Data Protection

Our data protection lawyers help technology, B2B retail, e-commerce, health-tech, marketing, fin-tech and other companies implement data protection requirements, including those of the General Data Protection Regulation (GDPR) and e-privacy rules.

Data mapping of new products or services

  • Helping to map personal or customer data in the organization;
  • Creating sustainable mapping that can be easily updated according to changes in activities. For this purpose, we also offer a SaaS (software) solution, which can also be used for the secure transmission of the documents;
  • Drafting an overview of the necessary activities and priorities to eliminate possible gaps.

Data protection impact assessment

  • Assessing the impact of existing solutions;
  • GDPR compliance assessment of data processing;
  • Assessing the compliance of the company’s software solutions and databases with the technical and legal requirements of the GDPR;
  • Preparing the GDPR-compliant impact assessment documentation.

Legitimate interests assessment and balancing test (LIA)

  • The purpose test (is there a legitimate interest behind the processing?);
  • The necessity test (is the processing necessary?);
  • The balancing test (is the legitimate interest overridden by the fundamental rights and freedoms of the data subject?);
  • Answering all three questions sufficiently and documenting this accordingly provides a conclusion on the lawfulness of data processing based on legitimate interest and demonstrates that all necessary aspects have been taken into account during the assessment.

Data protection documentation

  • Compiling an overview of personal data processing and privacy policies, a compilation of cookie notifications;
  • Preparation of consent forms and integration into the business model;
  • Development of internal rules, including related processes;
  • Preparation of documentation on employment relations related to data protection;
  • Drafting data processing agreements (group company level and external), controller-processor agreements, technical and organizational measures (including cross-border or international data transfers).

Data Protection Officer’s (DPO) service

  • It is possible to purchase a full DPO service or an in-house DPO advisory service to ensure compliance with the GDPR and other relevant legislation;
  • DPO informs and advises the organization and its employees about their data protection obligations under the GDPR;
  • DPO monitors the organization’s compliance with the GDPR and with internal data protection policies and procedures;
  • DPO serves as the contact point to data protection authorities for all data protection issues, including reporting data breaches.

Risk management and data security

  • Consulting R&D teams within the development process;
  • Risk management, privacy and data security;
  • Technical and organizational measures;
  • Recommending software solutions (anonymization, encryption, records of processing, consent management, cookies, etc.);
  • Handling privacy incidents (e.g. reporting privacy and security issues to the regulatory authorities);
  • Reacting to privacy incidents.

Data Protection Officer’s (DPO) training

  • Providing bespoke DPO training courses based on the client’s profile;
  • Helping the DPO understand the requirements of GDPR applicable to the company;
  • Training for employees that takes into account the specifics of the organization. Sectoral training provides more relevant information (customer service, sales department, marketing analytics, IT development, finance, etc.).

Representation in personal data disputes

  • Representing and advising the data controller or processor in supervisory and judicial proceedings concerning data protection and data privacy law.

Frequently Asked Questions

DO I NEED A PRIVACY POLICY ON MY CORPORATE WEBSITE?

According to data protection laws, if your website collects personal data, you need a privacy policy. If you collect/process personal data through your product or service, you need a privacy policy.

Even if your product or service does not include any kind of personal data processing, but your business has a website, it is highly likely that you still need a data privacy policy. Most websites collect user data. Often, it happens without the website owner even being aware of it, by means of cookies.

If your website is hosted, or if you use plugins, social media buttons, analytics tools, and the like on your website, then it does set cookies and collect user data.

A privacy policy is a document that states what personal data you collect from your users and/or customers, why, and how you keep it private.

The purpose of the privacy policy is to inform your users/customers about how their data is being handled.

A privacy policy should be accessible for your users/customers and kept in plain and readable language.

Most countries have data privacy and cybersecurity laws requiring that websites collecting personal data have a proper privacy policy in place.

For businesses operating in the United States, compliance with laws like the California Consumer Privacy Act (CCPA) is essential.

Failure to comply can result in heavy fines. If you are based in the EU or provide services to EU citizens, you must have a GDPR-compliant privacy policy on your domain.

WHAT IS A PRIVACY PROGRAM?

It is not enough to draft policies to create a privacy program in the organization. Implementing the policies and ensuring that the organization has an appropriate infrastructure to support compliance with such policies is the key.

A comprehensive privacy compliance program includes, at a minimum, the following elements:

  • Appointment of a privacy officer/external DPO service;
  • Privacy audits/testing;
  • Privacy training for employees;
  • Privacy policies;
  • Confidentiality agreements;
  • Outsourcing controls/Data protection agreements;
  • Procedures for responding to complaints, inquiries, and data subject access;
  • Breach response plan;
  • Data protection impact assessments (“DPIA”);
  • Regular review and updates of policies and training.

WHAT DOES GDPR MEAN FOR MY BUSINESS?

GDPR introduces different responsibilities for data controllers, joint controllers, and processors. The role that your business plays in a commercial arrangement will depend on the particular circumstances.

Generally, the controller will be the decision-maker determining how, why, and which personal data is collected. Joint controllers will have data collection objectives and procedures in common with another controller.

The processor follows instructions and usually receives the data from a third party such as a client and has no direct relationship with the individual.

Enforcement action can be brought against both controllers and processors for non-compliance with the GDPR. Likewise, individuals can claim compensation and damages from both controllers and processors for breaches of their rights under data protection and security law.

It is therefore crucial that you carefully review and document the flow of personal data between your organization and others so that your status is clear (regardless of the terminology used in a contract).

DO I NEED TO INCORPORATE SPECIFIC PROVISIONS INTO THE TERMS OF MY CONTRACTS WITH SUPPLIERS AND CUSTOMERS DUE TO THE GDPR?

DO YOU OFFER TRAINING ON DATA PROTECTION?

Yes, we offer data protection training through our GDPR Masterclass. This program focuses on how to practically apply data protection laws, providing businesses with the tools and knowledge to ensure compliance and protect personal data.

DO YOU ASSIST WITH DATA BREACH INCIDENT RESPONSE?

Yes! We will provide you with immediate support for identifying, managing, and reporting security incidents.

Contact us

Please do not hesitate to ask us a question or book an (online) meeting.

We would be thrilled to get to know you and are excited about introducing ourselves.


Our memberships: FinanceEstonia, Lexing®, Estonian Service Industry Association, Estonian Chamber of Commerce and Industry, EstVCA, EstBan, FECC, IBA & IBA European Regional Forum