Data law

We open up possibilities

Whistleblower protection
General Data Protection Regulation (GDPR)
Artificial Intelligence Act (AI Act)
Data Act
NIS2

Whistleblower protection

Background

The Whistleblower Protection Act (HinSchG) came into force on July 2, 2023, transposing Directive (EU) 2019/1937 into German law. It serves to protect whistleblowers and obliges companies above a certain size or in certain sectors to set up internal reporting channels. The aim is to protect whistleblowers from reprisals and give companies the opportunity to resolve grievances internally before they become public.

An effective whistleblower protection system is not only a legal obligation, but also offers companies numerous advantages: It increases compliance, reduces the risk of legal violations, and prevents economic damage due to loss of reputation or high administrative fines. Companies that take whistleblower protection seriously also benefit from a better working atmosphere and an open culture of error management.

Why whistleblower protection is crucial for companies

Companies benefit in several ways from effective whistleblower protection.

Early problem detection

Internal reports enable violations to be identified at an early stage and countermeasures to be taken.

Reputation and trust

Companies that actively protect whistleblowers are perceived as responsible and enjoy greater trust among employees, customers, and business partners.

Reduction of liability risks

Proactive measures help avoid administrative fines, penalties, and damage to your image.

Open corporate culture

A whistleblower protection system creates transparency and promotes a culture of open communication.

Who must set up a whistleblower protection system?

Companies and public authorities with at least 50 employees are generally required to set up an internal reporting channel. In certain sectors, such as the financial sector, this obligation applies regardless of the size of the company.

Your advantages with our whistleblower protection system HintPilot

Our law firm offers you a comprehensive whistleblower protection system that meets all legal requirements and can be seamlessly integrated into your corporate structure. With our secure reporting channel HintPilot, we enable simple, confidential, and efficient processing of reports.

Learn more

General Data Protection

Regulation (GDPR)

GDPR – Background

The General Data Protection Regulation (GDPR) has been in force since May 25, 2018, and forms the central legal basis for the protection of personal data in the European Union. It specifies how controllers and processors may carry out the processing of personal data in order to ensure the protection of the privacy of natural persons. The aim of the regulation is to ensure a uniform level of data protection within the EU and to give data subjects more control over their data.

Basic principles of the GDPR

The GDPR is based on several basic principles that must be observed by all controllers:

Lawfulness, fairness, transparency:

The processing of personal data must have a legal basis and be comprehensible to the data subjects.

Purpose limitation

Personal data may only be collected and processed for specified, explicit, and legitimate purposes.

Data minimization

Companies should only collect as much data as is necessary for the purpose for which it is intended.

Accuracy

Personal data must be accurate and kept up to date.

Storage limitation

Personal data must not be stored for longer than necessary.

Integrity and confidentiality

Companies must take appropriate security measures to protect personal data.

Obligations of the controller

In addition to these basic principles, controllers must fulfill very specific obligations when processing personal data. These include, for example:

Ensuring the rights of data subjects
A reporting obligation in the event of personal data breaches
The appointment of a Data Protection Officer
Ensuring technical and organisational measures for data protection
General documentation and accountability obligations
Rules for transfers of personal data to third countries

Penalties for violations

The GDPR provides for severe penalties for violations. These range from warnings to heavy administrative fines of up to €20 million or 4% of a company’s global annual turnover. In addition to financial penalties, violations can also lead to reputational damage and a loss of trust among the data subjects.

Would you like to get an initial overview of the level of data protection in your organisation? Take advantage of our free GDPR quick check.

Learn more

Interview with Scheja & Partners

Artificial Intelligence Act (AI Act)

AI Act – Background

The AI Act aims to create a harmonized set of rules within the EU that protects the safety and fundamental rights of citizens while promoting innovation. Clear guidelines are intended to minimize the risks associated with the use of AI.

Objective of the regulation

Classification of AI systems

A central element of the AI Actis the risk-based approach, which classifies AI systems into different categories:

Unacceptable risk

AI systems that pose a threat to safety or fundamental rights are prohibited.

High risk

These systems are permitted but subject to strict requirements.

Specific AI systems

AI systems subject to special transparency requirements.

AI competence

The AI Act requires companies, public authorities, associations, and NGOs to ensure that their employees have a “sufficient level of AI competence.” “AI competence” includes knowledge of the opportunities and risks of AI, the rights and obligations under the AI Act, and the ability to use AI systems competently. As this applies to all AI systems, regardless of their risk classification, all entities that use AI systems are affected.

Consequences of using AI

The core element of the AI Actis the determination of the specific obligations that apply to you. The first step is to check whether an “AI system” within the meaning of the AI Act exists at all. If this is the case, it must be determined what “role” thecompanies, public authorities, associations, and NGOs play and what risk the respective AI system poses. This gives rise to specific obligations that must be observed when using AI.

Scheja & Partners provides comprehensive advice on all legal issues relating to the AI Act, including the complex determination of roles and risks, and thus identifies your individual obligations. This allows you to concentrate fully on your core business and ensure that AI systems are used in compliance with the law.

Your authorized representatives pursuant to Articles 22 and 54 of the AI Regulation

– Compliance at the highest level

Secure access to the EU market. Minimize risks. Build trust.

Why is an authorized representative indispensable?

For providers based outside the EU – whether for a high-risk AI system or a general-purpose AI model – the appointment of a representative established in the EU is required by law in order to operate on the EU market. Without this key role, lawful market access is often not possible.

