IT Law and Data Protection Law

Legal Requirements for IT and Data Protection in Companies

The term IT law stands for information technology law and covers the legal issues arising from electronic data processing. Because the underlying technologies have developed rapidly, the name of the field has changed over time: it was initially called computer law or EDP law, later IT law or software law, while Internet law or multimedia law referred mainly to legal questions concerning the Internet. Today, IT law is the established term. Within it, IT contract law, telemedia law, copyright law and data protection law are of particular importance. In practice the field is concerned primarily with drafting contracts for software licensing, software development, software rental and software leasing, and increasingly for software as a service (SaaS) business models, as well as with drafting tailored privacy policies, data processing agreements and joint controller arrangements. IT law is far from settled and continues to develop as the economy digitalizes; European and German legislators, authorities and courts deal with IT law questions constantly. The most relevant legal bases are the General Data Protection Regulation (GDPR), the Telecommunications and Telemedia Data Protection Act (TTDSG), the Digital Content Directive (EU) 2019/770, the EVB-IT (the supplementary contract terms used for public-sector IT procurement in Germany) and the resolutions, decisions, short papers and guidelines of the Data Protection Conference (DSK) of the independent federal and state data protection authorities.

Data Protection Law and BaFin Requirements for IT Compliance

New technologies constantly open up opportunities for the economy, and the financial sector is changing with them: the future, and indeed the present, of the financial industry is digital. The number of FinTech companies and start-ups in this area is growing daily, and crypto assets, blockchain technology and AI raise new legal questions in IT law, copyright law, data protection law and IT security.

When designing IT systems and the associated IT processes, established standards can be used to achieve a baseline level of protection. These include the IT-Grundschutz (IT baseline protection) methodology of the German Federal Office for Information Security (BSI), the ISO/IEC 27000 series of information security standards (in particular ISO/IEC 27001) and, for card payment data, the Payment Card Industry Data Security Standard (PCI DSS).

The German Federal Financial Supervisory Authority (BaFin) also sets out requirements for the IT of supervised companies in a series of circulars, which these companies must meet in order to satisfy the regulatory requirements for IT security. The most important are the Minimum Requirements for Risk Management (MaRisk), the Supervisory Requirements for IT in Financial Institutions (BAIT) and the Supervisory Requirements for IT in Payment and E-Money Institutions (ZAIT). The requirements of the Digital Operational Resilience Act (DORA), which applies from January 17, 2025 and, for the financial entities in its scope, takes over the role previously played by BAIT and ZAIT, are also relevant. Among other things, BaFin has implemented the guidelines of the European Banking Authority (EBA) in MaRisk. MaRisk sets out clear requirements for credit institutions regarding risk management and IT systems; the IT requirements in MaRisk are specified in more detail in BAIT. In ZAIT, BaFin explains the requirements it places on the proper management of payment and e-money institutions with regard to the use of information technology and cyber security. ZAIT builds on the requirements of BAIT and on the EBA guidelines on ICT and security risk management and on outsourcing arrangements.

Regulatory Requirements for the Outsourcing of IT

In supervisory law, outsourcing means that individual functions, whole organizational units or business processes are transferred from one company to another. In the constantly evolving financial industry it is increasingly common to outsource IT functions to specialized providers. This requires complex contracts that must satisfy not only civil law and data protection law but also supervisory law, in particular the requirements of the BaFin circulars (MaRisk, BAIT, ZAIT) and of the European Banking Authority (EBA). Outsourcing projects therefore have to be planned precisely, and the underlying contracts and data protection agreements structured to meet these requirements. The outsourced activity must be clearly defined and documented in the service description, information and audit rights must be agreed, and the supervisory authority's ability to exercise its control rights must be preserved. Provisions must also ensure that data protection rules and other security requirements are complied with. For IT security, the starting point is that current standards such as the IT-Grundschutz (IT baseline protection) of the German Federal Office for Information Security (BSI) and the ISO/IEC 27000 series of information security standards should, in principle, be applied.

The competent lawyer for advice regarding IT Law and data protection law in our law firm is Attorney Anton Schröder.