Data as a resource.

Our services

Data (Protection) Law

The Internet of Things, Big Data and the use of AI have turned data into an asset. The amount of digital data generated in an industrial or business context is growing exponentially, and legal challenges are increasing. This is because the hunger for digital data is growing not only among companies with data-based business models in the media, telecommunications or sports industries, but above all among companies in the healthcare, transport or finance sectors. The confidential handling, protection, integrity and security of data is therefore becoming increasingly relevant.

There is a great need for advice on the lawful handling of digitized personal data. Innovative digital technologies for data collection and data processing enable companies to improve their services and offerings, analyse customer interests and purchasing behaviour via personal profiles, or personalize advertising.

Any use of personal data is to be made in accordance with the requirements of data protection and information security. The legal framework is essentially provided by the General Data Protection Regulation (GDPR/DSGVO). In addition, the German Federal Data Protection Act (BDSG) and the Telecommunications Telemedia Data Protection Act (TTDSG) are particularly relevant. Progressive digitization and new challenges in international data exchange are also accompanied by constant changes in the legal framework. Legal certainty in the handling of personal data therefore requires special attention to ongoing legislative procedures and case law of the European Court of Justice (ECJ), whose decisions (e.g., in the case of “Schrems II”) can directly confront affected companies with major legal challenges.

Data protection law, on the other hand, has no relevance for the use of digital (mass) data that do not relate to individuals or do not allow such a reference to be made (such as pure measured data). Here, the legal discourse currently includes questions about the possible ownership of data, access to and exchange of data, or how a fair market order in the “data economy” can be legally guaranteed.


The GDPR requires companies to implement data security measures that are suitable for ensuring a level of protection appropriate to the risk of data processing for the rights and freedoms of the data subject. The state of the art must be considered appropriately.

Already in the run-up to applications that serve the processing of personal data, the aspects of data protection must be considered through technology design (privacy by design) or through data protection-friendly default settings (privacy by default). When procuring appropriate IT solutions, it must be checked whether they meet the requirements, such as anonymization, pseudonymization, possible restrictions on processing (e.g., blocking), deletion or certain documentation obligations. This is the only way to ensure the lawful organization of data protection in the company's processing procedures or in relation to existing service relationships.

However, the GDPR has not only redefined the requirements for the lawful and secure handling of personal data, but has also introduced new obligations, such as the right to data potability and, in some cases, more stringent requirements and, above all, severe sanctions for legal violations (fines of up to EUR 20 million or up to 4% of total annual turnover), which has significantly increased the pressure on companies to adapt their processes to the requirements.

In addition, Article 85 (1) and (2) of the GDPR stipulates that Member States must or may provide for specific derogations from the GDPR for journalistic, scientific, artistic and literary purposes in order to ensure freedom of expression and information. The handling of this opening clause on media privilege may, under certain circumstances, make it necessary for media companies to reassess the balance of interests between the protection of personal data and media freedom. The same applies, for example, to the handling of the Art Copyright Act (KUG) regarding the use or publication of photos or moving images.

At EU level, extensive legislative projects on data law were successfully completed. The Data Governance Act (DGA) entered into force on September 23, 2022, and took effect on September 24, 2023. It is intended to create a European data space and simplify the exchange of data between companies and private individuals, as well as the public sector. It aims to promote the availability of data through the reuse of public datasets, shared data usage by companies for a fee, and to enable individuals to use personal data with the help of data brokers. In this respect, it complements the 2019 Directive (EU) 2019/1024 (the so-called "Open Data Directive").

Besides, the "Digital Markets Act" (DMA) has also taken effect on May 02, 2023. It provides that so-called "gatekeepers" (companies acting from a strong economic position with a significant impact on the EU internal market) must make their platform available for the sale of goods and services by third parties on a non-discriminatory basis. Furthermore, outside of their platform, the gatekeepers are not allowed to advertise user without their consent.

From February 17, 2024, the Digital Services Act (DSA) will mostly also take effect. It aims to achieve a better protection concerning the safety of the consumer, such as their fundamental rights on the internet. Against the backdrop of this objective, a uniform legal framework for the liability of online platforms for unlawful content (e.g., sale of counterfeit products, hate and incitement) is intended to ensure greater transparency in the use of algorithms and online advertising.

The upcoming "Data Act," also organized as a regulation, clarifies who is allowed to create added value from data and under which conditions. It regulates the right of users to the access and use of their own user-generated data, the prohibition of inappropriate contractual clauses in standardized data license agreements, the right to data access and data usage through public bodies, as well as provisions to facilitate the change of cloud service providers and requirements for their interoperability. After the publication of the Data Act, companies will have 20 months to adapt to its new regulations until the coming into effect, i.e. until around mid-2025.

