Data protection

Employment or other work-related relationships give rise to a number of data protection obligations on the side of employers.
We conduct audits, consultancy and draft documents for our clients, in particular, but not solely, in data protection issues relating to electronic surveillance systems, employee supervision, use of company IT devices, software and vehicles, access control systems, selection processes, etc.

One of the central and undoubtedly most important elements of data protection compliance is providing a privacy notice to data subjects. However, by issuing a privacy notice, clients are far from being in compliance with the requirements of data protection legislation. It is 'only' the surface and, ideally, one of the last things to be done. The real challenges of data protection compliance lie deep: aligning processes, corporate data processing customs and practices with legal requirements.
This involves using a pre-defined methodology to review our clients' operations and daily data protection practices, identifying and prioritising risks, and then working with the client to develop the most appropriate legal solution.

Data protection legislation imposes strict documentation requirements.
We undertake to draft data protection notices, policies and, where necessary, conduct and document impact assessments, tailored to our clients' needs and areas of their activity.

We represent our clients in proceedings for judicial review of a data protection authority's decision and in data protection litigation.

Lost company IT devices? Hacker attack? Malicious code hacking into IT system? Mail sent to the wrong address?
These cases all have one thing in common: most of them are classified as data breaches. The occurrence of a data breach can pose a challenge even to the most prepared data controllers. Our experience has shown that once data controllers become aware of a data breach, there will be overwhelming confusion and uncertainty, typically even if specific policies are in place to deal with the incident.
In this case, a rapid and adequate response is of paramount importance, given that, as a general rule, a data breach must be reported to the Data Protection Authority (DPA) within 72 hours after it comes to the controller's attention. Accordingly, we assist our clients in investigating, documenting incidents affecting personal data, notifying the DPA and in any further action related to a personal data breach.

It is a common phrase among information security professionals that "employees are the biggest information security risk". Fortunately, with proper employee training, this exposure can be minimised. We provide regular privacy and information security training for our clients, introducing employees to concepts such as dumpster diving, data minimisation, clean desk policy, security incident and data breach.

For data controllers who are required by data protection laws to appoint a Data Protection Officer (DPO), our firm undertakes to provide DPO services on a long-term basis.
As part of the DPO service, our firm reviews the data protection processes of the data controller, provides ongoing support in data management issues and incident management processes, conducts audits, interacts with the authorities and generally monitors and ensures that client's data processing processes comply with the legal requirements.

Compared to previous regulations, the GDPR provides a high level of autonomy for natural persons affected by data processing.
Within the framework of this autonomy, depending on the legal basis for the data processing, data subjects have the right to access their personal data, request deletion, correction, portability, restriction of processing and object to the processing of their personal data.
Data controllers are also subject to strict legal time limits for responding to data subjects' requests: they must respond within one month of receipt of the request.
We support our clients in handling and fulfilling their data subjects' requests.