Thorsten Sörup

Thorsten Sörup  is a German Attorney at Law, a Certified Information Technology Law Specialist, and a Certified Labor and Employment Lawyer. He advises German entities as well as foreign conglomerates on all aspects of information technology (IT) law, telecommunications law, and data privacy law.

Thorsten’s practice includes negotiating and drafting contracts, such as software agreements, IT-related outsourcing and insourcing projects, license agreements, general terms and conditions, and payment solutions. He also advises on telecommunications law, digital services regulation (including the AI Act and the Data Act) as well as on IT and cybersecurity law (including NIS2, the German Federal Office for Information Security Act (BSI Act), and the Cyber Resilience Act and DORA).
As part of his data privacy practice, Thorsten advises on the structuring of complex data processing operations, data processing agreements, and domestic as well as cross-border data transfer arrangements.

In labor and employment law, Thorsten advises at the interface between employment law and data privacy law, including internal investigations, employee monitoring, works agreements, and compliance matters.

Thorsten is a lecturer at the Frankfurt University of Applied Sciences and a member of the Scientific Advisory Board of the Journal for Data Protection (ZD). He regularly publishes and speaks on labor, IT, data privacy, and telecommunications law topics.

• Advising a railway transportation company on general terms and conditions and telecommunications law in connection with the introduction and expansion of WiFi and internet services on trains; contractual structuring of WiFi offerings; implementation of regulatory requirements in the area of lawful interception measures
• IT law advice and representation of a provider of automotive noise-cancelling software in negotiations with several vehicle manufacturers and suppliers
• Advising a logistics service provider in the field of toll and fleet management services on the data regulatory assessment of its services, in particular regarding the applicability of the Data Act and the Data Governance Act
• Data privacy and IT law advice in connection with the use of AI in business processes, chatbots and customer communication
• Advising a German IT system house on the establishment of a group-wide data privacy structure, including structuring, drafting, and implementing a group-wide template for data processing agreements as well as central inter-company agreements
• General terms and conditions advice to an IT service provider regarding its entire portfolio of services and deliveries (SaaS, IaaS, software sale/rental, hardware sale/rental, software development and customizing, training and consulting services)
• Data privacy and software law assessment (in particular, open source) of a software application developed by client in connection with the planned sale of the company to a US insurance group
• IT contract law advice to a regional transportation company (bus services), in particular in the area of software development, maintenance, and support services
• Data privacy advice to a conglomerate on the use and implementation of AI applications, including drafting and rolling out an AI guideline
• Data privacy and IT law advice to the operator of an advisory and distribution platform for commercial and industrial insurance enabling brokers, agencies, banks, and other intermediaries to search, compare, and conclude insurance contracts digitally, including price comparisons, tendering of complex risks and digital contract conclusion
• Representation of a Dubai-based hardware and software distribution company in license litigation against Cisco and a Cisco distributor before the Regional Court of Munich and the Higher Regional Court of Munich

Selected Publications

• “Data Processing Service between Data Act and Digital Omnibus – A Term in Search of its Meaning”, EuCML 2026, 6, together with Philipp Zikesch and Maximilian Adrian
• “Data Processing Service – A Term in Search of its Meaning – Definition Based on Systematics, Objectives and Transferability to Service Models”, MMR 2026, 171, together with Philipp Zikesch and Maximilian Adrian
• “Existing Contracts and the EU Data Act – Applicability of Chapter VI on Cloud Switching to Existing Agreements”, MMR 2025, 487, together with Philipp Zikesch
• “Use of Microsoft Office 365 in Companies – Data Privacy and Works Constitution Law Issues and Drafting Guidance”, ZD 2021, p. 291, together with Danyal Parvez
• “The Right of Access under Article 15 GDPR – Scope and Limitations”, ZD 2019, 240, together with Philipp Zikesch
• Additional numerous publications and case commentaries in IT, telecommunications, data privacy, and labor and employment law

Selected Books, Handbooks and Monographs

• (forthcoming) Handbook on Data Law, Wiebe / Imhof / Kreutz, Beck Publishing, 1st edition 2026, Chapter 13 (IV) “Commercialization/Distribution of Electronic Communications Data” and Chapter 23 “Procedural Law”
• The New Law on Cyber Resilience (Regulation (EU) 2024/2847 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No. 168/2013 and (EU) 2019/1020 as well as Directive (EU) 2020/1828), Nomos, 1st edition, Baden-Baden 2025
• BGB Statutory Forms, Nomos, 5th edition, Baden-Baden 2024, commentary on Sections 617 to 619a, 628, 630 German Civil Code (Service Agreement) as well as Sections 662 to 674 German Civil Code (Order Agreements)
• BGB Statutory Forms, Nomos, 4th edition, Baden-Baden 2019, commentary on Sections 617 to 619a, 628, 630 German Civil Code (Service Agreement) as well as Sections 662 to 674 German Civil Code (Order Agreements)
• BGB Statutory Forms, Nomos, 3rd edition, Baden-Baden 2017, commentary on Sections 617 to 619a, 628, 630 German Civil Code (Service Agreement) as well as Sections 662 to 674 German Civil Code (Order Agreements)

• German Bar Association (DAV)
• IT Law Working Group of the German Bar Association (DAVIT)
• German Association for the Protection of Intellectual Property (GRUR)
• German Society for Data Protection and Data Security (GDD)
• German Association for Law and Informatics (DGRI)
• Institute for Art and Law (IFKUR)
• Transparency International Germany

Thorsten studied law at the Johann Wolfgang Goethe University in Frankfurt am Main and began his legal career in 2004 at WILLKIE FARR & GALLAGHER. He joined SCHIEDERMAIR in Frankfurt am Main in 2007, was appointed Junior Partner in 2009 and Partner in 2013. After serving as Partner at ADERHOLD RECHTSAN-WALTSGESELLSCHAFT MBH from 2016 to 2022 and at ANDERSEN GMBH RECHTSBERATUNG STEUERBERATUNG from 2022 to February, 2026, Thorsten returned to SCHIEDERMAIR as a Partner in March, 2026 together with his team.

• Handelsblatt / Best Lawyers: “The Best Lawyers in Germany 2026” – Information Technology Law; Labor and Employment Law
• Handelsblatt / Best Lawyers: “The Best Lawyers in Germany 2025” – Data Security and Privacy Law; Information Technology Law; Labor and Employment Law
• Handelsblatt / Best Lawyers: “The Best Lawyers in Germany 2024” – Data Security and Privacy Law
• Handelsblatt / Best Lawyers: “The Best Lawyers in Germany 2023” – Data Security and Privacy Law; Information Technology Law
• Handelsblatt / Best Lawyers: “The Best Lawyers in Germany 2022” – Data Security and Privacy Law; Information Technology Law
• WirtschaftsWoche 2019 – “One of Germany’s Most Renowned IT Lawyers”
• WirtschaftsWoche 2016 – “One of Germany’s Best Lawyers for Information Technology”