The approval of the ePrivacy regulation, on the other hand, is extremely uncertain. The draft regulation, which was first presented in January 2017, was planned to enter into force together with the GDPR on May 25, 2018. Due to extremely controversial debates among the stakeholders, in particulary regarding regulations concerning the handling of cookies, tracking or targeting of users and technical (meta) data, the last draft of the EU Council of Ministers has been put on hold since February 2021. The draft regulation is now considered outdated, being the reason there now is great doubt concerning the progress of the legislative process at EU level in general.

The extent to which online retailers, website operators and digital marketing companies will have to expect further intensifications remains unanswered. Nevertheless, the Telecommunications Telemedia Data Protection Act (TTDSG), which has been in force since December 1, 2021, applies to them. The Act transfers the sector-specific data protection rules from the Telecommunications Act (TKG) and the Telemedia Act (TMG) into a separate law and at the same time adapts the rules to the requirements of the GDPR. However, among other aspects, it also regulates the storage of and access to information in the end user's terminal equipment, which is generally only permitted with GDPR-compliant consent (keyword: cookies). With the TTDSG, the German legislator has anticipated some of the ePrivacy regulations and transposed supreme court rulings (e.g., on the digital estate) such as parts of the ePrivacy Directive (2002/58/EC).

Especially in data protection law, supreme court verdicts - particularly those of the ECJ - might have legal consequences and therefore require direct entrepreneurial action. The verdicts of the ECJ in the Planet49 and Schrems II cases show this exemplary:

In the Planet49 case, the ECJ fundamentally identified (in the judgment of 01.10.2019) that, within the European Union, the only form of valid approval to the processing of user data by means of cookies is through explicit consent, i.e. a declaration of consent that must be actively and specifically given by the user of the website. This judgement was the first, after the entry into force of the GDPR, to explicitly deal with consent in relation to cookies and tracking on websites and to reach an extensive impact on website-operators. Hence, its requirements must be observed in any case until another legal regulation is put in place.

In Schrems II, the ECJ had to deal with the transfer of personal data within third countries (primarily the USA). In principle, personal data can only be transferred if an adequate level of data protection is being guaranteed in the concerning third country. In Schrems II, the ECJ declared the Privacy Shield agreement between the EU and the USA, as well as its predecessor, the Safe Harbour agreement, invalid. Further, it also recorded that standard data protection clauses (SCC) can be used, but that the data exporter is obliged to verify on a case-by-case basis that adequate protection of the transferred data is guaranteed. Through this judgement, the ECJ forces third countries to obey the law concerning the protection of fundamental rights of EU citizens.

In response, the EU Commission published an adequacy decision on July 10, 2023, being the successor to the Privacy Shield agreement. Now personal data may be transferred to the US without special authorization. This requires the affected U.S. companies to register on the U.S. Department of Commerce website and to update their data protection conditions until October 10, 2023.

What we do for you

With our legal expertise and technical know-how, we advise you on all data protection and data security relevant processes in your company and thus provide you with legal protection.

We work out legal, technical and organizational parameters required for your company and any necessary adjustments with regard to the collection and processing of data. We also represent and negotiate the solutions identified in this way with the relevant data supervisory authorities.

In addition, we support your operational business in all legal issues and pitfalls relating to the establishment and development of data-based business models, the digitization of your processes (the introduction and use of cloud services, Big Data or AI technologies), customer relationship management, the establishment and support of compliance systems or effective notification and information systems for affected parties (customers). Our consulting services also include questions in connection with international data transfers, order processing, in particular the preparation of contracts or the fulfillment of mutual obligations under Art. 28 DSGVO.

Furthermore, we represent your interests vis-à-vis regulatory authorities, consumer and competition associations or in court.

FREY offers – also in cooperation with other experts – ongoing training and company seminars in the field of data protection and data security.

Who we work for

Our clients in the area of data protection on the right come from all industries. They include medium-sized and large companies from the ICT and media industry, the construction industry, personnel service providers, content aggregators, specialized portal providers or startups (such as app developers). We also advise local authorities on data protection issues.

Our focus

  • European data protection Law (GDPR)
  • National data protection law (BDSG)
  • ePrivacy regulations
  • Interstate Treaty on Media & Broadcasting
  • State media and state press laws
  • Telemedia Law
  • Telecommunications Law
  • Right to own picture