Data Protection Law

Table of contents
  1. Datenschutzpakete
  2. Fortsetzung wie wir arbeiten
  3. Technical and organizational measures
  4. Our Expertise
  5. Our Experts

How we work

Commercial law firm & law firm for the public sector

We are a business law firm through and through. This means that your business success is at the heart of everything we do. With our high level of specialisation, we create commercially sensible and pragmatic solutions for you. We speak your business language, understand your needs and enable you to make informed and well-prepared decisions. We work with you to ensure that you only invest where it makes sense for you to do so.

Our experts also know the ins and outs of government, often having worked in government themselves. We understand government structures and have a keen sense of the organisational and political dimensions of data protection in public institutions.

Consulting Services

We focus on providing you with comprehensive advice. You can talk through your entire business model with us, and we will identify any data protection pitfalls. We then help you design your business processes to meet data protection requirements. We identify where processes may need to be adapted and what contractual arrangements you need to put in place to ensure that data protection law does not get in the way of your business success. A key issue is the transfer of personal data to third countries.

What if you have a specific question? You can get a quick, informed answer through a direct line to our case managers.

Preparation of legal texts and procedural documentation

Once the concept and organisational framework are in place, we take over the preparation of all legal texts relating to data protection:

  • Privacy Management System
  • Auditing
  • Training courses
  • Data protection officer
  • Area-specific data protection (e.g. social data protection)
  • CRM Data Protection
  • Employee privacy
  • Website privacy
  • Social media privacy
  • Data mishaps
  • Privacy Policy
  • Statement of Consent
  • Confidentiality Undertaking
  • Data Processing Agreement (DPA)
  • Records of processing activities (RoPA)
  • Rights of data subjects
  • Privacy Policy
  • Risk Assessment & Privacy Impact Assessment (DPIA)
  • Transfer of data to third countries
  • Photos & privacy
  • Data Security (Technical and Organisational Measures)
  • Privacy by Design / Privacy by Default
  • Deletion policy

By the way: We offer privacy template packages for small and medium sized businesses. This gives start-ups in particular the opportunity to start with a solid foundation in data protection law.


Directly fillable package with samples and guidelines for data protection in your company.
The package includes:
  • Privacy policy
  • RPA for Controller
  • TOM
  • DPA
Directly fillable package with samples and guidelines for data protection in your company. Additionally with documents for employee data protection.
The package includes:
  • Privacy policy
  • RPA for Controller
  • TOM
  • DPA
  • Instruction on confidentiality
  • Privacy policy employees
  • Consent employee photos website
  • Data Privacy and Information Security Policy
  • Policy regarding use of internet and e-mail
  • Home Office Policy
Customized compilation of data protection law documents for your company by the law firm. Incl. an assessment of previous data protection documents
The package includes:
  • Privacy policy
  • RPA for Controller
  • TOM
  • DPA
  • Instruction on confidentiality
  • Privacy policy employees
  • Consent employee photos website
  • Data Privacy and Information Security Policy
  • Policy regarding use of internet and e-mail
  • Home Office Policy

Legal Representation

If the worst comes to the worst, we will represent you competently in court, vis-à-vis the regulatory authorities and the parties concerned. We can help you to defend against unjustified claims for damages and fines, and to resist excessive requests for information. Our experts develop appropriate defence strategies for each individual case. Of course, we will also support you in the event of justified claims by third parties - always with a view to ensuring the greatest possible legal security for your company.

Expert opinion

We provide you with qualified data protection advice. We start by developing a comprehensive understanding of your business model and the specific processing situation. Led by our experienced team, we begin with a concrete inventory and risk analysis to identify data protection risks and provide you with clear recommendations on how to ensure compliance.

Training Courses

Our training courses provide in-depth knowledge of current data protection laws to sensitize and train your employees to the requirements of data protection law. We emphasize practical and applicable content that is tailored to your organization's needs. Our experienced team of data protection experts makes the training sessions interactive and illustrative to raise awareness of data protection issues and minimize risks. As a result, our training not only helps ensure that your organization is compliant, but also helps increase customer and business partner confidence in your organization.


