There are 10 kinds of law office
when it comes to data law:
The one kind is at home
in the binary system.
The other is not.

The triumph of digital data

Digital data are the capital of the future – and that capital is growing unstoppably. In 2018 there were around 33 zettabytes of data (a zettabyte is a 1 with 21 zeros), but by 2025 there will be 175 zettabytes in circulation. And this will by no means be all that the binary system has to offer.

Data quantities in businesses are rising especially fast. By 2025, businesses will be producing around 80% of all data – whereas today, end users and businesses use approximately the same amount.

This digitalisation, and the value and use of data, are confronting most companies’ business models with completely new changes. There are big opportunities, but also many challenges. This applies also to businesses whose models are not data-driven, because value-adding and supply chains are digitalising at an exponential rate.

Dr. Andrea Panzer-Heemeier + Tobias Neufeld, LL.M.

The challenge for businesses

Decisions made now will decide whether a business surfs the digital wave of the future or is drowned by it. The potential that lies in the data that businesses are creating and storing means lots of opportunities – but also risks.

There are the rising demands on cyber security and IT and data security, which are among the increasingly stringent compliance duties of business leaders.

Completely new questions are raised by the use and commercialisation of data, such as in the context of Big Data, AI robotics and networked data structures in digital ecosystems such as the European GAIA-X. Who owns data, who has control of it, and how can data usage be commercialised? How is the value of data shown in a company balance sheet? And then there are recently formulated questions relating to data ethics and corporate digital responsibility (CDR).

Finally there is data protection law (GDPR/BDSG), which is still in its early stages in terms of official monitoring and case law. And here’s another fast-changing field: fines and data privacy litigation can be used against businesses by the authorities, competitors and consumer associations.

Here are the major data themes for businesses:

  • Business model changes / change projects brought about by digitalisation
  • Data-based value-adding
  • Internet business models and online marketing
  • Health data as a value and business model
  • GDPR/BDSG compliance
  • Human resources and processing employee data
  • International data transfers
  • Data and data protection in M&A transactions
  • Outsourcing
  • GDPR information demands as a new tactic
  • Know-how and data loss prevention
  • Crisis management / reputation management / communication (especially cyber attacks and data loss)
  • Managing data-related litigation against rivals and authorities

The competence of Data.Law by ARQIS

Unusual times demand unusual solutions – like Data.Law by ARQIS. Data.Law by ARQIS offers our clients a new type of innovative, holistic, data-related legal service:

a technically adept, integrated data consultant who can solve any data issue – in its context and in its entirety – using a one-stop approach. One who tackles and implements change projects and digital challenges together with the client. Regardless of legal field or industry. Nationally and internationally.

This ground-breaking consulting approach is based on a combination of competencies which Data.Law by ARQIS can draw upon.

  • Data protection law (GDPR/BDSG)
  • Compliance
  • Litigation
  • IP/IT
  • Commercial
  • Corporate
  • M&A
  • Labour law (HR.Law)
  • Data.Law by ARQIS can draw upon proven expertise at ARQIS. ARQIS already has strong consultants in the market in every relevant consulting field. ARQIS has a successfully tested interdisciplinary network. This means our clients have access to the expertise of digital strategists, digital experts, IT security experts, communication experts and forensic experts – all from a single source.
  • Data.Law by ARQIS is co-founder of b.yond, a consulting solution that provides answers to the ethical and legal questions of the digital world: (only in German so far)

The team at Data.Law by ARQIS

Tobias Neufeld led the development of an innovative consulting service at ARQIS for data protection law. Data.Law by ARQIS is based on the design thinking approach to work. Unlike many methods in science and legal practice, which approach tasks in terms of their legal solvability, this method focuses on the business. Design thinking enables us to overcome traditional, outdated thinking, learning and working models, and to solve complex problems creatively in order to master digital transformation.

Tobias Neufeld, LL.M.

has been a partner at ARQIS since 2020. He has decades of experience providing data consultancy services to national and international enterprises. Before joining ARQIS Tobias established and headed the German data protection unit at a major multinational law firm. He was also a member of the worldwide Data Privacy & Cybersecurity unit at that same Magic Circle law firm. Tobias has Certified Information Privacy Professional – Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certification from the world’s largest data protection organisation, IAPP.

According to Chambers Europe he is a data protection consultant with “outstanding expertise” and “an excellent communicator with fast reactions and a strong client orientation”. He also “draws on in-depth legal knowledge to deliver first-rate advice”. Legal 500 Deutschland describes his work in the field of data protection as “efficient, clear and incisive” and emphasised his “diverse expert knowledge”. It also described him as “adept in complex international issues”.

