Data Protection

Our data protection lawyers help technology, B2B retail, e-commerce, health-tech, marketing, fin-tech and other companies implement data protection requirements, including the General Data Protection Regulation (GDPR) and e-privacy rules.

Data mapping of new products or services

  • Helping to map personal data in the organization;
  • Creating sustainable mapping that can be easily updated according to changes in activities. For this purpose, we also offer a SaaS (software) solution, which can also be used for the secure transmission of the documents;
  • Drafting an overview of the necessary activities and priorities to eliminate possible gaps.

Data protection impact assessment

  • Assessing the impact of existing solutions;
  • GDPR compliance assessment of data processing;
  • Assessing the compliance of the company’s software solutions and databases with the technical and legal requirements of the GDPR;
  • Preparing the GDPR-compliant impact assessment documentation.

Legitimate interests assessment and balancing test (LIA)

  • The purpose test (is there a legitimate interest behind the processing?);
  • The necessity test (is the processing necessary?);
  • The balancing test (is the legitimate interest overridden by the fundamental rights and freedoms of the data subject?);
  • Answering all three questions sufficiently and documenting this accordingly provides a conclusion on the lawfulness of data processing based on legitimate interest and demonstrates that all necessary aspects have been taken into account during the assessment.

Data protection documentation

  • Compiling an overview of personal data processing, privacy policies and cookie notifications;
  • Preparation of consent forms and integration into the business model;
  • Development of internal rules, including related processes;
  • Preparation of documentation on employment relations related to data protection;
  • Drafting data processing agreements (group company level and external), controller-processor agreements, technical and organizational measures (including cross-border data transfer).

Data Protection Officer’s (DPO) service

  • It is possible to purchase a full DPO service or an in-house DPO advisory service to ensure compliance with the GDPR and other relevant legislation;
  • The DPO informs and advises the organization and its employees about their data protection obligations under the GDPR;
  • The DPO monitors the organization’s compliance with the GDPR and with internal data protection policies and procedures;
  • The DPO serves as the contact point for data protection authorities on all data protection issues, including data breach reporting.

Risk management and data security

  • Consulting R&D teams within the development process;
  • Risk management and data security;
  • Technical and organizational measures;
  • Recommending software solutions (anonymization, encryption, records of processing, consent management, cookies, etc.);
  • Handling privacy incidents (e.g. reporting to the regulatory authorities);
  • Reacting to privacy incidents.

Data Protection Officer’s (DPO) training

  • Providing bespoke DPO training courses based on the client’s profile;
  • Helping the DPO understand the requirements of GDPR applicable to the company;
  • Training for employees that takes into account the specifics of the organization. Sectoral training provides more relevant information (customer service, sales department, marketing analytics, IT development, finance, etc.).

Representation in personal data disputes

  • Representing and advising the data controller or processor in supervisory and judicial proceedings concerning data protection law.

Frequently Asked Questions


If your website collects personal data, you need a privacy policy. If you collect/process personal data through your product or service, you need a privacy policy.

Even if your product or service does not include any kind of personal data processing, but your business has a website, it is highly likely that you still need a policy. Most websites collect user data. Often, it happens without the website owner even being aware of it, by means of cookies.

If your website is hosted, or if you use plugins, social media buttons, analytics tools, and the like on your website, then it does set cookies and collect user data.

A privacy policy is a document that states what personal data you collect from your users and/or customers, why, and how you keep it private.

The purpose of the privacy policy is to inform your users/customers about how their data is being handled.

A privacy policy should be accessible for your users/customers and kept in plain and readable language.

Most countries have privacy laws requiring that websites collecting personal data have a proper privacy policy in place.

Failure to comply can result in heavy fines. If you are based in the EU or provide services to EU citizens, you must have a GDPR-compliant privacy policy on your domain.


It is not enough to draft policies to create a privacy program in the organization. Implementing the policies and ensuring that the organization has an appropriate infrastructure to support compliance with such policies is the key.

A comprehensive privacy program includes, at a minimum, the following elements:

  • Appointment of a privacy officer/external DPO service;
  • Privacy audits/testing;
  • Privacy training for employees;
  • Privacy policies;
  • Confidentiality agreements;
  • Outsourcing controls/Data protection agreements;
  • Procedures for responding to complaints, inquiries, and access requests;
  • Breach response plan;
  • Data processing impact assessments (“DPIA”);
  • Regular review and updates of policies and training.


GDPR introduces different responsibilities for data controllers, joint controllers, and processors. The role that your business plays in a commercial arrangement will depend on the particular circumstances.

Generally, the controller will be the decision-maker determining how, why, and which personal data is collected. Joint controllers will have data collection objectives and procedures in common with another controller.

The processor follows instructions and usually receives the data from a third party such as a client and has no direct relationship with the individual.

Enforcement action can be brought against both controllers and processors for non-compliance with the GDPR. Likewise, individuals can claim compensation and damages from both controllers and processors for breaches of their rights under data protection law.

It is therefore crucial that you carefully review and document the flow of personal data between your organization and others so that your status is clear (regardless of the terminology used in a contract).


Under the GDPR, a data controller may only engage a data processor via a legally binding contract containing certain mandatory terms. You should consider whether your contracts with suppliers (who process personal data as processors) contain the mandatory terms and, if not, vary them accordingly. We can help you with the details.

You should also consider whether your business, in the course of providing its services, does so as a data processor. If so, you will need to ensure that your terms of business with all of your customers incorporate the mandatory terms set out in the GDPR.

Contact us

Please do not hesitate to ask us a question or book an (online) meeting.

We would be thrilled to get to know you and are excited about introducing ourselves.



Our memberships: FinanceEstonia, Lexing®, Estonian Service Industry Association, Estonian Chamber of Commerce and Industry, EstVCA, EstBan, FECC, IBA & IBA European Regional Forum.