GDPR, ePrivacy and general data protection

gdpr compliance -

We help clients implement comprehensive yet practical data protection (GDPR) compliance programs, seamlessly integrated into their business activity.

All businesses collect and process personal data one way or another. Some – such as online retail shops, financial services providers, marketing agencies, hospitality providers, developers of online platforms and apps, utility/telecom suppliers etc. – are data driven, and require a complex, thorough and highly customized GDPR compliance program. Other businesses may not deal with natural persons, but still they have employees whose personal data need to be processed.

We design and follow through complex GDPR compliance programs in a wide range of industries, including FMCG, real estate, energy, hospitality, marketing & media, cosmetics, telecom, market research and others. We have an interdisciplinary approach and we take the time to really know our clients and make them feel like we are part of their teams, not just external consultants


When you process someone’s personal data, you must provide them with a minimal set of information. The GDPR is quite strict on this topic, which makes the transparency obligation one of the most sensitive and important data protection requirements.

We help clients both with writing content (what should be disclosed to data subjects) as well as with designing transparency mechanisms (how should the information reach people).

We are skilled at drafting data protection related documentation, such as information notices and other materials that need to have an accessible language and be easily understood by the general public.

Data mapping

Every organization needs to know what personal data it is processing. Without this step, it is impossible to implement any data protection compliance program. Moreover, this is a direct obligation imposed by the GDPR.

We assist clients with setting up and filling in registers of data processing activities. This means that we conduct interviews with all departments of the company and make sure that all relevant processes are considered. From our experience, this is best way to know our clients’ business and to raise awareness about personal data protection among all key employees

Data processing agreements

When processing personal data, an organization can be a Data Controller (determines the purposes and means of the processing), a Joint Data Controller (processes data in association with another organisation) or a Data Processor (processes data on behalf and at the initiative of a Data Controller). The GDPR requires that specific types of agreements be concluded in case of Controller – Processor relations and between Joint Controllers – these are data processing agreements or DPAs.

We assist our clients with drafting DPAs tailored to their specific needs and with negotiating and signing with their partners and suppliers all relevant data protection documentation. Our experience provides us with a very practical approach, and we aim to help all parties create legal arrangements which work in the real business world.

Websites & apps

If you interact with your customers online, then websites and apps become a data processing ecosystem. In addition to the GDPR, in this case you also have to consider the ePrivacy legislation (such as Law no. 506/2004 in Romania), which regulates the use of cookies and the deployment of e-mail marketing.

Our approach to websites and apps is highly customized – we don’t believe in template privacy policies. First, we need to know all the details about our client’s online projects and propose personalized documentation, as well as practical mechanisms for GDPR compliance, so as to allow our clients to carry out their activity smoothly while also observing data protection legal requirements.


How to plan and implement marketing campaigns while also complying with the data protection legislation? This question is on the mind of any business who uses direct marketing, social media communication, promotional campaigns or events and other such means to promote and advertise their brands.

There is no one-size-fits-all solution when it comes to marketing. Rather, we discuss together with clients about their objectives, and then we help in choosing mechanisms which allow them to carry out their marketing activities in compliance with the legal requirements.

Data subject requests

Data protection legislation offers natural persons (data subjects) certain rights which can be exercised against data controllers: erasure, rectification, access – to name just a few. Every organisation needs to put in place effective mechanisms to manage requests from data subjects within the one-month response rule.

In Romania, the failure to reply to data subjects is the most frequent issue leading to GDPR sanctions. We make sure that our clients are equipped with efficient procedures and with relevant awareness, and we advise on how best to address any claims related to the processing of personal data.

Trainings and DPO coaching

In-house trainings are the best way to raise awareness about data protection. We offer custom designed trainings for all types of teams and help teach the most relevant GDPR principles for your business, from top management to operational staff handling personal data.

We designed a unique one-to-one training program for Data Protection Officers and other privacy specialists. The aim is to go deeper into both theoretical and practical GDPR compliance issues, through a personalized learning and coaching experience.

PrivacyON logo symbol soft amber
Day to day data protection assistance
GDPR compliance is a continuous effort, because personal data processing is a continuous activity. We maintain a close connection to our clients, for all ongoing privacy-related matters. We spend a fair amount of time getting to know our clients’ businesses and therefore we are able to provide relevant advice in a very efficient and integrated way.
We come up with practical solutions to your legal problems and empower your organisation to learn to handle them in the future.