Innovation and Law

Your company

Innovation and Law provides you with the consultancy needed to understand law as an enabler and supporter of innovation. We focus on building privacy- and security-by-design solutions that incorporate appropriate standards - in particular, certificates, codes of conduct and/or Binding Corporate Rules.

Privacy- and Security-by-Design

Privacy- and security-by-design is a regulatory approach established by the EU General Data Protection Regulation (GDPR). It requires data controllers and/or processors to implement technical and organisational measures in order to mitigate privacy and security risks. Among the main instruments for demonstrating compliance with the requirements of privacy- and security-by-design, just as with legal requirements in general, are certificates and codes of conduct. These mechanisms enable data controllers and processors to create trust among their customers in their data-driven products and services, and to use this as a core value and competitive advantage on the market.

Technological and Data-Driven Innovation

Technological and data-driven innovation is the core driver of public welfare in our digitized society. Data-driven innovations can solve many problems of society, through both the private and public sector: transport, logistics, product and service development, administration, communication, finance, health, and science in general.



Controlling Risks of Data-Driven Innovation

However, data-driven innovation can also create risks for individuals and even for society as a whole. For example, data-driven innovation can be misused by people who illegitimately intrude into an individual's privacy, engage in unjustified discrimination against people, or monitor society at large.



Enhancing Trust in Data-Driven Products/Services

Therefore, in order to fully exploit the positive effects of data-driven innovation, it is necessary to control its risks. Customers can only trust in data-driven products and services if the risks are controlled, and data controllers and processors can only then fully exploit the commercial benefits of data-driven innovation.



Exploiting the Competitive Advantage

The new General Data Protection Regulation builds upon this approach by establishing broad legal terms and general principles, which leave data controllers and processors considerable room for manoeuvre in applying these requirements during their innovation processes. In order to make sure that their specific application meets the regulator’s expectations, controllers and processors can additionally build and/or use certificates or codes of conduct demonstrating legal compliance. This mechanism increases legal certainty, which is important not only to avoid legal fines but also to signal compliance to customers.

Certification

Data controllers and processors can develop new certificates or use existing ones in order to demonstrate the compliance of certain processing activities. This might imply certain product or service categories. A certificate is the ideal instrument to signal compliance as a core value of the product or service and to compete with it against other providers of products or services of the same category, which may have a lower data protection level.

Certificates

Data controllers and processors can build new certificates or use existing ones in order to demonstrate compliance for certain processing activities. This might imply certain product or service categories. A certificate is the ideal instrument in order to signal compliance as a core value of the product or service and to compete with it against other providers of products or services of the same category, which possibly have a lower data protection level.

Codes of Conduct

Data controllers and processors can also set up or use codes of conduct for a certain processing sector. In contrast to certificates, a code of conduct demonstrates compliance not only for a certain processing activity (or product or service), but for a whole bundle of activities typical in that sector. However, since the scope of application of a code of conduct is wider than that of a certificate, it is more complex to set up.

Binding Corporate Rules

Similar to a code of conduct, binding corporate rules do not only refer to a certain processing activity but to a bundle of activities. However, while a code of conduct focuses on a processing sector, binding corporate rules apply to one company. Binding corporate rules are particularly useful for globally operating companies because they can legitimize the transfer of personal data within the company, irrespective of whether this occurs inside or outside the EU.

Advantages

In summary, there are the following five key advantages for data controllers and processors using certificates, codes of conduct or binding corporate rules:

Certificates can demonstrate compliance with the privacy-by-design requirement under Article 25 GDPR.
Certificates and codes of conduct can demonstrate compliance with the security-by-design requirements under Article 32 GDPR.
Certificates and codes of conduct can demonstrate compliance with the principle of responsibility (i.e. with GDPR requirements, in general) under Article 24 GDPR.
In the case of a data protection infringement, the adherence to certificates or codes of conduct can decide on whether an administrative fine is imposed or on its amount.
Certificates, codes of conduct and binding corporate rules can provide for appropriate safeguards legitimizing the transfer of personal data to a third country outside the EU (this is particularly important for the USA and will soon be for the UK).

Focus Areas

Team

Network

Maximilian von Grafenstein LL.M.

Jan Schallaböck

Christina Petsopoulou-Douka

Elissa Jelowicki

Scientific Advisory Board

Prof. Dr. Dr. Thomas Schildhauer

Prof. Dr. Wolfgang Schulz

Get in Touch