Technical and organizational measures

According to Art. 32 DS-GVO, you must take appropriate technical and organizational measures for the security of processing. Appropriate measures go beyond purely technical measures such as the almost always indicated use of two-factor authentication and the encryption of data carriers and connections. Thus, organizational issues such as training employees and committing them to data protection are also part of TOM. It is important that the totality of measures achieves a level of protection appropriate to the type and amount of data processed.

Our Expertise

Corporate data protection

As a specialist data protection law firm, we not only have expertise in a wide range of data protection areas, but are also experts in general corporate data protection. For companies, we have a proven approach - our Data Protection Action Plan - to achieve a solid level of data protection in the company within a short period of time. We not only formulate the necessary legal texts, such as your privacy statement, or provide templates for a list of processing activities (VVT). We also provide you with comprehensive advice and the necessary support for each individual measure.

We take a business-driven, risk-based approach: We want to provide you with the highest level of legal certainty, but we recognize that business resources are limited. It is therefore important to invest where the greatest level of data protection can be achieved with the least amount of resources.

If your company has appointed a data protection officer, we are happy to support him or her as a "second level" in individual legal matters.

Data protection for processors

In particular, IT companies that act as processors need extensive advice. Order Processing Agreements (OPAs) must be concluded with the company's own customers. In the interest of your own company, you should not fall back on the first available model - because if the processes agreed in the OPA do not match the processes of your own company, this can result in considerable opportunity costs in day-to-day business. We provide practical suggestions for agreements with your customers and support you in negotiations.

Our expertise in drafting IT contracts is always incorporated into the design of your data protection legal texts. The result is a coherent overall concept for you.

Privacy when using cloud services

Complex processing situations are especially common with cloud service providers: For example, the services for the actual data processing are operated in the Kubernetes cluster of one provider, while the data is stored via the S3 service of another provider and backups are made on mass storage at a company in a third country, in particular in the USA. It is important to have appropriate contracts with all partners and to keep a good overview of the processing.

Especially if you offer cloud services to consumers, a high level of data protection is important when operating cloud services. In addition to infrastructure, there are fundamental principles of data protection law, such as data minimization and privacy by design, that need to be implemented in your cloud software. With our advice, you can reduce the risk of warnings from competitors and be well prepared for an audit by the data protection authority..

Data protection in international companies and groups

According to the GDPR, data transfers within corporate groups also require a legal basis - the GDPR does not provide for a group privilege, as is the case in antitrust law, for example. The situation is even more complex for international groups with subsidiaries in third countries outside the European Economic Area. In this case, the transfer to these group companies is governed by the rules of Art. 44 of the GDPR. In particular, it requires appropriate safeguards. In the case of third countries for which there is no adequacy decision by the EU Commission, these are generally achieved by agreeing to the EU Commission's standard contractual clauses pursuant to Art. 46(2)(c) of the GDPR or through binding internal data protection rules (so-called Binding Corporate Rules) pursuant to Art. 47 of the GDPR.

We help you navigate this complex legal landscape.

Data protection in e-commerce

We support companies in online commerce with our extensive expertise in data protection law in combination with general e-commerce law. We assist you in drafting and integrating the necessary standard legal texts, such as the privacy policy or the consent for sending newsletters. In addition to the content, the concrete technical and organizational implementation is also relevant, which is why we use test orders to check the entire ordering process of your online shop for data protection shortcomings and provide concrete advice on any necessary adjustments.

In e-commerce, whether B2B or consumer business, your customers' trust in your company is essential. With our advice, you can lay the legal groundwork for data protection-compliant business practices and earn the trust of your customers.

Privacy in the use of CRM systems

We help our clients to use customer relationship management (CRM) systems in a data protection-compliant manner and to ensure the secure handling of personal data. We advise not only on the collection of personal data for these systems, but also on the permissible scope of processing. According to your requirements, we determine how CRM systems can be used in a data protection compliant manner. On a case-by-case basis, we can draft legally compliant consents and help you design data protection-compliant processes so that nothing stands in the way of your business success.

