Are you looking for a competent lawyer for legal questions concerning data protection, the GDPR, or commissioned data processing? Then you have come to the right place.

We have the technical understanding and advise not only small companies and self-employed persons who do their business mainly via the Internet, but also medium-sized companies with international business relations.

Just ask us! We will gladly advise you.

We advise hundreds of merchants on trading on various platforms, in particular Amazon.

Data protection, data protection declarations, order data processing, data deletion, claims for information etc.



We make your data storage and data processing legally secure

Would you like to make your organization legally compliant in data protection?

Are you looking for an external data protection officer?

Do you want to set up and integrate a data protection management system?

Liesegang & Partner offers you legal advice for your individual needs. Our services are available at a fixed price or tailored to your specific needs.

We can support you in many ways. Our experienced lawyers for data protection law will advise you on the creation of a data protection concept that is legally compliant and practicable for your everyday business.

Frequent tasks in the area of data protection

Our experienced team will be pleased to support you in particular with the following questions:

  • Data protection in the company: Employees, storage and processing of data
    • Revision of the employment contracts with your employees according to data protection law
    • Creation of data protection concepts for your company
    • Employee data protection, transfer of employee data to third parties
    • Review of measures of the employer relevant to data protection law
    • Data transfer within the Group - Group Privacy
    • Information, documentation and action obligations of the employer and legal consequences in the event of violations
    • Creation of guidelines for the observance of employment data protection in your company
    • Preparation of the corresponding contractual basis
    • Design of regulations on the topic "Bring Your Own Device"
  • Questions relating to the use of cloud-based hosting services such as AWS and Azure
  • Support with data protection issues in the context of certification according to ISO 9001 or TÜV s@fer-shopping
  • Advice on the rights of access of data subjects, both preventive and in the event of infringements, data protection problems
  • Right to data transferability (data portability) pursuant to Art. 20 GDPR
  • Preparation of commissioned processing contracts (Art. 28 GDPR)
  • Creation of a directory of procedures for data protection in your company that is suitable for submission to the supervisory authorities
  • Advice on the services and tasks of the data protection officer
  • Assistance in identifying and implementing proportionate technical and organisational measures (Art. 32 GDPR)
  • Drawing up guidelines for the transfer of personal data abroad (Art. 44 - 50 GDPR)
  • Advice on the admissibility of tracking mechanisms on websites
  • Creation of a data protection declaration for your company website


Overview of the most important data protection issues

The processing directory

All processing activities are recorded in a directory. The register serves as proof of whether the person responsible complies with the obligations of the GDPR. The register must be kept by the controller or the representative and must contain all the information required by Art. 30 para. 1 GDPR. Companies with fewer than 250 employees are not obliged to keep such a register. Upon request, the controller must submit the processing register to the supervisory authority.

The order data processing

As soon as the servers are not located at the responsible party or the associated maintenance of the systems is not carried out by the responsible party, order processing pursuant to Art. 28 GDPR by an external company is deemed to have taken place. In this context, a contract data processing agreement is indispensable; it contractually specifies the extent to which the data may be collected, processed and used by the processor. The processor must comply with the instructions of the person responsible.

The rights of data subjects

If the person responsible collects personal data from data subjects, he or she must comply with the requirements of Articles 12 to 23 GDPR. The data controller must ensure that processing is transparent and comprehensible, that the permissibility of storing the collected data is always checked and that the data subjects can exercise their rights to information and deletion.

(The main rights of data subjects that data controllers must respect are explained below:)

The right of revocation/instruction of revocation

Implementing this right is essential to meeting the requirements of the rights of the persons concerned. It is mandatory that the person responsible informs the data subject about his or her rights.

The persons concerned have the right

  • to obtain information on the data processed about them to date and the data available within the framework of data collection (Art. 15 GDPR)
  • to have their data corrected if the data have not been collected correctly (Art. 16 GDPR)
  • to revoke the collection and storage of their personal data so that the data are no longer used for the original processing purpose (Art. 21 GDPR). In this context, deletion of the stored data may also be requested (Art. 17 GDPR).

All requests for information, correction, revocation and deletion must be made in writing.


The right of deletion ("right to be forgotten")

The responsible person must delete the data at the request of the person concerned. The data controller shall inform any processors of the data subject's request for deletion. When the data subject asserts his or her right of deletion, one of the reasons pursuant to Art. 17 para. 1 GDPR must be given. If, on the other hand, an exception under Art. 17 para. 3 GDPR applies, the person responsible does not have to comply with the request for deletion. This is often the case where statutory retention obligations apply.

Data transferability

If the data subject wishes to have his or her data transferred to another responsible party, the data subject can assert the claims in two ways: First, Art. 20 para. 1 alt. 1 GDPR ensures that the person concerned can "demand" that the person responsible "return" the data on a standard commercial data carrier. Second, Art. 20 para. 2 GDPR allows the data subject to choose whether he or she wishes to have the data transferred to himself or herself personally or directly to another responsible party.

Necessity of a data protection officer

According to Art. 37 GDPR, a data protection officer is required if the focus of the company's activities lies in regular monitoring or in the processing of sensitive data (including health data, criminal offences). Pursuant to Art. 38 (1) BDSG nF, a data protection officer must be appointed if at least ten persons are permanently involved in the automated processing of personal data. This also applies if the person responsible is obliged to carry out a data protection impact assessment.

Data protection declaration and consent

The responsible person must be able to present a data protection declaration. A missing or inadequate data protection declaration can be the subject of a formal warning. The data subject's consent to the collection of data cannot be obtained by having him or her consent to the data protection declaration. Rather, the data controller must obtain consent to the collection and storage of the data through a separate declaration of consent.