Monika Kuschewsky is a German Rechtsanwältin and qualified as a Certified Information Privacy Professional/Europe (CIPP/E) and Betrieblicher Datenschutzbeauftragter (German company data protection officer) (GDDcert.). Monika is the general editor of Data Protection & Privacy – International Series, a multijurisdictional reference guide published by Thomson Reuters for companies, legal professionals and data protection officers, covering 46 major jurisdictions worldwide, which is now in its third edition.

Monika has practiced in Brussels since 2000. Prior to joining our Data Privacy & Cybersecurity Group, she was a senior lawyer in a US-headquartered law firm and prior to that, a partner in an independent Brussels-headquartered law firm, where she developed and headed the European data protection practice.

Monika has broad experience in a wide range of data protection matters, with a particular focus on international data transfers (Binding Corporate Rules [BCRs], EU standard contractual clauses, Privacy Shield), outsourcing, HR data protection and direct marketing. Monika has successfully managed numerous data protection projects, including multijurisdictional audits and compliance programs, at a pan-European level and beyond, and has carried out data protection impact assessments. She helps companies prepare for the General Data Protection Regulation (GDPR) and other legislative developments in the data protection field at the EU level and in Germany. She represents clients before data protection authorities and provides training on data protection, helping clients navigate the complex rules in relation to data processing and requests for disclosure of personal data in the context of internal and external investigations and non-EU litigation. She also advises on the data protection implications of the use of new technologies and practices, such as big data, mobile apps, the Internet of Things (IoT), Bring Your Own Device (BYOD), cloud computing, geolocation services, cookies and other tracking technologies and social media. Monika also handles health data-related matters.

Monika advises multinationals, as well as large- and medium-sized companies and trade associations in a wide range of sectors, including media and technology, energy and transport, healthcare, pharmaceuticals and finance.

Award Mouse thought multimedia interface book medal screen monitor
  • Advising several clients and trade associations on the implications of the General Data Protection Regulation, the Privacy Shield and other data protection developments.
  • Advised several life sciences and medical devices companies with respect to website privacy policy, mobile apps, patient information and consent and processing of patient and healthcare professionals’ personal data.
  • Advised medical devices companies on data protection issues related to mobile health applications and outsourcing of data processing.
  • Participated in the drafting team, under the auspices of the European Commission, which developed the Code of Conduct on privacy for m-Health apps.
  • Advising a trade association in the transport sector and several clients on the implications of the General Data Protection Regulation, the Privacy Shield and other data protection developments for the members of the association. Assisted in the development of data protection principles.
  • Carried out a data protection compliance audit in preparation for BCRs, developed the relevant BCR documents and representing a US-headquartered multinational in BCR approval proceedings before a German data protection authority.
  • Assisted a US multinational in the preparation of BCR documentation and advised on the implications of the annulment of the EU-US Safe Harbor adequacy decision.
  • Conducted a comprehensive data protection audit in preparation for the BCR application of a global supplier in the oil and gas industry and assisted in the implementation of the BCR.
  • Conducted a data protection compliance audit and gap analysis for a US multinational in the finance sector in light of the EU Data Protection Directive and the General Data Protection Regulation and assisting in the development of various compliance tools.
  • Assisted a US-headquartered client in a data protection compliance investigation by a German data protection authority and prepared a response.
  • Provided advice on data breach notification obligations in Germany to a US-headquartered client in the media sector and assisted in the preparation of the notifications.
  • Carried out a data protection impact assessment of a new HR system and provided strategic advice to the headquarters of a US multinational regarding the involvement of the German affiliate‘s data protection officer and works council.
  • Advised a US-based IT company on the legal framework in Germany regarding law enforcement requests for information.
  • Advised a US-headquartered company in the aviation sector on German law enforcement authorities‘ request for information
  • Provided legal advice to an Asian and a US multinational regarding the German rules that are relevant for the use of cloud computing in various industry sectors.
  • Provided strategic advice on the location of data centers in the EU.
  • Advised an Asian multinational on the data protection issues related to the envisaged transfer of customer personal data as part of the divestiture of parts of its business and developed notice and consent forms.
  • Advised several companies on the legal requirements for marketing activities in Germany.
  • Managed and supervised several multijurisdictional audits at a pan-European level, including of HR and customer data processing, as well as the use of cookies, of Fortune 500 and other international companies with establishments in several European countries. Other multijurisdictional projects have included the preparation and roll-out of compliance solutions for international data transfers, internal and third country governmental investigations, whistleblowing schemes and data breaches.
  • Participated in the audit of the data processing practices of a non-European multinational conglomerate IT and electronics company and the development of a global compliance strategy. Involved in the development of its global privacy policy, HR and due diligence guidelines. Advised on the deployment of Big Data.
  • Developed and successfully implemented a number of pan-European data protection compliance programs, which include, among others, the drafting of various policies, procedures and information notices, as well as filing registrations and notifications in EU Member States. Prepared contractual clauses, including with respect to international data transfers and the use of processors and assisted in contract negotiations.
  • Reviewed and amended vendor contracts for a number of clients and assisted in the negotiation of the relevant data protection terms.
  • Advised several clients on the possible set up of an internal data protection organization and the rules and requirements applicable to data protection officers in Germany.
  • Developed a data protection compliance strategy regarding the sharing of personal data and international data transfers of an organization and its members in the transport sector. Prepared data transfer, controller-to-controller and processor agreements and worked on a security policy.
  • Advising a global biopharma company on the legal aspects and implementation of a Customer Relationship Management system in several European jurisdictions.
  • Reviewed various IT and email policies of a global life sciences company and amended them in light of several IT projects, including email and server consolidation and mobile device management. Advised and developed a BYOD policy and related documents. Prepared processor and international data transfer agreements.
  • Drafted and amended controller-to-controller agreements, including for a life sciences company in relation to its distributors.
  • Advised a leading global IT company and others on miscellaneous questions of German data protection law, including in relation to direct marketing, call center activities, asset deals and the deployment of new technologies.
  • Advised a global IT company and a multinational in the banking sector on Germany’s new IT Security Law.
  • Advised clients in the financial and health sectors on the data protection implications of internal and external investigations and e-discovery requests for information, developed notices and consent forms and other compliance tools.


