particular:

  • Justification concepts concerning outsourcing business processes
  • Design of data protection information and policies for online banking
  • Rating, scoring and credit agency law
  • payment applications