What is Garrigues Digital?
Garrigues Digital is a cross‑practice team of professionals who, drawing on expertise from across all practice areas, advise companies on digital and technology law and support clients wherever digital factors impact asset value, regulatory risk, transaction structuring, or dispute strategy.
We bring our expertise to the digital landscape
We analyze and share our vision of the main legal challenges faced by companies in the digital age
Consult European legislation on the digital sector here
We collaborate in the development of legal tech solutions that enhance legal certainty
Our professionals work closely with Garrigues’ digital business division, g-digital, to design advanced technological solutions to guarantee regulatory compliance, traceability and legal certainty in all critical client processes. This approach ensures alignment between technology and legal compliance.
Leading EU law firm
Garrigues is an international legal and tax services firm that advises clients locally, regionally and globally from every angle of business law.

Expert team specializing in
digital law
A multidisciplinary team of Garrigues professionals advising companies on digital business from a variety of practice areas.
‘LawTech’
developers
g-digital develops advanced technology solutions for the legal services industry and acts as an internal driver of the firm’s digital transformation.
1. What is Garrigues Digital?
Garrigues Digital is a multidisciplinary group of experts that supports businesses, funds and technology firms in matters where technology is not a secondary consideration, but a central part of the advisory process, because:
- The principal asset is digital: software, data, AI models, platforms, marketplaces, tokens, content, algorithms, databases, digital assets and technology infrastructure.
- The project, transaction or dispute in question is governed by digital regulations: AI Act, DSA, DMA, DORA, NIS2, eIDAS, Data Act, MiCA, GDPR and other legislation applicable to digital consumption, e-commerce, online advertising, digital financial services, platforms, marketplaces and online intermediaries.
- The technological element introduces significant legal, operational and evidentiary risk: cybersecurity, privacy, tech debt, algorithmic pricing, automated decision-making, liability of intermediaries, ownership of intangible assets, digital evidence or regulatory exposure.
We set up specialized legal teams for these matters and, where necessary, use our own technological capabilities to address the issue from every legal angle.
2. What types of matters do we handle?
We handle matters in which technology is key for the business:
- Investment or divestment in software or technology firms.
- Deployment of AI systems.
- Operation of digital platforms or marketplaces.
- Adaptation of e-commerce models, marketplaces and online sales channels to digital consumption requirements.
- Review of terms and conditions, privacy policies, online contracting processes and rules governing the use of digital services.
- Defense of clients in penalty proceedings with a digital component.
- Response to cyberattacks or security incidents.
- Protection of software, data, algorithms, databases and trade secrets.
- Taxation of intangible assets.
- Negotiation of cloud contracts, SaaS, licenses and technology outsourcing arrangements.
- Defense of clients in lawsuits for unauthorized use of software, breaches of technology agreements or unauthorized use of digital assets.
- Design of notice-and-action procedures and liability of intermediaries.
- Assistance with data centers and digital infrastructure projects.
3. What sets us apart?
We approach digital matters from our clients’ perspective, taking on board the realities of their business and assembling teams capable of addressing digital issues from every angle of business law.
In transactions involving software, data or AI, reviewing the contracts is not enough. It is necessary to determine who owns the assets, what rights exist in the code, data models or outputs, which third-party components have been used, what restrictions are imposed by legislation, how the data life cycle has been managed, what contingencies may affect the price and what evidence can be used to defend all of the above vis-à-vis buyers, sellers, regulators and the courts.
At g-digital, Garrigues’ digital business division, we are uniquely able to provide a qualified evidentiary layer when needed. We can help document and verify the existence, integrity, date and content of digital assets or critical processes, such as software components, technical documentation of AI models, electronic custody or tokenization of assets. This ensures that our advice does not simply amount to a recommendation, but instead, becomes a legally defensible position, backed by evidence that can be used in due diligence, contractual negotiations, penalty proceedings, court claims, internal investigations or cybersecurity incidents. The key difference lies in not merely identifying risks, but in translating our advice into actionable decisions and verifiable evidence.
4. What does g-digital contribute within Garrigues Digital?
g-digital gives Garrigues Digital a competitive edge, enabling us to offer our clients in-house technological capabilities to integrate digital trust, evidence, signatures, custody and traceability into our clients’ real-world processes. This ensures that our legal advice goes beyond a recommendation and can be incorporated into each company’s processes.