  • International Association of Privacy Professionals, 2009
  • GDD, 2007
  • Kammergericht Berlin, Second State Examination, 1999
  • University of Bristol, LL.M., 1997
  • Freie Universität Berlin, First State Examination, 1996


  • Belgium (EU List)
  • Germany

Memberships and Affiliations

  • International Association of Privacy Professionals (IAPP), Member
  • IAPP Brussels KnowledgeNet, Co-Chair
  • Privacy & Data Protection Journal, Member of the Editorial Board
  • Research contributor to Nymity
  • Gesellschaft für Datenschutz und Datensicherheit e.V. (GDD) (German Association for Data Protection and Data Security), MemberDigital Economy Committee of the American Chamber of Commerce to the European Union, Member
  • Deutscher Juristinnenbund e.V. (German Women Lawyers Association), Member
  • Studienvereinigung Kartellrecht e.V. (Association of German, Austrian and Swiss lawyers with a special interest in antitrust law), Member


  • German
  • English
  • French

{{}} {{insights.source}} {{insights.type}}


  • “This Facebook Nemesis Says Businesses Will Shun U.S.-EU Privacy Deal,” Fortune, July 11, 2016
  • “The EU-US Privacy Shield: What’s New and What’s Next?” BNA World Data Protection Report, July 2016.
  • “Classifying IP addresses as personal data,” LexisPSL IP & IT, June 13, 2016.
  • “EU strikes deal on data protection rules,” Politico, December 15, 2015.
  • “Special report: Confusion reigns in wake of safe harbor ruling,” Politico, November 1, 2015.
  • “EU privacy regulators give EU, U.S. three months to find new data pact,” Reuters, October 16, 2015.
  • “Thousands of companies await EU ruling on U.S. data privacy pact,” Reuters, September 30, 2015.
  • “Data Protection Challenges for the Design of Financial Services,” ECRI Newsletter, Summer 2015.
  • “Article 29 Working Party Clarifies Scope of Health Data in Apps and Devices,” Inside EU Life Sciences, February 12, 2015.
  • “New Cybersecurity Law Draft Proposed by Interior Ministry,” World Data Protection Report, September 2014.
  • “Data Protection and Privacy Law - 2nd Edition,” The European Lawyer Ltd., September 2014.
  • “The new privacy guidelines of the OECD: what changes for businesses?” Journal of European Competition Law & Practice, February 21, 2014.
  • “OECD Privacy Guidelines – what has really changed?” Privacy Laws & Business International Report, December 2013.
  • “What Does the Revision of the OECD Privacy Guidelines Mean for Businesses?” MLex, October 22, 2013.
  • “Data Protection in the Context of Competition Law Investigations: An Overview of the Challenges,” SSRN, October 18, 2013.
  • “Privacy Impact Assessments – Soon Compulsory for Companies in the Life Sciences Industry?” Inside EU Life Sciences, September 2, 2013.
  • “What You Need to Know about the Article 29 Working Party’s Opinion on Purpose Limitation,” Inside EU Life Sciences, June 3, 2013.
  • “Art. 29 WP Insists on Narrow Scope for Purpose Limitation,” Privacy Laws & Business International Report, June 2013.
  • “Transferring Data Outside the EEA, Outsourcing and Cloud Computing—A Practical View,” LexisPSL IP & IT, May 23, 2013.
  • “Competition Law and Personal Data: Preliminary Thoughts on a Complex Issue,” Concurrences N° 2-2013, February 2013.
  • “Transferring Data Outside the EEA, Outsourcing and Cloud Computing,” LexisNexis, 2013.
  • “Albrecht Report on the Proposed EU Data Protection Regulation Revisited,” The Privacy Advisor, January 2013.
  • “Japanese Businesses Should Watch the EU Data Protection Law,” Nikkei Electronics, May 2012.
  • “Sweeping Reform for EU Data Protection,” The European Lawyer, March 2012.
  • “Data Protection and Privacy – Jurisdictional Comparisons,” The European Lawyer Ltd. (ISBN 190823914X), March 2012.
  • “EU DP Draft Regulation Heralds Ground-breaking Changes,” Privacy Laws & Business International Report, February 2012.
  • “Data Protection Compliance Policies,” PLC Cross-border Data Protection Handbook, 2011/2012.
  • “Data Protection: Belgium,” PLC IPIT & Communications Handbook, 2011/2012.

