Term and definition of Data
Data represent a central resource in the digital age and assume diverse meanings and functions in the legal context. The term includes all characters, values, or information that can be digitally stored, processed, or transmitted, regardless of interpretation or context. Data can be personal or relate to economic, technical, scientific, or other matters.
Legal foundations of Data
Data protection classification
General Data Protection Regulation (GDPR)
With the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679), a uniform legal framework for the handling of personal data was established in the European Union. The regulation defines personal data as information relating to an identified or identifiable natural person. The protection of personal data is one of the fundamental rights and forms part of European data protection law.
Federal Data Protection Act (BDSG)
The Federal Data Protection Act (BDSG) supplements and specifies the requirements of the GDPR at the national level. It regulates, among other things, the processing of special categories of data, data protection in employment relationships, as well as the powers and duties of data protection supervisory authorities.
Scope of application and categories of data
In the context of data protection law, a distinction is made between personal and non-personal data. Special regulations also apply to particular categories of personal data (e.g., health data, biometric data) according to Art. 9 GDPR.
Lawfulness of Data processing
The processing of personal data is permitted only under the conditions specified in Art. 6 GDPR, including consent, contract fulfilment, or legitimate interest. The rights of data subjects – including the right to information, rectification, and deletion – are comprehensively regulated.
Data in copyright law
Protection of database works
Under the German Copyright Act (UrhG), database works—that is, systematically or methodically arranged collections of data—can be protected by copyright if they constitute an original intellectual creation (§ 4 (2) UrhG). In addition, database producer rights under §§ 87a et seq. UrhG grant owner-like rights to databases if a substantial investment has been made in obtaining, verifying, or presenting the contents.
Data as a work
Data as isolated units are in principle not protected by copyright because they lack the requisite level of originality. However, protection may extend to the structured compilation of data.
Data and protection of trade secrets
Act on the Protection of Trade Secrets (GeschGehG)
Trade secrets may include data that possess economic value in the course of business, are kept secret, and are subject to appropriate confidentiality measures (§ 2 No. 1 GeschGehG). Data such as customer lists, calculations, or technical descriptions are therefore treated in particular as protectable legal assets in the context of competition.
Data in contract law
Contractual regulations and rights of use
In contractual relationships, agreements are often made regarding the use, processing, and transfer of data. Contracts may govern, for example, rights of use to data or stipulate certain behavioral obligations such as confidentiality and data security. IT contracts, license agreements, and service contracts related to data access and provision are of particular relevance.
Liability and data loss
Liability for data losses or unauthorized data disclosures can be contractually regulated but is also subject to statutory provisions, such as the obligation to secure data and to pay damages in the event of breaches of duty.
Data in criminal law
Data protection criminal law
Under both the BDSG and the Criminal Code (§ 42 BDSG, § 202a StGB), the unauthorized collection, use, or disclosure of personal data is a criminal offense. In addition, offenses related to data modification and computer sabotage (§§ 303a, 303b StGB) are relevant.
Data and IT security law
Act to Increase the Security of Information Technology Systems (IT Security Act)
The IT Security Act and the associated BSI Act require operators of critical infrastructures to implement technical and organizational measures to protect data from unauthorized access, loss, or manipulation. Adherence to the protection objectives of confidentiality, integrity, and availability is central.
Data in an international context
International data transfer
Cross-border transfers of data are subject to specific regulations. Under the GDPR, personal data may only be transferred to third countries under certain conditions, for example, based on adequacy decisions or appropriate safeguards (standard contractual clauses, binding corporate rules).
International agreements
International agreements such as the Data Privacy Framework (formerly Privacy Shield) between the EU and the USA govern transatlantic data flows and set requirements for the protection of personal data.
Other legal areas concerning Data
Tax law retention obligations
Tax regulations (Tax Code, GoBD) set retention periods for tax-relevant data and require companies to ensure data integrity during the statutory retention period.
Telecommunications law
The Telecommunications Act (TKG) and the ePrivacy Directive contain regulations on the processing of communication and location data, retention periods, and ensuring confidentiality.