Tobias shares his data protection expertise as a visiting lecturer at the University of Münster (WWU), as lecturer and executive board member for the JurGrad (LL.M. course), and in various lecturing engagements and publications. He is a member of the advisory board at the ‘Compliance Berater’ magazine.

Successful in operation: Data.Law by ARQIS in action

Data.Law by ARQIS is new. But we have already successfully used the method and mindset behind it in several projects.
Here, you can see which cases we already worked on in four case studies – and more importantly: how we solved them.

Compliance & data privacy: internal investigations

Data protection law support to international banks during global internal investigations. Comprehensive advice on the targeted screening of employee e-mails and on negotiating appropriate data protection contracts with external screening service providers.

  • Drafting and negotiation of international service contracts and data processing contracts
  • Drafting and negotiation of a data law-compliant company agreement on screening
  • Collaboration with the capital market law experts and the data protection officer

Public affairs: request for data from a foreign regulator

Provision of consultancy services to a European corporation which was confronted with a request for data from a foreign regulator in the midst of a multi-billion take-over battle. Under threat of sanctions, the German senior management team was instructed to disclose the details of the company’s shareholder structure.

  • Legal first: Is the disclosure of the shareholder structure compliant with data protection legislation?
  • Analysis of what information could be disclosed to prevent an escalation of the conflict with the foreign regulator
  • Extremely time-critical: the consultancy process concluded successfully within the three-day time limit
  • Collaboration with the corporate/M&A experts

Provision of advice to a U.S. bank on its German operating company’s compliance when the Office of Foreign Assets Control in the U.S. requested the transaction data of global banking customers. The customers in question were on sanctions lists. We successfully resolved the situation of U.S. banking supervision law colliding with European data protection legislation and German rules on banking secrecy.

  • Analysis of group-wide data flows
  • Review of agreements on information sharing between group companies
  • Clarification of admissible access to data in European data warehouses
  • Comparative analysis of legislation in Germany/UK/Asia

Data M&A

1. Review of data-driven business models

Provision of advice to global insurance groups on privacy due diligence and product valuation for FinTech company M&As.

  • Legal first due to the sector-specific factors
  • Provision of advice in an extremely time-critical situation
  • Collaboration with corporate/M&A, IP/IT, labour law and private equity experts

Privacy due diligence for a U.S. conglomerate in the process of acquiring a European InsurTech company.

  • Conversion of the data-intensive business model to reflect GDPR compliance requirements
  • Collaboration with corporate/M&A, insurance law, labour law, IP/IT, banking and finance law experts

2. Data flows in the company sales and demergers

Advice to banks on business units spin-offs to a group company. Data protection legislation often plays a key role when data use (customer data) is the business unit’s main commercial asset.

  • Data protection law-compliant structuring of the spin-off and subsequent mergers
  • Adaptation of the terms of the spin-off and acquisition agreement to the business database and its commercial use
  • Problems relating to test dataset exchange prior to closing
  • Collaboration with corporate/M&A, labour law, tax, litigation and international capital market law experts

Data technology: development of new business models/apps

Comprehensive data protection law advice to a parking services and carpark management payment app provider

  • Data flow analysis
  • Drafting of a data privacy notice for the website and app
  • Drafting of data protection law input for GTCs and contracts with municipal and local authorities
  • International advice in Germany, Belgium, France, Italy, the Netherlands and Spain

Data use in HR

Advice on data protection issues in connection with Europe-wide pre-employment screening (vetting)

  • Review of admissibility under labour and data protection legislation
  • Review of the data processing contract and declarations of consent
  • Clarification of data protection law content in the global agreement and local order forms

Advice on data protection and co-determination issues in connection with the global roll-out of Human Capital Management (HCM) systems (Workday, Success Factors etc.).

  • Data flow analysis and evaluation of data protection legislation compliance, data protection impact assessment
  • Drafting of the necessary contracts on joint responsibility, international data transfer and company agreements

Global implementation of digital signature software and biometric access systems.

  • Labour and data protection law feasibility analysis
  • Drafting of the necessary data documentation
  • Structuring of works council co-determination processes

You are interested in the solutions of Data.Law by ARQIS for your company?

Tobias Neufeld looks forward to your call.

Tobias Neufeld, LL.M.
Partner, Rechtsanwalt, Solicitor (England & Wales)
Certified Information Privacy Professional/Europe (CIPP/E)
Certified Information Privacy Manager (CIPM)
T +49 211 13069 -2040

HR.Law by ARQIS is an innovative advisory service of ARQIS, an independent business law firm operating in Germany and Japan. For more information on ARQIS, visit: