Data exchange: Legal questions in the use of data spaces
A guest contribution by
Dr. Alexander Molle & Dr. Benedikt Burger* | Translated by AI
With initiatives like Manufacturing-X, data spaces are becoming more prominent in the minds of many company and project managers. With all the possibilities, however, legal questions also arise. Two digital experts from the law firm Gleiss Lutz provide answers.
Some legal aspects of working with data spaces are explored below, to give companies strategies for handling data in a legally secure and responsible manner and for responding appropriately in the event of a data protection violation.
Dr. Alexander Molle is a partner at the Berlin office of Gleiss Lutz and specializes in IT law. He advises on IoT, AI, SaaS, cloud computing projects, M&A, outsourcing transactions, complex IT contracts, e-commerce, internet law, and IT-related litigation.
Dr. Benedikt Burger is an attorney at the Stuttgart office of Gleiss Lutz, focusing on complex technical litigation (in negotiations, court proceedings, and arbitration) and strategic advice on technology-driven projects.
Further editorial contributions: Dr. Hannah Bug, Dr. Marc Ruttloff, Prof. Dr. Eric Wagner, and Simon Wegmann.
With the rise of data spaces, the General Data Protection Regulation, or GDPR, is once again receiving attention. Companies must not only ensure that they meet data protection requirements but also minimize the risks of high fines and legal consequences in the event of a violation. At the same time, they face the challenge of making clear contractual arrangements to maintain the protection of sensitive information, intellectual property rights, and data usage rights.
Especially in a constantly changing legal environment that includes industry-specific requirements and international regulations, active compliance management is essential. Below, lawyers Benedikt Burger and Alexander Molle from the law firm Gleiss Lutz answer some of the most common legal questions about legally compliant work with data spaces.
How do companies ensure that they comply with the General Data Protection Regulation (GDPR) when processing personal data in data spaces, and what sanctions do they face in the event of a violation?
Data spaces vary significantly in terms of data protection requirements. Data spaces like the European Health Data Space require consent-based access to personal data and a consent management system integrated from the start. Industrial data spaces, on the other hand, can often operate without personal data. It is always important to conduct a careful and documented assessment to determine whether personal data is present.
Every data space is easier to operate in data protection terms when it works with anonymized data. Violations of data protection law can lead to high fines and claims for damages. Competitors may also take action, for example by issuing cease-and-desist letters.
What contractual arrangements should organizations put in place to ensure the confidentiality and protection of sensitive information in data spaces?
Contracts should specify which data is confidential. Confidentiality obligations should be agreed upon for such data. These include, in particular, obligations not to disclose or share confidential information without the express consent of the providing company—except for legally mandatory disclosures—as well as deletion obligations. Furthermore, technical protective measures such as data encryption and IT security audits should be included. Contractual penalties can contribute to sanctioning violations.
Who owns the intellectual property in the data and information generated or shared within data spaces? Are clear contractual agreements necessary for this?
Individual data or pieces of information are generally not protected by intellectual property rights. Data collections can be protected by copyright as database works, provided the selection and arrangement of the data are the personal intellectual creation of a human being. If the selection and arrangement are carried out exclusively by software, only the sui generis database right comes into consideration. That right, however, gives the database maker exploitation rights only in the database as a whole, not in the individual data.
Due to the insufficient legal protection of data and information in data rooms, contractual agreements, especially regarding the so-called ownership of the shared data, the generated/derived data, and any analysis results are important.
What usage rights exist for the data? Are clear contractual agreements necessary for this?
Subject to any confidentiality protection, data can generally be used freely. Clear contractual agreements are therefore advisable to regulate the usage rights in the data. In particular, the permissible scope of use, the duration of the permitted use, and any authorization to share the data with third parties should be regulated.
What specific requirements or legal regulations apply to the use of data spaces in particular industry environments?
There are currently few regulations specifically for data spaces; sector-specific rules are being introduced, for example with the European Health Data Space. A central component of the current EU data strategy is the Data Governance Act (DGA), which creates a legal framework for data sharing.
Date: 08.12.2025
According to current working papers from the European Commission, data holders should be entitled to grant or share access to data under their control. Reuse of the data may be permitted against compensation or remuneration, or free of charge. The general European rules, for example under the GDPR, the Data Act, and the NIS Directive on network and information systems, must of course also be observed when using data spaces.
How can companies ensure compliance with the requirements and legal regulations on the use of data spaces? What sanctions are threatened in the event of a violation?
Companies must identify the relevant regulations and raise their employees' awareness, for example through ongoing training. Stable and efficient data compliance governance is essential; it requires clear responsibilities and practical procedures. Data Compliance Management Systems (DCMS) complement existing Data Protection Management Systems (DSMS, from the German Datenschutzmanagementsystem). Non-compliance may result in sanctions, including those under the GDPR.
How can companies minimize liability risks associated with data loss or misuse? What liability clauses should be included in contracts?
Data spaces and the data in them must be protected against data loss and unauthorized access through technical measures and contractual arrangements. It is important to distinguish between the internal and the external relationship:
Internal relationship: A functioning DCMS and technical measures such as encryption, access controls (including multi-factor authentication and role-based access control), continuous monitoring, logging, and data backups are essential. In addition, the risk should be reduced by thoroughly training the users of the data space and creating awareness.
External relationship: Preventive measures and contractual agreements between the company and the data space provider are important. Selecting a certified provider and concluding clear contractual agreements (terms and conditions, liability clauses, service level agreements) that require compliance with the relevant standards, in particular the GDPR and ISO/IEC 27001, reduce the risk. Data recipients should be obliged to implement technical protective measures themselves and to grant third parties access only to the extent strictly necessary and only after a confidentiality agreement has been signed. Contractual penalties can encourage compliance with these obligations.
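The contractual usage rights discussed earlier (permissible scope, duration, onward sharing with third parties only under a confidentiality agreement) and the internal measures listed here (role-based access control, multi-factor authentication, logging) can be enforced together at the point where data is handed out. The following Python is an added example written for this editorial, not code from the authors or from any data space initiative; the policy fields, role and purpose names, data set identifiers and dates are constructed assumptions chosen to mirror the points the answers make.

```python
"""Usage-control gate for data shared in a data space.

Added illustration, not code from the article or from any data space
project. Policy fields, roles, purposes, data set names and the sample
requests are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UsagePolicy:
    """Contractually agreed usage rights attached to one shared data set."""
    data_id: str
    provider: str
    allowed_purposes: frozenset   # permissible scope of use
    allowed_roles: frozenset      # role-based access on the recipient side
    valid_until: datetime         # duration of the permitted use
    third_party_sharing: bool     # may the recipient pass the data on at all?
    confidential: bool            # stricter technical checks apply


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    role: str
    purpose: str
    mfa_verified: bool
    onward_recipient: Optional[str] = None   # set when sharing with a third party
    recipient_nda_signed: bool = False       # third party has signed an NDA


class DataSpaceGate:
    """Evaluates every access against the policy (default deny) and logs it."""

    def __init__(self, policies: Dict[str, UsagePolicy]) -> None:
        self.policies = policies
        self.audit_log: List[dict] = []

    def decide(self, data_id: str, req: AccessRequest, now: datetime) -> Tuple[bool, List[str]]:
        reasons: List[str] = []
        policy = self.policies.get(data_id)
        if policy is None:
            reasons.append("no policy for this data set; default deny")
        else:
            if now > policy.valid_until:
                reasons.append("permitted usage period has expired")
            if req.purpose not in policy.allowed_purposes:
                reasons.append(f"purpose '{req.purpose}' is outside the agreed scope")
            if req.role not in policy.allowed_roles:
                reasons.append(f"role '{req.role}' is not permitted")
            if policy.confidential and not req.mfa_verified:
                reasons.append("confidential data requires multi-factor authentication")
            if req.onward_recipient is not None:
                if not policy.third_party_sharing:
                    reasons.append("sharing with third parties is not permitted")
                elif not req.recipient_nda_signed:
                    reasons.append("third party must sign a confidentiality agreement first")
        allowed = not reasons
        # Every decision, denials included, is recorded: this log is the
        # evidence for the documented assessment and for breach reporting.
        self.audit_log.append({
            "ts": now.isoformat(), "data_id": data_id, "subject": req.subject,
            "role": req.role, "purpose": req.purpose,
            "onward_recipient": req.onward_recipient,
            "decision": "ALLOW" if allowed else "DENY", "reasons": list(reasons),
        })
        return allowed, reasons


def build_demo_gate() -> DataSpaceGate:
    """Constructed policies: a confidential telemetry set that may not be
    redistributed, and batch records that may go to NDA-bound partners."""
    return DataSpaceGate({
        "press-line-telemetry": UsagePolicy(
            "press-line-telemetry", "supplier-a",
            frozenset({"predictive-maintenance"}), frozenset({"maintenance-engineer"}),
            datetime(2026, 6, 30, tzinfo=timezone.utc),
            third_party_sharing=False, confidential=True),
        "material-batch-records": UsagePolicy(
            "material-batch-records", "supplier-b",
            frozenset({"quality-audit", "traceability"}), frozenset({"quality-manager", "auditor"}),
            datetime(2025, 12, 31, tzinfo=timezone.utc),
            third_party_sharing=True, confidential=False),
    })


def run_demo() -> Tuple[List[Tuple[bool, List[str]]], List[dict]]:
    """Runs four constructed requests through the gate; returns decisions and the audit log."""
    gate = build_demo_gate()
    now = datetime(2025, 12, 8, tzinfo=timezone.utc)
    later = datetime(2026, 1, 15, tzinfo=timezone.utc)   # after the batch-records period ends
    decisions = [
        gate.decide("press-line-telemetry",
                    AccessRequest("eve", "maintenance-engineer", "predictive-maintenance", True), now),
        # same engineer reuses the data for sales analytics and skipped MFA
        gate.decide("press-line-telemetry",
                    AccessRequest("eve", "maintenance-engineer", "sales-analytics", False), now),
        # onward sharing of batch records to a partner that has signed an NDA
        gate.decide("material-batch-records",
                    AccessRequest("quinn", "auditor", "traceability", False, "partner-c", True), now),
        # the same sharing after the agreed usage period has expired
        gate.decide("material-batch-records",
                    AccessRequest("quinn", "auditor", "traceability", False, "partner-c", True), later),
    ]
    return decisions, gate.audit_log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry["decision"], entry["data_id"], entry["subject"], entry["reasons"])
```

The gate denies by default when no policy is registered and accumulates every failed condition rather than stopping at the first one, so the audit record shows the full picture for the compliance review. Binding the expiry, purpose and onward-sharing conditions to the data set rather than to the user is what lets the same mechanism enforce the contract with the provider and the internal role model at once.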
Are there international data protection and data transfer regulations to be considered when companies exchange data between different countries?
Many data spaces are initially designed for a specific territory, such as the EU or the European Economic Area, where internal data exchange imposes no particular requirements. Transferring personal data beyond these borders requires additional compliance mechanisms. This may mean limiting the data space to countries for which the EU has recognised an adequate level of data protection, such as the United Kingdom or Japan. Expanding further often requires complex contractual foundations, such as the EU standard contractual clauses, to guarantee a certain level of data protection. Problems arise when data spaces collide with statutory data localization requirements, as in Russia and partly in China.
How can organizations adapt their internal processes and policies to ensure they can respond quickly and legally in case of a data protection breach?
Handling data breaches requires good data governance and careful data minimization. Internal processes and policies must define who is responsible for which data. Once responsibility is clearly assigned, the so-called reporting chain must be documented so that information about a breach quickly reaches the persons who must notify the competent authority. Legal acts such as the NIS 2 Directive, the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act are continually expanding these reporting obligations.