Our expertise for your safety

Authorized representative for providers of high-risk AI systems

As your company’s authorized representative, we take on all the tasks required by law, e.g.:

Checking whether the EU declaration of conformity and technical documentation have been prepared
Keeping contact details, declaration of conformity, documentation, and, where applicable, certificates – 10 years after placing on the market/putting into service
Providing all information required for proof of conformity and automatically generated logs upon request by authorities
Cooperating with authorities to minimise risk
Acting as a contact person for authorities in all matters relating to ensuring compliance with the AI Act

Authorised representatives for general-purpose AI models

For providers of such models, we take on all tasks specified by EU legislators, e.g.:

Checking whether the technical documentation has been created and whether the legal obligations are being complied with
Keeping documentation and contact details – 10 years after placing on the market
Providing all information required for proof of conformity to the AI Office or competent authorities upon specific request
Cooperating with regulatory measures, even if your model is integrated into AI systems
Acting as a contact person for authorities in all matters relating to ensuring compliance with the AI Act

The Data Act – A new legal framework for data access

With the Data Act, the European Union has set a milestone: From September 2025, far-reaching obligations regarding access to, use, and sharing of data will gradually come into effect. The aim is to make data more usable for innovation and competition – especially in the area of connected products and digital services.

For companies, this means new opportunities for data-driven business models, but also significant legal risks if requirements are not met.

Data Act in the context of the European Data Strategy

The central challenge of implementation lies in the interplay between the Data Act and other legal acts of recent years, including the GDPR. The Data Act covers both personal data and non-personal data.

Resolving this conflict poses enormous challenges for those affected by this legal act in times of complex data structures:

What precautions must controllers take to enable the transfer of data?
What technical and legal foundations must be in place before customers and other third parties can assert their rights?
How can controllers themselves benefit from the Data Act?

What companies should do now

Implementing the Data Act requires more than just reviewing individual legal cases. Holistic strategies are needed that bring together technology, contracts, and other essential components of implementation. These include:

Establishing secure interfaces for data use and transfer
Adapting contractual clauses in light of new fairness requirements
Developing integrated compliance concepts that combine the GDPR and the Data Act
Identifying opportunities for new data-driven business models

NIS2 – Are you well prepared?

The EU Directive NIS2 (Network and Information Security Directive) is on everyone’s lips – and with good reason. It will reshape the rules for cybersecurity across Europe, aiming to strengthen resilience and safeguard digital infrastructures. Germany missed the implementation deadline in October 2024. However, following the government draft resolution in July 2025, the NIS2 Implementation Act (NIS2UmsuCG) is expected to come into force at the end of 2025 or beginning of 2026.

Why sitting back is not an option

IS2 will apply to far more companies and public bodies than before, requiring strict compliance with binding minimum standards for IT security, risk management, and incident reporting.

At the very least, organizations should promptly assess whether they fall within the scope of NIS2. Given the complexity of the new obligations, entities likely to be affected are strongly advised to conduct a gap analysis well before the NIS2UmsuCG comes into force – and to initiate necessary measures early to meet the heightened requirements.

Key changes & new obligations under NIS2

Expanded scope:
Many more sectors are now classified as “essential entities” – not just traditional critical infrastructures.
Management liability
Executive leadership will bear personal responsibility for implementing security requirements.
Minimum security requirements
Mandatory baseline measures (e.g., technical and organizational safeguards, incident response mechanisms).

Supply chain considerations
Security responsibilities extend to service providers and suppliers.

Multi-level incident reporting
Incidents must be reported promptly in accordance with national rules.

Tougher sanctions
Significantly higher fines for non-compliance – comparable to the GDPR

Who is affected?

Public bodies, authorities, and companies in sectors such as energy, transport, healthcare, digital services, public administration, and more.
Medium-sized and large entities providing important or critical services.
IT service providers and suppliers as part of the extended supply chain

Your obligations once the German law enters into force

Governance duties: Ultimate accountability at the management and leadership level.
Risk analysis and management: Regular assessments and controls
Security measures: Implementation and maintenance of technical and organizational safeguards.
Supply chain integration: Ensuring third parties meet security requirements.
Incident reporting: Mandatory notifications within specified timeframes to authorities (e.g., the German BSI).
Registration: Affected entities must register with competent authorities.

Initial recommendations for action

Assess applicability: Is your organization covered by NIS2?
Conduct a gap analysis: Identify compliance gaps compared to the new standards.
Clarify governance & responsibilities: Define clear roles for management, IT security, data protection, and risk management.
Start implementing minimum security requirements: Especially in IT, process controls, and supply chain management.
Plan registration and reporting processes with sufficient lead time.
Train employees and management to raise awareness and minimize risks

Trust in Scheja & Partners’ expertise

As a law firm specialized in data protection, data law, and cybersecurity, we combine legal expertise with practical implementation know-how. Our experience with complex compliance regimes – such as the GDPR, the Supply Chain Due Diligence Act, and now NIS2 – enables us to help you:

Translate legal and technical requirements into practical, risk-conscious, and future-proof solutions.
Minimize liability risks for executives and organizations.
Ensure your compliance roadmap is efficient, reliable, and sustainable.

Whether you are a medium-sized company, multinational group, or public authority – with us, you can be confident that you won’t be navigating in the dark, but will be fully prepared when the NIS2UmsuCG comes into force in Germany.

Let’s talk.

Jens-Martin Heidemann, LL.M.

Contact me

View Profile