Data Protection and Cybersecurity

Protecting data and harnessing its business potential must be viewed as integral parts of any business model

In times of digitalisation and disruption, it is essential for companies to address data protection and data security. The enormous potential that easy access to information and data brings with it presents a number of challenges and risks for companies. PwC Legal supports you in the design of your data-driven business models, as well as in the efficient and effective implementation and design of legal requirements with regard to data protection and IT security. 

Data Protection

From strategy consulting to technical implementation

Making the best use of the new technical options available for collecting and analysing information is crucial to staying competitive. At the same time, data protection law sets limits on the permissibility of processing personal data, determines requirements for data protection organisation, and counteracts any violations of the law with the threat of severe sanctions internationally. Compliance with data protection law has been an important component of risk management in companies for years. In addition, there are new regulatory requirements for non-personal data in the draft EU Data Act, as well as constantly increasing practical and regulatory requirements for cybersecurity. Therefore, you can rely on a team that provides you with comprehensive legal advice on the transformation of your company, is always on the same page as you, and implements the appropriate holistic solutions.

This is how PwC Legal supports you

Our lawyers advise you on: 

  • Design and implementation of a data protection management system – including the associated set of rules (and in software tools)
  • Assessment and design of the legally compliant collection and use of data processing processes and business models
  • Designing data transfer mechanisms, from Transfer Impact Assessment to achieving approval of Binding Corporate Rules by the data protection supervisory authorities
  • Creation and implementation of data protection notices and consent forms 
  • Drafting and negotiating IT company agreements (in cooperation with colleagues from the field of employment law)
  • Certification of management systems, services and products 
  • Conducting risk assessments or transfer impact assessments – including as a managed service 
  • Data protection reviews and audits (also with service providers as a managed service)
  • Incident Response Team for data incidents
  • Maturity and risk analyses pertaining to IT security law and data protection law vulnerabilities, while always taking into account other data law requirements, for example, with regard to trade secrets
  • Assessing the impact of new legal requirements from EU level such as Data Act, Data Governance Act, AI Regulation, etc.
  • Support with data law issues in transactions, carve-outs and post-merger integration


Cyber attacks on companies are becoming ever more frequent and sophisticated. This is especially true for critical infrastructures. It is high time to manage cyber risks, to protect yourself with maximum efficacy against digital threats, and to strengthen cyber resilience. PwC Legal advises on all legal and commercial issues arising in relation to the theft of sensitive data or economic or government espionage. In order to minimise risks, technical aspects are also integrated into the legal advice. To this end, we work closely with our colleagues from the Incident Response & Forensics department.

How PwC Legal supports you

Our lawyers advise on: 

  • Implementation of regulatory requirements in the ISMS
  • Reporting obligations and measures in the event of a cybersecurity breach
  • Safeguarding client data and assets
  • Obtaining injunctions against publications deemed to be an infringement of proprietary rights
  • Implications of criminal law and sanctions for extortion (in cooperation with colleagues from the field of criminal law)
  • Questions on dealing with business partners and regulators 
  • Mitigating risks in the form of sanctions, fines, penalties, reputational damage and third-party compensation claims