The added value this provides becomes particularly evident when legal certainty depends on evidencing digital facts such as, what was in place, when did it exist, who approved it, which content was reviewed, which version was stored, which terms were accepted, which documentation was delivered or which evidence needs to be preserved.
It can prove crucial, for example, when it comes to:
- Certifying documentation, communications or digital content.
- Applying time stamps, qualified signatures, digital trust or electronic custody services.
- Keeping a record of the content analyzed in a data room or the acceptance of terms and conditions.
- Preserving evidence in lawsuits, internal investigations, cyberattacks or penalty proceedings.
- Verifying the existence of software components, datasets, technical documentation for AI models or data governance processes.
- Integrating electronic contracting processes, compliance, decision traceability and storage of critical documentation.
- Structuring digital asset projects and tokenization.
This layer is especially useful in transactions, lawsuits, e-contracting, AI compliance, internal investigations, cyberattacks, intangible assets, digital consumption and penalty proceedings, where traceability of the decision or document can be as important as the legal analysis.
5. How do we work with our clients?
We start with the client’s specific problem: an investment or divestment, an investigation, a cyberattack, a technology deployment, a digital platform, a contractual review or a proceeding before a regulator.
We then identify what decisions need to be taken, what risks need to be mitigated and what documents, contracts, policies, evidence and/or procedural steps are necessary.
Our goal is to ensure that each client receives a single, practical legal response, tailored to their business needs, rather than a series of abstract legal recommendations with no practical solution to the issues they face.
6. What types of clients do we work with?
We work with clients for whom technology has a real impact on their business:
- Private equity funds, venture capital firms, innovation departments of large multinationals and corporate venture builders.
- Scaleups and technology companies.
- Software, SaaS, data, AI, cybersecurity and digital services companies.
- Digital platforms, marketplaces, apps and online intermediaries.
- E-commerce and digital retail operators, accommodation and vacation rental platforms, and online sales models.
- Fintechs, financial institutions such as banks, payment entities and e-money institutions, insurance companies, lenders and other operators subject to digital industry regulation.
- Digital asset and crypto-asset service providers.
- Industrial companies and companies operating in the energy, health, defense, mobility, telecommunications and education sectors that are undergoing digital transformation processes.
- Data center, cloud and digital infrastructure operators, developers and investors.
- Non-tech companies that purchase software, deploy AI systems, outsource technology services, monetize data or exploit intangible assets.
7. Can Garrigues Digital help in tech M&A deals?
Yes. We advise on transactions in which the value or risk of the company is determined by the quality of its software, data, AI, cybersecurity, intellectual property, technology agreements, platforms, digital assets or industry regulation.
In these types of transactions, legal analysis cannot be limited to simply reviewing contracts. It is necessary to understand which asset is being purchased, who will use it, what restrictions are in place and what evidence can help defend its value. This is why we analyze the following aspects, among others:
- Critical contracts, dependence on providers, the cloud, SaaS and outsourcing.
- Ownership of the software, code, databases and other technological assets.
- Privacy, cybersecurity, data governance and the data lifecycle.
- Tech debt, scalability, business continuity and post-closing integration risks.
- Applicable regulation, including export controls, digital industry legislation and potential penalty proceedings.
- Tax treatment of intangible assets, and labor and employment contingencies relating to technology talent.
Where required, we can add a qualified evidentiary layer to verify the existence of key digital facts, for example:
- The existence, date, content and integrity of software components and code versions.
- Training datasets, technical documentation for AI models, or evidence of data governance.
- Content reviewed in the data room.
- Internal approvals, key communications and decision traceability.
- Electronic custody, time stamps, qualified signatures and tokenization of assets.
The goal is for the transaction to accurately reflect the value and risks of the technological component in the price, security, indemnities, closing conditions and integration plan and to be able to defend the client’s position if the asset, its ownership or content are subsequently challenged.
8. Why does AI change the way a transaction is analyzed?
When it comes to AI assets, their value is not always where it appears to be. It can lie in the AI model, but it can also lie in training data, rights of use, traceability, product integration, talent, governance, technical documentation or the absence of regulatory restrictions.
