Data Protection

What is data protection?

Data protection is the legal and organisational framework used to ensure that personal data is collected, used, stored, shared and deleted in a lawful, secure and transparent manner. In the European Union, the main legal basis is Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR). Under Article 4(1) GDPR, personal data means any information relating to an identified or identifiable natural person. Data protection therefore concerns information that can directly or indirectly point to a specific individual, such as a name, identification number, location data, online identifier or one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity.

In practice, data protection is not limited to privacy notices or internal policies. It covers the full lifecycle of personal data within an organisation. This includes determining the legal basis for processing, defining the purpose and scope of data use, implementing security measures, managing access, responding to data subject requests, retaining data only for as long as necessary and reporting personal data breaches where required. The GDPR sets out key principles in Article 5, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Data protection also requires businesses and institutions to demonstrate compliance, not only to declare it. Depending on the type of processing, this may involve records of processing activities, data processing agreements, transfer mechanisms for international data transfers, data protection impact assessments and procedures for handling incidents. In some cases, organisations must appoint a data protection officer under Article 37 GDPR. The exact obligations depend on the nature, scope, context and purposes of processing, the categories of data involved and the risks to the rights and freedoms of individuals.

What does data protection involve?

Data protection applies across many operational areas. It is relevant wherever personal data is processed, whether in employment, marketing, customer service, IT systems, sales, compliance, whistleblowing procedures or cooperation with external service providers. For employers, this includes recruitment data, employee files, monitoring practices and HR systems. For commercial entities, it often concerns customer databases, newsletter distribution, CRM platforms, cookies, complaint handling, loyalty programmes and outsourcing arrangements.

It also plays an important role in higher-risk activities. These may include processing special categories of data, large-scale monitoring, profiling, background checks, use of AI tools, cross-border data transfers or implementation of new technologies that affect individual rights. In such situations, a business may need to carry out a data protection impact assessment under Article 35 GDPR, consult with specialised counsel and verify whether the planned processing model is proportionate and properly documented.

One of the central elements of data protection is allocating responsibilities correctly. The law distinguishes between a controller, which determines the purposes and means of processing (Article 4(7) GDPR), and a processor, which processes data on behalf of the controller (Article 4(8) GDPR). This distinction has practical consequences for contracts, accountability, security standards and liability. Disputes or compliance failures often arise from incorrect role allocation, missing contractual clauses, unclear instructions or a lack of internal governance.

When is it worth seeking legal support on data protection?

Legal support is useful both when launching a new process and when reviewing existing operations. Private individuals may need advice where their personal data has been disclosed unlawfully, used without a valid legal basis, retained too long or processed in a way that interferes with their rights. Businesses may need assistance when creating privacy documentation, assessing marketing practices, negotiating data processing agreements, handling employee data, preparing breach notifications or answering requests for access, erasure or restriction of processing.

Support is particularly important where a company works with multiple vendors, uses cloud infrastructure, operates internationally or processes large amounts of customer or employee data. It is also advisable before implementing surveillance tools, whistleblowing channels, analytics solutions or AI-based systems. In these cases, the legal issue is rarely limited to one clause or one consent form. It usually concerns the overall architecture of compliance, security and accountability.

A prompt consultation can help identify flawed assumptions at an early stage. This may reduce the risk of administrative penalties, civil claims, contractual disputes, regulatory intervention or reputational damage. Under Article 83 GDPR, administrative fines for the most serious infringements can reach up to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of up to EUR 10 million or 2% of turnover applies to other infringements. In addition, under Article 82 GDPR, a person who has suffered material or non-material damage due to an infringement has the right to receive compensation. Early legal review may therefore prevent both compliance failures and measurable financial loss.

In some areas, legal interpretation is still evolving. This is visible, for example, in questions around the use of legitimate interests, the validity of consent in employment settings, the qualification of certain online identifiers as personal data or the lawful design of international data transfers after major court decisions such as Schrems II. Because regulatory guidance, case law and supervisory practice develop over time, data protection should be reviewed as an ongoing legal function rather than a one-time formality.

Law firm support in the field of data protection may include in particular:

  • audits of GDPR compliance and data processing practices,
  • preparation and review of privacy notices, internal policies and retention rules,
  • drafting and negotiation of data processing agreements and data sharing arrangements,
  • advice on employee data, recruitment processes and workplace monitoring,
  • support with personal data breaches and communication with the supervisory authority,
  • handling data subject requests and disputes concerning personal data,
  • assistance with data protection impact assessments and risk analysis,
  • advice on cross-border data transfers and cooperation with external vendors.

Need legal support on data protection? Contact us.

See also

  • Consumer Rights
  • Employment Contract
  • Financial Reporting
  • Commercial Law