General questions and answers

Here you will find answers to questions we are frequently asked. If your question is not covered, please feel free to contact us directly.

Which areas does your law firm specialise in?

We specialise in IT law, compliance, whistleblower protection, data protection, and acting as external Data Protection Officers.

Do you advise clients throughout Germany?

Yes, we provide advice across Germany.

Do you also provide advice across the EU?

Yes, we provide EU-wide advice through our co-founder Diane Frank Baeza.

In which languages do you advise?

In addition to German, we advise in English, French, Spanish, Italian, Turkish and Portuguese.

What company sizes do you work with?

We advise clients ranging from single IT specialists to multinational corporations with legal and data protection departments – from 1 to 10,000 employees.

IT CONTRACT LAW

Which IT topics do you advise on?

Legally compliant online marketing, online shops and websites, drafting and reviewing software contracts, legal questions around big data and AI, implementation of software projects, and works council agreements on IT and compliance.

What do you offer in relation to direct marketing?

We advise on how to design direct marketing campaigns based on profiling or data analysis in a legally compliant way. Can existing customer data be used for new profiles? We provide solutions and address data protection concerns in marketing strategies.

What do you offer in relation to software projects?

“Privacy made in Germany”: we support privacy by design and by default, help strengthen your IT services when dealing with your clients’ Data Protection Officers, draft outsourcing contracts for ERP or CRM projects, and assist with developing deletion concepts.

What do you offer in relation to employee data protection?

From private internet and email use at the workplace to drafting staff policies or works agreements: we help you implement clear and compliant employee data protection frameworks.

Data Protection

From how many employees does a company need a Data Protection Officer?

Under the GDPR, whenever processing activities create significant risks for data subjects.

From when is a Data Protection Officer mandatory in Germany?

From 20 employees, counted by headcount.

What happens if a company fails to appoint a Data Protection Officer when required?

Persistent refusal may result in fines.

What exactly do you do as an external Data Protection Officer?

We advise and monitor GDPR compliance, train employees on data protection, support with data protection impact assessments, advise on data processing agreements, and maintain documentation in a data protection manual.

What does the process look like after initial contact?

After you reach out, we schedule an initial consultation to assess your current status. Three days later, you receive a tailored proposal. If you accept, you become our client, receive the contractual documents, and we proceed with follow-up meetings.

What topics does your data protection coaching cover?

Legal and organisational data protection tasks, feedback on contracts and wording, provision of template clauses, updates on legislative changes, and support during negotiations.

Would you support our internal DPO with legal questions?

Absolutely – that is one of our core areas of expertise.

WHISTLEBLOWING & COMPLIANCE

Since when has the German Whistleblower Protection Act been in force?

Since 2 July 2023.

What does the Whistleblower Protection Act mean for my company?

Companies with more than 50 employees must set up an internal whistleblowing system. For companies with fewer than 250 employees, there was a transition period until 17 December 2023.

What do you do as an Ombudsman for our company?

We operate the whistleblowing system with personal availability and an online portal, acting as a neutral point of trust between whistleblowers and your company.

Why should we choose your firm?

We are personally available to whistleblowers and have many years of experience in handling reports. In addition, we provide all reporting channels from a single source, including an online portal.

What is the advantage of having an internal reporting office with external whistleblowing officers?

It reduces the burden on your internal infrastructure.

What sets you apart from other providers?

We have been active in this field since 2011. Processing reported cases requires legal expertise – for example, assessing credibility under Section 17 HinSchG or dealing with the specific offences listed in Section 2 HinSchG.

DATA ACT

What does the EU Data Act mean for my business?

The Data Act is part of the EU data strategy and regulates access to, use of and sharing of data generated by products and related services. It primarily affects manufacturers of IoT-enabled products and services, focusing on the data stored by the manufacturer. This means not only individuals will have greater control over their data, but businesses will also be able to share and analyse machine and industrial data.

Who benefits from the Data Act?

Users of connected devices gain easier access to product and service data. Small and medium-sized enterprises also benefit, as abusive contractual clauses on data use will be prohibited.

What obligations arise for companies?

Companies must make usage data easily and comprehensively available – in both B2C and B2B contexts – typically through secure, interoperable technical interfaces. Data may only be used within the contractually agreed framework. In addition, the Data Act eliminates unfair contractual terms regarding data use and access in B2B relations.

How does the Data Act interact with the GDPR, the DSA and the DMA?