Effective advice involves understanding where the added value of AI-based business models lies, and setting up the necessary teams to protect the asset in question and deploy systems in light of the risk involved. It is necessary to analyze licenses, providers, contractual architecture, privacy, bias, human oversight, the use of third-party models, security, restrictions on use, key talent and the actual ability to integrate the asset into the business.
9. Do you help deploy and govern AI systems?
Yes. We help companies deploy AI systems in a legally defensible manner. This includes classifying use cases, identifying regulatory obligations, defining roles and responsibilities, reviewing contracts with providers, analyzing how training data have been compiled, preparing documentation, designing internal policies, establishing human oversight protocols, defining acceptable use criteria and preparing evidence of compliance.
Rather than taking a purely regulatory approach, we translate the regulatory framework into a roadmap of specific decisions and help clients deploy their own technological evidentiary layer, which is essential for verifying compliance.
10. Can I rely on Garrigues if my company suffers a cyberattack?
Yes. In the event of a cyberattack we activate a legal crisis response team with experts in privacy, cybersecurity, criminal, procedural, corporate and commercial law, sector-specific regulation and, where necessary, labor law and third-party communications.
We provide assistance right from the start, by preserving evidence, coordinating forensic teams, analyzing personal data breaches, evaluating notifications to the authorities and affected parties, reviewing contractual obligations with customers and providers, relations with insurance companies, internal communications and criminal complaints, appearing in proceedings and defending the client against claims or penalty proceedings.
We also act in cases involving ransomware attacks, CEO fraud, payment fraud, unlawful access to systems, data breaches, damage to IT systems, impersonation, digital extortion or internal misuse of login credentials.
The key is to act swiftly without losing control of the evidence: what happened, which systems and data are affected, what are the notification obligations, what communications must be made, what evidence must be kept and what defense strategy should be prepared from the start.
11. Do you assist in data protection, privacy and data governance matters?
Yes. Privacy and data governance form the core of many digital projects: AI, analytics, e-commerce, online advertising, apps, marketplaces, human resources, M&A deals, cybersecurity and data monetization. The risk is not solely in complying with the GDPR but in the ability to explain which data are processed, the legal basis for and purpose of the processing, who has access to the data, where they are stored, how they are transferred and what evidence can be used to verify compliance.
In this area, we advise on the following aspects, among others:
- Design of processing models, legitimate bases, information clauses, consent management, data subject rights and internal privacy governance.
- Privacy in digital products, apps, platforms, marketplaces, e-commerce, online advertising, cookies, tracking, profiling, personalization and measurement.
- Data processing in AI systems: datasets, training, inference, automated decision-making, anonymization, pseudonymization and impact assessments.
- International data transfers, data processors, data agreements and contracts with providers of cloud, SaaS, outsourcing and technology services.
- Employee data, biometrics, monitoring and geolocation, internal tools and automated decision-making in the workplace.
- Data due diligence in transactions: lawfulness of the data, ownership, quality, restrictions on use, breaches, ongoing proceedings and regulatory contingencies.
- Security breaches, notifications, dealings with supervisory authorities and defense of clients in proceedings involving the Spanish Data Protection Agency or other European authorities.
In addition, where necessary we can rely on g-digital to provide an evidentiary layer in terms of the traceability of consent and acceptance, evidence of the information provided, records of decisions, time stamps, and custody and storage of key documentation.
12. Do you have experience in digital markets, platforms, marketplaces and e-commerce?
Yes. We advise digital platforms, marketplaces, online intermediaries, e-commerce businesses, apps, comparison sites, fintechs, social media networks, search engines, SaaS providers and companies that sell products or services through digital channels.
We can help you with:
- Adaptation to the DSA, DMA and P2B Regulation, as well as digital consumer, anti-trust and data protection legislation.
- Terms and conditions, usage policies, online contracting processes and relationships with individual and corporate users.
- Online advertising, protection of minors, financial transparency, price transparency, reviews, rankings and recommendation systems.
- Liability of intermediaries, traceability of sellers, suspension of accounts, and notice-and-action processes.
- Procedures for designing customer on-boarding flows, product procurement and after‑sales services.
- Adapting flows to the applicable legislation, such as transparency in financial products, prevention of money laundering, privacy and cybersecurity.
- Penalty proceedings, requests by the authorities and defense against claims by brought by users, companies or competitors.
