Security and data protection requirements collide

Data protection in law firms

The General Data Protection Regulation came into force on May 25, 2018. The regulations contained herein regarding the processing of personal data must also be observed by lawyers in the context of their legal work.

According to Art. 2 (1) GDPR, the regulation applies to the fully or partially automated processing of personal data as well as to non-automated processing of personal data that is or is to be stored in a file system. Ultimately, this covers all data processing operations that take place in a law firm.

In Germany, not much has changed compared to the previous German data protection law; it should be noted, however, that the rules on fines have changed significantly, in particular Art. 83 Para. 4 and 5 GDPR. For example, a breach of the law carries the risk of fines of up to 20 million euros or up to 4% of global annual turnover.
In addition, lawyers are also exposed to warnings under competition law, because the data protection regulations are market behavior rules within the meaning of § 3a UWG.

Are you prepared?

If you want to briefly check whether you have considered everything with regard to the changes according to the GDPR, you can quickly determine what still needs to be done using a questionnaire from the Bavarian State Office for Data Protection Supervision:

You haven't dealt much with the GDPR so far?

We offer you an initial brief guide and overview in order to reduce the most immediate risks of a breach.

Every lawyer and every law firm (§ 59c BRAO) who alone or jointly with others decides on the purposes and means of processing personal data is a so-called controller, the "person responsible" (Art. 4 No. 7 GDPR). Where applicable, he or she is jointly responsible with others for ensuring that the requirements of the GDPR are complied with.

According to Art. 4 GDPR, processing means any operation carried out with or without the help of automated procedures, or any such series of operations, in connection with personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, querying, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.

According to Art. 4 GDPR, the term personal data includes all information relating to an identified or identifiable natural person; a natural person is regarded as identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.


1. Website

The GDPR not only affects the data that you hold in your law firm, such as client, opponent and employee data, but also data that you process via your website.

So if you operate a website, you should check whether it complies with data protection requirements, in particular whether your data protection declaration is sufficient.

According to Art. 13 and 14 GDPR, law firms have to fulfill information obligations with regard to their internet presence. This primarily concerns data processing processes associated with visiting the website. According to § 13 TMG, you as the website provider are also obliged to inform the user at the beginning of the usage process about the type, scope and purpose of the collection and use of personal data as well as about any transfer of data to countries outside the EU or the EEA.

You therefore need a data protection declaration on the website that has been adapted to the GDPR.

In addition to general information (who is responsible, who is the data protection officer, etc.), this must also contain information on, for example, the following points:

  • Contact form
  • Storage of IP addresses
  • Use of cookies
  • Use of social media plug-ins
  • Use of analysis tools (e.g. Google Analytics)
  • Commissioned data processing by a hosting provider
  • Newsletter dispatch
  • Blog
  • Links

Here you will find a non-binding sample data protection declaration and a questionnaire to check what should be included in your data protection declaration.


2. Data protection officer

As a rule, the controller only has to appoint a data protection officer if at least ten people are constantly involved in the automated processing of personal data (Art. 37 GDPR, supplemented by Section 38 (1) BDSG-new). This means that a data protection officer must be appointed if at least ten people have access to the office's IT system (access to e-mails is sufficient), regardless of the scope of their work (including part-time employees). An employee of the law firm or an external person can be appointed.

Please note that, in accordance with Art. 37 (7) GDPR, the controller must publish the contact details of the data protection officer (e.g. in the data protection declaration on the website, see above). In addition, the designation of the data protection officer and his or her contact details must be communicated to the supervisory authority.

The Bavarian State Office for Data Protection Supervision, which is responsible for lawyers based in Bavaria, operates an online reporting portal under the following link:

Whether you appoint an employee or an external person as the data protection officer is up to you. Regardless of how you decide, the reliability of the officer must be ensured. This requires not only specialist knowledge and trustworthiness. In the case of an internal appointment, you must ensure that the function of the data protection officer does not conflict with the person's other tasks in the office. This is especially the case if the person has their own interest in the firm (for example because of a stake in its assets, such as a partner or shareholder) or has a managerial role. As a rule, partners in a law firm do not seem to be suitable data protection officers. Special dismissal protection rules apply to employed data protection officers. Owners, partners and (in the case of companies) legal representative bodies (e.g. managing directors) may not be appointed as data protection officers (no self-monitoring).

