Matter / Experience

Advising a systemically important major German bank comprehensively on data protection since 2010

Dr. Thomas Helbing

HELBING Kanzlei für IT- und Datenschutzrecht

München, Germany

English, German

You current availability

Client Information

Major German bank with over 4 million customers
Financial (Banking & Insurance)
Company Size:
Large (>1000 employees)

Matter Details

Practice Area:
Data Protection Law
Matter Type:
Continuous advice
Type of service:
Sole advising lawyer
Work scope:
> 1000 hours



As a major systemically important bank, my client is subject to high regulatory requirements and many special legal provisions. Data protection violations pose an increased reputational risk for banks. Data protection regulation requirements must be implemented in a reliable, practical and risk-oriented manner. The definition of processes and responsibilities in the area of data protection is therefore of particular importance, as are data protection controls by the data protection officer.

Consulting Services

I have been advising the bank since 2011 and thus consistently over a period of more than 10 years.

I support the departments responsible for data protection internally (data protection officer or operational data protection department) as well as, on a project basis, directly the business units. 

My consulting services have included: 

  • Drafting of a large set of instructions (SOP) for implementing the GDPR, including a general data protection policy as well as special instructions on the inventory of processing activities, management of data subjects' rights (e.g. access requests), conducting data protection impact assessments (DPIA), notification of data protection breaches, DPAs (data protection agreements / controller processor agreements), data transfers to third countries including transfer impact assessments (TIA) and deletion strategies.
  • Advising on the structuring of the data protection organization within the bank as well as in relation to subsidiaries and branches in Germany and internationally.
  • Drafting of customized audit and documentation forms, e.g., for legitimate interests, change of purpose, data protection notices, and software roll-outs
  • Advice on a audit concept and on audit activities by the data protection officer
  • Drafting of various consent forms and data privacy notices for employees, customers and users of websites and apps
  • Customized training courses on data protection

Expertise Gained

  • Implementation of the GDPR in regulated industries with high compliance requirements
  • Practical experience in defining and implementing responsibilities and processes for ensuring
  • Insight and close involvement in the practice of operational data protection in large organizations
Additional Information

This page describes a matter, case or other experience of a lawyer. The described experience may also stem from work at previous law firms.