13. Can you help with e-commerce, digital consumption and online pricing issues?
Yes. Today, e-commerce and digital sales account for a large percentage of consumer risk. Customers are purchasing without being physically present, pricing can be dynamic, information is presented on digital interfaces, and purchase decisions are influenced by reviews, promotions, subscriptions, loyalty programs or recommendation systems. This is why legal analysis must go beyond reviewing legal texts and look at how an online sales channel actually works.
We can help you define:
- Precontractual information, distance contracts, right of withdrawal, warranties and customer service.
- Terms and conditions, privacy policies, cookies policies, and platform terms of use.
- Check-out processes, ordering, confirmation, commercial communications and cross-border sales models.
- Subscriptions, loyalty programs, promotions, discounts and transparency of price reductions.
- Reviews, digital advertising, dark patterns, personalized pricing, algorithmic pricing and consumption flows.
Additionally, at g-digital we can provide an evidentiary layer to ensure these processes are not only correctly designed but can also be subsequently verified: acceptance of terms and conditions, online contracting, order placement, communications with consumers, consent traceability, changes in pricing or conditions, proof of delivery of precontractual information and retention of relevant information.
14. Do you advise on technology contracts, software, cloud services and outsourcing?
Yes. Technology contracts typically cover much more than just the provision of a service, since they determine the client’s operational dependence, access to data, business continuity, ability to migrate to another provider, liability in the event of an incident, and actual ability to utilize the software, platform or product purchased.
In this area, we can help with the design and analysis of:
- SaaS contracts, cloud services, software licenses, technology development, outsourcing, systems integration, managed services and APIs.
- Data agreements, AI contracts, use of third-party components, open-source technologies and rights in developments, outputs and technical documentation.
- Service levels, support and maintenance, business continuity, reversibility, audits, escrow and orderly exit of the provider.
- Contractual cybersecurity, data processing, liability, limits on liability, warranties and indemnities.
- Pricing changes, provider dependence, migration, interoperability and risks deriving from cloud or SaaS models that are critical to the business.
15. Do you handle digital content, online reputation, protection of minors and liability of intermediaries?
Yes. The publication, recommendation and removal of content in digital environments poses risks involving freedom of expression, reputation, privacy and image rights, the protection of minors, targeted advertising and the liability of platforms and intermediaries. It is not only about deciding whether content should be removed, but also about determining who is responsible, what procedure should be followed, what evidence should be kept, and how to defend the decision to users, authorities or the courts.
In this area, we advise on the following aspects, among others:
- Removal of content, notice-and-action processes, and liability of intermediaries.
- Moderation of content, terms of use, community rules and suspension of accounts.
- Right to reputation, privacy, one’s own image, freedom of expression and online reputation.
- Protection of minors, age verification, targeted advertising and potentially harmful content.
- Disputes deriving from social media and digital platforms, forums, marketplaces and channels.
- Judicial and nonjudicial proceedings involving unlawful publications, smear campaigns, impersonation, unauthorized sharing of images or breach of platform obligations.
16. Do you defend clients in penalty proceedings and investigations by authorities and regulators?
Yes. The digital regulatory framework is becoming increasing broader, with authorities incorporating supervision of technological components into markets that have previously been analyzed using more traditional categories: consumer protection, competition, finance, advertising, platforms, data protection, online services and digital content. For many businesses, this not only means adapting their processes but being ready to respond to requests, investigations and penalty proceedings.
We defend clients in proceedings before data protection, consumer protection and competition authorities, the Spanish National Securities Market Commission (CNMV), the Spanish Markets and Competition Commission (CNMC), the European Commission and other industry regulators. For example, we act in:
- Penalty proceedings due to breach of the obligations applicable to platforms, marketplaces, online intermediaries and digital services.
- Proceedings linked to the DSA, DMA, digital consumer protection legislation, online advertising, data protection, digital financial services and crypto-assets.
- Proceedings involving online sales, price transparency, reviews, terms and conditions, digital contracts and consumer information.
- Investigations relating to advertising of financial products, commercial communications or digital models subject to supervision.
- Appeals for judicial review of penalty decisions and defense of clients in proceedings involving the Spanish or European authorities.
In these cases, it is particularly important to design a strategy from the outset that combines regulatory analysis, evidence gathering, dealings with the authorities, document management, and administrative litigation if the proceeding results in a penalty.