You can find more detailed information on this question in the e-brochure "Data protection and data security in the law firm", 3rd edition, which you can access on the website of the German Lawyers' Association:


3. Client instruction

According to Art. 13 GDPR, the controller has an obligation to provide information when collecting personal data from the data subject. This information obligation already exists at the time the data is collected. It is therefore urgently advisable to include a client instruction with the engagement form, which, for documentation purposes, should be signed by the client. For the sake of simplicity, the information in the instruction should follow the list in Art. 13 GDPR.

The German Lawyers' Association also provides a sample for client instructions:


4. Let's go on ...

You have now taken the first steps. The most important gaps have been closed. However, the subject of data protection in the law firm is not yet closed. In a second step, you should now tackle the following topics:

Commissioned data processing

Whenever an external third party processes data on your behalf, it must be checked whether this constitutes commissioned data processing. Typical examples are hosting providers for data processing via the website, law firm software manufacturers if they offer cloud services, other cloud services such as web-based case files, and IT service providers for external data backups. Such commissioned data processing may only take place on the basis of a contract that binds the processor to the controller and specifies the subject matter and duration of the processing, the type and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. You should therefore check your existing contracts to see whether they meet these requirements.

The Bavarian State Office for Data Protection Supervision provides a sample commissioned processing contract:

Processing directory

The procedure directory known from the BDSG (Section 4g Paragraphs 2 and 2a BDSG; there called "Overview") is replaced under the GDPR by a (written or electronic) directory of all processing activities involving personal data. This directory covers all fully or partially automated processing as well as non-automated processing of personal data that is or is to be stored in a file system.

What must be contained in this directory and what it could look like can be found here: Sample processing directory.


According to Art. 29 and Art. 32 Para. 4 GDPR, you as the controller must instruct your employees that personal data may only be processed on your instructions. A corresponding commitment by your employees can be made as part of their confidentiality obligation. In addition, it should be checked whether employees are permitted to make private use of the means of communication available in the office. If so, additional agreements may have to be made with the employee to ensure compliance with data protection regulations.

In addition, in accordance with Art. 24 Paragraph 1 GDPR, employees must be regularly trained in compliance with the requirements of the GDPR. Accordingly, the person responsible has to implement suitable technical and organizational measures to ensure and to be able to provide evidence that the processing of the data is carried out in accordance with the GDPR.

The data protection of employees in the office is regulated in § 26 BDSG-new. In particular, according to Section 26 (1) sentence 1 BDSG-new, personal data of employees may be processed for the purposes of the employment relationship if this is necessary for the decision on the establishment of an employment relationship or, after its establishment, for its implementation or termination, or for exercising or fulfilling the rights and obligations of employee representation arising from a law or a collective agreement, a works or service agreement (collective agreement).
Applicants are also considered to be employees in accordance with Section 26 (8) sentence 2 BDSG-new, so that the rules on employee data protection also apply to them.

Organization of the deletion periods

The deletion of data that is no longer required for the purpose for which it was collected is becoming more and more important: appropriate technical and organizational measures must be taken to meet the deletion deadlines for stored personal data, Art. 25 GDPR. According to the principle in Art. 5 Para. 1 e GDPR, personal data may only be stored for as long as is necessary for the purposes for which it is processed. However, Article 17 (3) b) GDPR must be observed in this context: it provides that deletion does not have to be carried out if the processing is necessary to fulfill a legal obligation that requires the processing. This may be the case, for example, with regard to § 43a para. 4 BRAO, which provides for a conflict of interests check when taking on a mandate, or with regard to retention obligations under tax law. In addition, Art. 17 GDPR grants data subjects the right, under certain conditions, to demand that the controller delete personal data concerning them without undue delay.

