INTERNAL AND EXTERNAL IT SECURITY OBLIGATIONS
For operators of critical infrastructure, such as energy suppliers, and also for cloud providers, it is eminently clear that IT security also has a legal component. For other providers too, such as SaaS (Software as a Service) providers, online shops and web portals, it is important that the focus is not only on the technical aspects of IT security and the threat of cybercrime, but also on possible legal consequences and the corresponding risk minimisation.
As a law firm specialising in data protection, IT law and IT security law, Piltz Legal advises and supports you both in the analysis and drafting of appropriate security measures and contractual texts and in legal disputes, and does so with the corresponding technical and subject-matter understanding.
We look in three directions.
Firstly, the regulations vis-à-vis your customers, from the offer to the contracts, data protection declarations to service level agreements and software contracts.
Secondly, your internal regulations, for example corresponding company guidelines, confidentiality agreements and contracts with subcontractors and IT partners.
And last but not least, legal risk minimisation against attacks by unauthorised third parties and precautions in the event of possible damage.
Our goal: to identify risk factors from a legal perspective and with an understanding of technology and to contribute in the best possible way to safeguarding your business.
- Review of existing contracts, legal texts and regulations
- Advice and support for projects
- Contract offers and customer contracts
- Support in the creation of IT security guidelines
- Legal assessment of the legal security requirements applicable to you
- Internal processing of security breaches
- Examination of possible reporting obligations to authorities
Your Piltz Legal contacts
ECJ ruling on VIN and general aspects of the term 'personal data'
The consequences of the ECJ's decision in Case C-319/22 (also referred to as the ‘Scania case’) of November 9, 2023 will certainly be discussed in the data protection scene for a long time to come. It is already visible that the judgment is making big waves in the automotive industry and related sectors, but also in the data protection community in general. However, it seems doubtful whether this is justified or whether essentially the same aspects as before the decision must be taken into account when clarifying the question of the existence of personal data. In the specific case dealt with by the ECJ, it will first be decided by the Regional Court of Cologne whether the VIN is indeed personal data for vehicle manufacturers and independent operators. The ECJ ruling itself does not yet provide a direct and unambiguous answer
Advocate General at the CJEU: Concerning the appropriateness of technical and organisational measures and compensation for non-material damages in the event of a hacker attack
The Advocate General at the Court of Justice of the European Union (CJEU), Giovanni Pitruzzella, published his opinion in case C-340/21 on 27 April 2023 regarding the conditions for compensation for non-material damages and the burden of proof for the appropriateness of technical and organisational measures (TOMs) under Art. 32 GDPR in connection with a hacker attack.