Data Protection in Employment Law

We assist companies and employers in complying with data protection regulations in the context of employment relationships. Our advice includes drafting legally compliant employment contracts, implementing data protection policies, and training employees on their data protection obligations.

In doing so, we always keep in mind the special requirements of German employee data protection, especially according to § 26 BDSG. Especially if your company processes data based on the consent of your employees, there are a number of things to consider. From the private use of company email accounts to the private use of the Internet at work, we help you identify and eliminate data protection pitfalls. We provide templates for common situations, such as using employee photos on your own website.

Social data protection

Our firm has outstanding expertise in social privacy law. We provide comprehensive advice and legal support to companies, public authorities and other institutions in the social sector. Our experienced team has in-depth knowledge of the specific data protection requirements in this sensitive area, including the special provisions of the 10th Data Protection Directive. We help our clients implement data protection policies and procedures that meet high legal standards and maintain the trust of their clients and partners. In doing so, we emphasize individualized approaches to take into account the uniqueness of each organization and develop highly practical solutions that best meet your needs and requirements.

Data Protection for Political Parties and Political Organizations

Data protection in the case of political parties and organizations involves numerous special features; such organizations often have to be measured not only against the law, but also against political opinion - this requires tact on the part of legal counsel. The interplay between directly applicable European data protection law and the special position of political parties and trade unions in German law alone presents a number of special features. Likewise, the particularities of the organization of these entities - often as an unincorporated association (neV), general association, or foundation - pose special difficulties for legal counsel. What data protection law has in store for companies cannot simply be transferred. TRÖBER@ legal has special expertise in this area and is happy to provide advice.

Defense against damages claims

Our law firm specializes in the successful defense of claims for damages under Article 82 GDPR in connection with data breaches. With extensive experience and precise knowledge of the relevant laws, we develop effective defense strategies to best protect our clients' interests. Whether it is a mass warning or a settlement following a data breach, we are by your side.

Monitoring of data protection incidents

In the event of a data breach, it is critical to act quickly: Not only do you need to take immediate action at the technical such as shutting down systems and locking down accounts, but there are also legal issues to consider in a short period of time. In particular, you have only 72 hours to notify data protection authorities under Article 34 of the of the GDPR. And you may also need to notify data subjects.

With our proven standard procedures and legal expertise to guide you through all the relevant stages. In particular, we provide valuable support to data controllers, guiding them through the often difficult with their own customers affected by the incident and helping them to formulate their own in formulating their own position. The goal is always to minimize your liability risks and maintain the confidence of your business partners.

Data Protection Officer

Our firm can also assist you in selecting an internal or external data protection officer. We have an extensive network at our disposal and will be happy to put you in touch with competent contacts. We can also assist you in all legal matters relating to your internal or external data protection officer, in particular with regard to appointment and dismissal.

Our Experts

Jörn Tröber, Lawyer
Certified lawyer for information technology law … Founder of the law firm, born 1964 in Göttingen, 1984 Abitur at the Gymnasium Petrinum in Dorsten, studied law and business administration from 1986 to 1990 in Münster, 1991 1st state exam at the Higher Regional Court of Hamm, legal…
Prof. Dr. jur. Volker Lüdemann
Volker Lüdemann is Professor of Business and Competition Law at Osnabrück University of Applied Sciences and Scientific Director of the Lower Saxony Data Protection Center (NDZ) since September 2009. Previously, he was a legal counsel and managing director in the VW Group. Volker Lüdemann has been…
Christiane Uhlenbrock, Lawyer
As a admitted attorney, she supports the firm as an external consultant, particularly in the area of IT labor law. Christiane Uhlenbrock is also a lawyer on the Labor Relations staff of Atruvia IT AG. The focus of her current work is the structuring of matters relevant to co-determination with…
Fabian Müller, M. Iur.
Fabian Müller has been a legal employee at TRÖBER@ legal since 2022. He specializes in data protection law and has particular technical experience in the IT sector.