It is therefore advisable to take technical precautions to ensure that deletion deadlines are adhered to and that deletion requests from data subjects can be handled. For this purpose, a concept should be developed that regulates the details of the procedure for handling such a deletion request. In addition, a deadline calendar with the deletion dates should be kept and updated regularly, for example when a mandate is terminated.

IT security / data security / technical and organizational measures, Art. 25, 32 GDPR

Particular attention must also be paid to IT security, as today it is usually the means by which the risk of unauthorized access by third parties to protected data is minimized.

It is therefore becoming more and more important in terms of data protection law to take the following measures:

  • Regular updates of the software programs you use
  • Use of current anti-virus and security software
  • Ensuring sufficient encryption when transmitting data, e.g. in correspondence with the client

According to Art. 30 Para. 2 lit. d GDPR, a general description of the technical and organizational measures in accordance with Art. 32 Para. 1 GDPR must, where possible, be included in the processing directory. A brief explanation of appropriate technical and organizational measures can be found in recital 78 of the GDPR.

In this context, it should also be documented to what extent the premises and the technical devices used to process personal data are secured against access by unauthorized third parties. For example, it must be recorded whether the premises have an alarm system and whether the PCs used are password-protected. At the same time, it is advisable to create a concept that specifies which data each employee has access to and which access authorizations (including to the respective offices of the law firm) have been granted to them. Explanations of the measures taken to meet these requirements (e.g. the allocation of individual access codes and the creation of individual user profiles) must also be included.


5. Now to the final spurt!

Data protection impact assessment, Art. 35 GDPR

If a form of processing, in particular when using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons due to the nature, scope, context and purposes of the processing, the controller must, in accordance with Art. 35 GDPR, carry out an assessment in advance of the impact of the intended processing operations on the protection of personal data. This only covers individual, specific processing operations.
Art. 35 (3) GDPR contains a list of cases in which a data protection impact assessment is required. This is the case, among other things, when special categories of personal data within the meaning of Art. 9 and 10 GDPR are processed extensively in the office.
If a data protection impact assessment is required, a data protection officer must also be appointed in accordance with Section 38 (1) sentence 2 BDSG-new, even if the number of people involved in the processing specified in Section 38 (1) sentence 1 BDSG-new is not reached.
The minimum content of a data protection impact assessment is regulated in Art. 35 (7) GDPR.

Develop an emergency concept - reporting obligations

If a breach of the protection of personal data occurs in your law firm, the controller must notify the competent supervisory authority without undue delay and, where possible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. There is an exception if the breach of the protection of personal data is unlikely to result in a risk to the rights and freedoms of natural persons, Art. 33 Para. 1 sentence 1, second half-sentence GDPR.

A concept must therefore be developed in the law firm which, on the one hand, enables data protection breaches to be detected and, on the other hand, ensures that the above-mentioned deadline is met.

According to Art. 33 Para. 3 GDPR, the report must contain at least the following information:

  1. a description of the nature of the personal data breach, as far as possible with an indication of the categories and the approximate number of persons concerned, the categories concerned and the approximate number of personal data records concerned;
  2. the name and contact details of the data protection officer or another contact point for further information;
  3. a description of the likely consequences of the personal data breach;
  4. a description of the measures taken or proposed by the controller to remedy the personal data breach and, if necessary, measures to mitigate its possible adverse effects.

In addition, the accountability principle in Art. 5 Para. 2 GDPR must be observed. Accordingly, the controller must ensure compliance with the requirements set out in Art. 5 Para. 1 GDPR and must be able to demonstrate that compliance. At the request of the supervisory authority, it must therefore be possible to document that the data protection requirements of the GDPR are being complied with. It is therefore advisable to keep an internal manual on the respective processing operations and the corresponding data protection precautions taken.


6. For professionals

You can find more information about the GDPR on the following websites: