Data protection attorney

Data Protection

Data protection consultancy to get your projects off the ground.

We create data protection solutions that mitigate risk and enable digital freedom, ensuring that projects ranging from AI to marketing are not slowed down.

Arrange an initial consultation

Challenges

Common pitfalls in data protection

  1. Integrate data protection with the Data Act & the AI Act
    Consistently design roles, legal bases and evidence – without contradictions or duplication of work.
  2. Meet industry-specific requirements
    Neatly integrate special requirements into data protection management for finance, healthcare, KRITIS & the public sector.
  3. Manage complex system landscapes
    Map processor chains (DPAs and sub-processors), joint controllership, cloud/SaaS & international transfers (SCCs/TIAs) in an audit-proof manner.
  4. Handle interactions with authorities & procedures correctly
    Respond to enquiries in a structured manner, maintain consistent documentation and reliably meet deadlines.
  5. Harmonise documentation
    Integrate ROPA, data subject rights, the deletion concept, DPIA, TOM and incident response in such a way that you pass audits and inspections.

Relevance

Who we help and why

We assist data protection officers and in-house lawyers with the inventory, evaluation and legal classification of their data processing in a pragmatic, comprehensive and verifiable manner.

Internal data protection officer

We are happy to provide support when matters become more complex

Internal data protection officer

We need a sparring partner to support us with our specific requirements

In-house lawyers

We can show you how to identify and exploit synergies.

In-house lawyers

We need to bring the GDPR, Data Act and AI Act together efficiently.

Medium-sized companies

We step in. We ensure that the rollout goes smoothly.

Medium-sized companies

We want to introduce innovative technologies without being held back by data protection regulations.

Companies in the healthcare sector

We also provide support in highly regulated areas.

Companies in the healthcare sector

We need processes that comply with data protection regulations for the use of sensitive data.

How we advise you

Clarity instead of risk: systematic data protection

Our data protection consulting services:

  1. Industry-specific data protection (energy, health, e-commerce, mobility and finance)
  2. Data protection for AI, big data, the Internet of Things (IoT), scoring and blockchain/smart contracts
  3. Data protection-compliant use of marketing data
  4. Data protection in IT projects, from outsourcing to contract drafting
  5. Cross-border data protection and data transfers to third countries
  6. The interface between data protection and IT security (Art. 32 GDPR, TOMs, incident response)
  7. Correspondence with authorities and support in fine proceedings
  8. General data protection: setting up a DPMS, creating a DPIA and a ROPA

Your result

Clear measures, secure contracts, tangible solutions

You know what your obligations are

We clarify the scope of application and responsibilities, deriving your obligations in a comprehensible manner

You know what measures are necessary

We prioritise requirements and translate them into concrete steps, assigning responsibilities and setting timelines

You can use new technologies in a legally compliant way

We will evaluate your application scenarios and define clear usage rules, data flow processes and limits

We ensure that your contracts comply with data protection regulations

We can review and draft all components of your contracts, from the privacy policy to the DPA

Your marketing campaigns are risk-free

We can help you implement CRMs and customer loyalty programmes

Your documentation is audit-proof

We organise processes, evidence and templates in a way that ensures they pass audits

Free initial consultation

Prioritise your data protection in 30 minutes

Arrange an initial consultation

We provide a clear overview of the scope of application, the most pressing gaps and the initial measures, in a concise and practical manner.

Dr Benedikt Vogel, LL.M. (London)
Lawyer, Counsel | Berlin

Intro

Our motto: secure, radical, digital

SRD is the boutique law firm for digital projects, supporting you from kick-off to go-live. We combine technical innovation with compliance. We create radically clear legal scope for this.

Contact us

Your experts for data protection

Simone Rosenthal

Lawyer, Partner Berlin

Kathrin Schürmann

Lawyer, Partner Berlin

Dr Philipp Siedenburg

Lawyer Berlin

Contact

Bye-bye, legal standby

With us, you get clarity at project speed, so there's no need to wait for the legal team

Arrange an initial consultation

FAQ

Frequently asked questions about data protection

Tell us about the challenges you are facing and we will explain how we can help, how long it is likely to take, and how much it will cost.

  • The legal basis comes first: Any processing of personal data (training data, inputs and outputs) requires a sound legal basis (Art. 6 GDPR). For special categories of personal data, the additional requirements of Art. 9 apply.

  • Purpose limitation and change of purpose: Do not use existing data for AI training 'just like that'. Before changing the purpose, a compatibility check must be carried out in accordance with Art. 6(4), and data subjects must be informed (Arts. 13 and 14).

  • Data minimisation: Only use as much personal data as is necessary. Where possible, use anonymised or synthetic data without compromising the quality of the model.

  • Prevent shadow AI by implementing an internal AI usage policy that specifies approved tools and provides clear guidelines for data types and approvals, ensuring need-to-know access.

  • Carry out a DPIA early on: For high-risk AI applications, perform a DPIA before processing begins. Note the GDPR criteria (Art. 35) and the "must list" of the DSK (German Data Protection Conference), which includes the use of AI to control interaction with data subjects or to assess personal aspects.

  • AI governance: Integrate the AI management system (AIMS) and its policies into the existing DPMS/ISMS, and classify risks according to the AI Act (roles: provider/deployer). Keep an inventory of all AI assets and use cases.

In Germany, a Data Protection Officer (DPO) must be appointed if at least 20 people are regularly engaged in the automated processing of personal data (Section 38(1) BDSG). Regardless of the number of people involved, a DPO is also mandatory if the core activities consist of large-scale, regular and systematic monitoring of data subjects or of large-scale processing of special categories of personal data (Art. 37(1) GDPR in conjunction with Art. 9), or if the controller is required to carry out a Data Protection Impact Assessment (DPIA) (Section 38(1) sentence 2 BDSG). For SMEs, an external DPO is often the most pragmatic solution.

  • Act immediately: Contain the incident, establish the facts and assess the categories and scope of the data affected (risk assessment).

  • The 72-hour deadline applies: Unless the breach is unlikely to result in a risk to data subjects, report it to the supervisory authority within 72 hours of becoming aware of it (Art. 33). If you cannot meet the deadline, the notification must state the reasons for the delay.

  • Notify the affected parties: If the breach is likely to result in a high risk, inform the data subjects without undue delay (Art. 34), describing the nature of the breach, its likely consequences and the measures taken.

  • Documentation: Log every breach internally, including the facts, its effects and the remedial action taken, even if it is not reportable (Art. 33(5)).

  • Remediation and prevention: Take immediate measures (e.g. password resets, account blocks and patches), conduct a root cause analysis, refine the TOMs, train the team and test the incident response playbook.

A DPIA is a structured risk analysis pursuant to Art. 35 GDPR, which is required for processing operations that are likely to pose a high risk to the rights and freedoms of natural persons (e.g. the use of new technologies, extensive profiling and scoring). It describes the planned processing, checks necessity and proportionality, assesses the risks for data subjects, and defines technical and organisational measures to mitigate them. The objective is to identify risks in advance and reduce them to an acceptable level, in a way that is documented and verifiable.

A data protection audit is an independent review of your processes, systems and documentation for GDPR compliance. The following are examined, among other things: the record of processing activities (ROPA), the legal bases, the technical and organisational measures (Art. 32), the processor agreements (DPAs), the deletion and retention concept, the handling of data subject rights, and the website and tracking setup. The outcome is a report detailing the findings, along with a prioritised action plan (including quick wins, measures and a roadmap), which is useful for management, certifications or due diligence purposes.