17. Do you handle civil, commercial and criminal lawsuits with a digital component?
Yes. Many business disputes in today’s environment have a technology or evidence-based dimension that can be decisive: disputed assets can be software, data or know-how; breaches can derive from technology contracts; proof may be found in emails, logs, screengrabs, internal systems or digital communications; and damage can be caused though fraud, unlawful access, impersonation, or unauthorized use of digital assets.
For example, we act in:
- Lawsuits relating to unauthorized use of software, data, content, databases or digital assets.
- Breaches of technology contracts, licenses, developments, SaaS, cloud services or outsourcing arrangements.
- Disputes involving ownership, use or appropriation of software, algorithms or trade secrets.
- Proceedings linked to digital evidence, preservation of evidence, logs, electronic communications, screengrabs, traceability or custody of documentation.
- Disputes involving reputation, privacy, image rights, online reputation, social media content and impersonation.
- Criminal proceedings involving CEO fraud, payment fraud, cyber fraud, damage to IT systems, unlawful access to systems or disclosure of secrets.
Where appropriate, we can rely on digital evidence capabilities, certification, time stamps, chain of custody and traceability to reinforce our client’s legal position from the earliest stages of the dispute.
18. Can you help protect, defend and monetize software, data and other intangible assets?
Yes. In the digital economy, a company’s value increasingly depends on assets that are not always correctly identified, protected or documented: software, databases, algorithms, AI models, datasets, content, trademarks, designs, know-how, trade secrets, technology processes, domain names and usage rights. If these assets are not properly organized, they can lose value in a funding round, due diligence review, M&A deal, lawsuit or commercial negotiation.
Our team is made up of IP specialists, trademark agents and engineers, and we have our own intellectual property agency for registrations, surveillance and monitoring of infringements. This means we can handle both the formal protection of the assets and their management from a legal, contractual, evidentiary and litigation standpoint.
In this area, we advise on the following aspects, among others:
- Registration, protection, surveillance and defense of trademarks, designs, domains, software, content and other industrial and intellectual property rights.
- Chains of title: development agreements, assignments, licenses, commissions, contributions from employees, collaborators, service providers and open-source communities.
- Processes for the review and organization of intangible assets to prepare companies for investment, financing, due diligence or sale.
- Licensing of software, data, content, trademarks, copyrighted works and technology, including negotiations with collecting societies, where applicable.
- Protection of code, databases, algorithms, technical documentation and trade secrets.
- Use of content, data and copyrighted works in AI training, scraping, datasets, outputs and exploitation of models.
- Litigation involving infringements, scraping, unauthorized use of software or content, appropriation of trade secrets, breach of license terms or rights relating to digital assets.
- Strategies to ensure assets are audit-ready, transferable, defensible, monetizable and valuable in a transaction.
More than simply registering or protecting assets, it is about building a solid, traceable and exploitable portfolio of intangible assets that stands up to scrutiny by investors, finance providers, buyers, regulators and the courts.
19. Can Garrigues Digital help with digital taxation?
Yes. Digital models and intangible assets pose specific tax risks because the value they generate does not always match the legal or accounting structure of the group. There may be software, data, trademarks, algorithms, trade secrets or AI models that are developed by one company, exploited by another, licensed within the group, or used in different jurisdictions. Where ownership, exploitation and remuneration are not properly aligned, this can give rise to risks as regards transfer pricing, deductions, credits, royalties, tax incentives, reorganizations, M&A deals and tax inspections.
In this area, we advise on the following aspects, among others:
- Tax treatment of software, data, intellectual property, trade secrets, trademarks, algorithms, AI models and other intangible assets.
- Correct allocation of ownership, exploitation and remuneration of the assets inside the group.
- Intragroup licenses, royalties, development agreements, cost-sharing arrangements, licensing arrangements and international exploitation structures.
- Transfer pricing with regard to digital models, platforms, SaaS, online services, data, licenses and technology assets.
- Application of tax incentives, patent boxes, tax credits for R&D&i and innovation financing.
- IP holding structures, reorganizations, migration of intangible assets, and technology-related M&A transactions.
- Tax documentation and client defense in tax inspections where the value, ownership or remuneration of intangible assets may be challenged.
Our approach links tax treatment to the actual business model: where the asset is located, who develops it, who exploits it, how remuneration works, where value is generated, what risks each entity assumes, and how all of this documented to ensure that the structure can be defended.