The Data Act governs fair access to and use of both personal and non-personal data. Where personal data is involved, the GDPR applies in parallel and takes precedence in case of conflict. The Digital Services Act (DSA) regulates online platforms such as social networks, while the Digital Markets Act (DMA) focuses on fair competition in digital markets, especially for large “gatekeeper” platforms.

What are the consequences of non-compliance with the Data Act?

In Germany, the Federal Network Agency will supervise non-personal data compliance, while the Federal Data Protection Commissioner (BfDI) oversees personal data. Breaches involving personal data may lead to fines of up to EUR 20 million or 4% of annual global turnover.

CYBER RESILIENCE ACT (CRA)

What does the Cyber Resilience Act (CRA) mean for my business?

The CRA is an EU regulation that sets minimum cybersecurity requirements for products with digital elements. Its goal is to reduce vulnerabilities in connected hardware and software. It applies to manufacturers, distributors and importers placing such products on the EU market.

What obligations will my company have under the CRA?

You must ensure that your products are secure, carry out risk assessments, report vulnerabilities and respond to security incidents. Extensive documentation and evidence obligations also apply.

When do I need to comply with the CRA requirements?

From 11 June 2026: notified bodies may begin CRA conformity assessments.
From September 2026: mandatory reporting of security incidents and vulnerabilities takes effect.
From 11 December 2027: all affected products must fully comply with the CRA requirements.

What are the risks for my company if we do not comply?

Non-compliance may result in fines, sales bans and claims for damages. Reputational damage is also a concern, and contractual partners will more easily enforce warranty rights.

How does the CRA affect my liability?

The CRA increases liability for insecure products in the context of security incidents. Companies should act proactively to reduce liability risks from cyberattacks or security flaws.

Do I need to adapt my supply chain and contracts?

Yes. The CRA requires companies to assess the cybersecurity of their supply chains and implement appropriate contractual safeguards. We can support you in making these adjustments.

How can a specialised law firm support my CRA compliance?

We provide comprehensive advice on the CRA’s legal requirements. Together with our technology partner SEKAS GmbH, we review your products and processes, and support you in implementation. Our services include legal risk assessments, contract reviews, staff training, and assistance in communications with authorities and customers.

AI ACT

What does the AI Act mean for my business?

The AI Act entered into force in August 2024, with obligations applying in stages. It applies to both providers and users of AI systems in the EU. Its purpose is to ensure AI is safe, transparent and ethical – protecting users while fostering innovation.

Which AI systems fall under the Act?

The AI Act defines AI in a technology-neutral way: machine-based systems that operate with varying levels of autonomy, can adapt after deployment, and generate outputs such as predictions, recommendations or decisions that influence physical or virtual environments. The Act follows a risk-based approach. We can assess which risk category your system falls into as part of a legal review.

What obligations will companies face?

Depending on classification, compliance requirements increase – from transparency obligations to strict rules for high-risk systems. These include establishing a risk management system (Art. 9), undergoing conformity assessments, and maintaining extensive technical documentation (Art. 11).

Can you give examples of high-risk AI?

High-risk AI includes systems used in vocational training, law enforcement, or in granting access to essential services such as healthcare or insurance.

What are the penalties for non-compliance with the AI Act?

The competent authority in Germany is the Federal Network Agency (BNetzA). Sanctions can reach up to EUR 35 million or 7% of annual global turnover. Reduced fines apply for SMEs and start-ups.

NIS-2 DIRECTIVE

What does the NIS-2 Directive mean for my business?

The NIS-2 Directive is an EU law aimed at strengthening cybersecurity across key sectors. It requires companies to implement robust security measures, establish clear responsibilities and report incidents promptly.

How do I know if my company falls under NIS-2?

This depends on your sector, company size and systemic relevance. We can carry out a comprehensive assessment to determine whether your organisation is covered by NIS-2.

Can smaller companies also be affected by NIS-2?

Yes. Even businesses below the formal thresholds may be included if they perform critical functions. A tailored legal assessment is essential in these cases.

What happens if my company does not comply with NIS-2?

Non-compliance can result in substantial fines, regulatory measures and even personal liability for management.

How can SFRP support my company with NIS-2 compliance?

We design tailored compliance programmes – from risk assessments to internal policies and reporting procedures. With our Compliance-as-a-Service model, we provide hands-on support and relieve the burden of day-to-day compliance.

Why is legal guidance so important when implementing NIS-2?

NIS-2 is complex, involving not only technical but also liability and governance issues. As a law firm specialised in IT and data protection law, we ensure that your implementation is legally sound and economically viable.