Conclusion and outlook
Data represent a subject in law that is both diverse and complex. Depending on the specific area of application—from data protection to copyright law, from contract law to IT security regulations—legally compliant handling of data requires a differentiated consideration of all relevant provisions. In light of ongoing digitalization, it is expected that the legal framework for the processing, use, and protection of data will be subject to further amendments and clarifications.
This article provides a comprehensive overview of the legal significance and regulation of Data according to the current legal situation.
Frequently asked questions
What are the legal foundations for processing personal data?
The processing of personal data in Germany and the entire European Union is primarily governed by the General Data Protection Regulation (GDPR), supplemented by the Federal Data Protection Act (BDSG). These regulations specify in detail the conditions under which personal data may be collected, stored, processed, and transferred. Core elements include the lawfulness of data processing, the principle of data minimization, transparency, purpose limitation, and the implementation of technical and organizational measures to protect data. In addition, a legal basis must exist for any form of data processing, such as the consent of the data subject, a statutory requirement, or a legitimate interest. Violations of these provisions can be sanctioned with significant fines, with the respective data protection authority responsible for monitoring and enforcement.
What information obligations exist towards data subjects when collecting data?
According to Art. 13 and 14 GDPR, controllers are obliged to provide data subjects with comprehensive information when collecting personal data. This includes, among other things, the identity and contact details of the controller, the purpose and legal basis of processing, the planned storage period, disclosure to third parties, and notices concerning data subject rights (e.g., right to information or complaint to the supervisory authority). If the information is not collected directly from the data subject, the information obligations must be fulfilled subsequently and within certain time limits. Fulfilling these obligations is a key element of the transparency requirements and a prerequisite for the lawfulness of data processing.
Under what circumstances is the transfer of data to third countries permitted?
The transfer of personal data to countries outside the European Economic Area (so-called third countries) is only permitted under Art. 44 et seq. GDPR if an adequate level of data protection is ensured there. This can be demonstrated, for example, by an adequacy decision of the European Commission, appropriate safeguards such as standard data protection clauses, or binding internal data protection rules (“Binding Corporate Rules”). If an adequate level of protection is lacking, exceptions are necessary, such as the explicit consent of the data subject after prior information about existing risks. Violations in this area can lead to serious legal consequences.
What obligations apply to data processing by third parties?
If personal data are processed on behalf of another party, such as by external service providers, this constitutes what is known as commissioned data processing according to Art. 28 GDPR. There must be a written contract between the controller and the processor that clearly regulates the rights and duties of both parties. The processor may process the data only on the instructions of the controller and in compliance with all legal data protection requirements. In addition, the controller is obliged to carefully assess the suitability of the processor with regard to compliance with data protection requirements and to monitor them regularly.
What rights do data subjects have regarding their data?
Under the GDPR, data subjects have a variety of rights with respect to their processed personal data. These include in particular the right of access (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17 “right to be forgotten”), restriction of processing (Art. 18), data portability (Art. 20), and the right to object to processing (Art. 21). Controllers must respond to requests within one month; extensions of the deadline are only permitted in exceptional cases. Non-compliance with these rights may result in complaints to supervisory authorities and significant fines.
What measures are mandatory for the secure processing of personal data?
Article 32 GDPR sets clear requirements regarding the security of data processing. Controllers and processors must ensure an appropriate level of protection in line with the risk by means of suitable technical and organizational measures (TOM). These include, for example, encryption, pseudonymization, access restrictions, regular security audits, and processes for restoring data in the event of a physical or technical incident. Regular review procedures must also be implemented to ensure the continued effectiveness of these measures.
When and in what form must data protection breaches be reported?
In the event of a breach of the protection of personal data (“data breach”), there is an obligation under Art. 33 GDPR to report to the competent supervisory authority, as a rule within 72 hours of becoming aware of the incident. If there is a high risk to the rights and freedoms of data subjects, they must also be informed without undue delay (Art. 34 GDPR). The report must describe the nature and scope of the incident, possible consequences, and the remedial measures taken in detail. Proper documentation of data protection breaches is required by law and serves as evidence towards the authorities.