20. Do you also handle labor aspects deriving from AI and digitalization?
Yes. Digitalization is directly changing labor relations: how people are recruited and performance is evaluated, how work is organized, how activity is supervised, what information is received by workers’ representatives, and how reorganizations linked to automation, platforms or AI systems are managed. Labor risks do not typically appear in isolation, but rather involve aspects related to privacy, cybersecurity, regulation of AI, digital evidence, trade secrets and protection of assets.
In this area, we advise on the following aspects, among others:
- Use of AI and algorithm-based tools in recruitment, performance evaluations, promotions, disciplinary decisions and dismissals.
- Automation of functions, reorganizations, technology training, reskilling, and the rights to information and consultation.
- Digital collective bargaining, remote work, digital disconnection and platform service models.
- Workplace monitoring using technological means: video surveillance, geolocation, monitoring of equipment, use of corporate devices and review of communications.
- Protection of employee data, processing of biometric data, intragroup disclosures, international data transfers and automated decision-making in the workplace.
- Internal policies on the use of digital tools, corporate cybersecurity, trade secrets and misuse of technology.
- Digital evidence-gathering in labor proceedings: emails, screengrabs, WhatsApp messages, social media, activity logs, geolocation and recordings.
The goal is for the company to be able to integrate technology into the organization of work based on clear legal criteria, enforceable policies, and the ability to defend itself if the measures adopted are challenged or give rise to disputes.
21. Do you advise on data centers and digital infrastructure?
Yes. The digital economy, and the deployment of AI in particular, relies on an increasingly complex physical infrastructure: data centers, cloud capacity, connectivity, energy supply, land, permits, construction, operation, financing and regulatory compliance. These projects are not purely technological or real estate-related; they require coordination of zoning, administrative, energy, real estate, financing, contracts, taxation, data protection, cybersecurity and ESG aspects, as well as sector-specific regulations.
At Garrigues Digital we can offer specialist teams to assist at all stages of the project, including:
- Acquisition, lease or legal structuring of land and real estate assets.
- Licenses, permits, zoning, administrative authorizations and environmental compliance.
- Connection to the electricity system, energy supply, PPAs, energy efficiency and sustainability.
- Construction, engineering, operation and maintenance contracts, cloud, housing and hosting services, and agreements with hyperscalers.
- Financing, due diligence, asset deals, joint ventures and investment structures.
- Data protection, cybersecurity, business continuity, operating resilience and incident management.
- Taxation, ESG, insurance, contractual liability and regulatory risk management.
AI infrastructure and the digital economy require a multidisciplinary approach. This is where Garrigues Digital delivers an integrated perspective to ensure the project’s viability across legal, regulatory, contractual, energy, real estate and financial aspects.
22. What role does g-Advisory play?
We call on g-Advisory when a digital matter cannot be analyzed from a purely legal perspective because the value or risk also depends on technical, energy-related, economic, environmental or market factors. This is particularly important in projects where the technology relies on physical infrastructure, high energy consumption, asset finance, sustainability and ESG compliance.
This might be the case, for example, with a data center project where it is necessary to analyze the site, permits, electrical connections, PPAs, energy efficiency, environmental impact, financing, and contracts with operators. Or transactions involving climate tech or energy tech companies, whose value depends on the technical viability of the assets, or financing arrangements where the bank needs to check the operating assumptions, demand, price of energy, capital expenditures, operating expenses and regulatory compliance.
In these types of matters, g-Advisory can provide, among other capabilities:
- Technical, commercial, environmental and ESG due diligence in sale, purchase and asset finance transactions.
- Market studies, regulatory analysis and review of the technical or economic assumptions underlying the business plan.
- Advice on PPAs, energy price forecasts, connections, energy supply and efficiency.
- Technical and economic analysis of renewable energy, energy storage, biomethane, hydrogen, grid infrastructure, waste, water, and critical infrastructure projects.
- Support with green finance, sustainability, climate change, ESG compliance and reporting.
This combination is unique in that it provides clients with an integral legal and technical assessment. In infrastructure-intensive digital projects, such as data centers, AI infrastructure, climate tech or energy-related assets, it is not enough to know whether a contract is well drafted: you also need to understand whether the technical assumptions underpinning the project’s value are defensible.