Speaking Engagements

  • Speaker, “Global Equivalence Of Data Protection Regimes: How To Create Bridges Between Different International Approaches?” 11th International Conference, Computers, Privacy & Data Protection: The Internet of Bodies, Brussels, Belgium, January 24, 2018.
  • “Dealing With Data,” SMMT Connected: Connected and Autonomous Vehicles Conference, March 26, 2015.
  • “Key Changes to the EU-U.S. Cross-Border Discovery Framework,”  The 8th Annual Sedona Conference International Programme On Cross-Border Discovery & Data Protection Laws, June 6, 2016.
  • “Code of Conduct on mHealth Apps: An Example of Data Protection Self-Regulation?” September 8, 2015.
  • “The EU General Data Protection Regulation: What’s Next and What It Means For Your Business,” Webinar, July 1, 2015.
  • “Secure Connectivity,” ACEA Program - The Connected Car: Safe, Clean, Secure, December 4, 2014.
  • “Privacy Impact Assessments – The Latest Thinking,” 13th Annual Data Protection Compliance Conference, October 10, 2014.
  • “Current Developments in Data Protection” and “International Cooperation in Cyber Security & Data Protection,” EU-Korea Brussels Policy Forum, November 25, 2013.
  • “Privacy Impact Assessments – When They are Needed and How to Conduct Them,” 12th Annual Data Protection Compliance Conference, September 11, 2013.
  • “Update on the Data Protection Regulation: Main Drivers and Key Elements" and "Update on the Data Protection Regulation: The Role of the DPAs,” IAPP Europe Data Protection Intensive, April 23, 2013.
  • “International Data Transfer – Compliance Solutions,” Data Protection & Privacy for In-House Advisers, February 27, 2013.
  • “New EU Data Protection Rules - Preparing Your Organisation for the Upcoming Reform, Pre-conference Workshop” and “The Long-term Approach - How Best to ‘Future-proof’ the EU’s Data Protection Regulation?” The 3rd Annual European Data Protection and Privacy Conference, December 4, 2012.
  • “Data Controller or Data Processor?” 7th Annual Data Protection Practical Compliance Conference, November 22, 2012.
  • “Accountability: A Relationship Killer or the Beginning of a Beautiful Friendship between Controllers and Processors?” IAPP Europe Data Protection Congress, November 14, 2012.
  • “Extending the Law to Data Processors and What this Means for Data Controllers,” 11th Annual Data Protection Compliance Conference, October 18, 2012.
  • “Interpreting the European Commission's Reform Proposal for a General Data Protection Regulation - What do the Proposed Changes Mean for Your Business?” 7th Corporate Counsel Exchange, IQPC, October 15, 2012.
  • “Groundbreaking Changes in the EU’s Data Protection Framework - What Does it Mean for Your Business?” Strategic Data Protection & Compliance 2012, 10/2/2012-10/3/2012.
  • “Cross-border E-discovery in the EEA,” 1/25/2012-1/27/2012, CPDP Conference.
Award Mouse thought multimedia interface book medal screen monitor