Data protection and privacy requirements are under increasing scrutiny from public authorities and individuals. Accordingly, companies must ensure compliance with data protection requirements throughout their activities and operations.
Todor, Istocescu & Vintila is ready to meet the highest demands in this area by assembling a multidisciplinary team of professionals, providing a cross-cutting view over the processes and activities that involve data processing.
Thus, clients benefit from our expertise and experience across the full range of data protection and privacy matters, including:
Personal data mapping and inventory
- Assistance in identifying categories of processed personal data and categories of data subjects, including a description of the processed personal data (synoptic of processed personal data and data subjects, and synoptic of processes)
- Determining how personal data is disseminated, and the corresponding permitted actions and limitations thereof
Records of processing activities
- Identifying the various purposes of personal data processing
- Linking personal data categories with processing activities; assistance in preparing specific records
- Preparing review procedures regarding the records, allowing updates as necessary
Legal grounds for personal data processing
- Analysis of the purposes and legal grounds of processing certain categories of personal data
- Preparing templates of consent/withdrawal of consent clauses
Privacy impact assessment. Risk assessments
- Assessment of the impact of processing operations on the protection of personal data, in order to identify the internal processes that involve data processing; identification of the possible risks arising from them; analysis of the need for a privacy impact assessment
- Full-scale data protection audit of all data processing operations inside the group of companies
- Drafting an audit report with the findings and conclusions in view of ensuring the personal data protection and legal processing
- Preparing the action plan with recommended measures to be implemented to ensure compliance
- Legal and IT assistance for the implementation thereof
Privacy by design
- Identifying the activities of the organisation and applying the privacy by design approach in the change of the internal processes
- Implementation of privacy by design tools
Privacy by default
- Preliminary assessment of the adequacy of personal data processing in view of the “privacy by default” concept
- Assistance in preparing legal and IT solutions for personal data minimisation, security and access control
Retention of personal data
- Assessment of the current retention periods for various categories of personal data
- Assessment of the internal procedures on retention and personal data disposal
- Drafting of recommendations on data retention periods and on personal data disposal methods and tools, in view of the GDPR rules
Profiling
- Checking for the existence of cases of automated profiling using personal data
- Analysis of the legal ground for personal data processing for profiling purposes
- Drafting of recommendations on ensuring personal data protection in profiling activities
Notification, detection and investigations of personal data breaches
- Conducting compliance checks and investigations into potential breaches of policies and ethical business behaviour, in accordance with data protection principles
- Addressing data protection inquiries to data controllers and to the Supervisory Authority
- Assistance within internal investigation on privacy breach allegations and unlawful disclosures made by employees
- Reviewing existing policies on detecting and reacting to personal data breaches
- Assistance in creating strategies aimed at minimising damage in case of a data security breach
- Legal representation in personal data breaches disputes and litigations
- Preparing data intervention requests based on the “right to be forgotten” in relation to unlawful (excessive and incorrect) processing of personal data by way of blacklisting and excessive publication of data performed by NGOs, public authorities or private entities
Verification of data processors and data processing agreements
- Analysing the measures and tools used by the data processor for the protection of personal data
- Providing recommendations on the legal grounds for entrusting personal data processing to a data processor
- Legal analysis of the documentation used in relation with data processors with respect to GDPR requirements
- Preparing template data processing agreements
- Data protection implications of cloud computing
- Drafting processing and transfer agreements with Romanian and foreign data processors and data controllers, or advising on how to structure the collaboration with data processors and sub-processors
- Drafting of representation agreements for clients from outside the European Union who do not have a local presence in Romania.
- Assistance in obtaining from the Supervisory Authority a data transfer authorization in relation to the implementation of data loss prevention tools inside a group of companies.
Interaction with data subjects
- Analysis of the set of reaction procedures within the organisation in case of data subject requests for access, rectification, restriction, deletion and transmission of personal data
- Preparing policies on reacting to data subject requests regarding the processing of their personal data
Transfer of personal data to third countries
- Analysis of cases involving transfer of personal data outside the EU
- Determining the legal grounds for a transfer of personal data outside the EU
- Preparing template consent clauses for acceptance of a transfer of personal data, or other legal instruments permitting a transfer of personal data to third countries
- Addressing the privacy challenges faced during cross-border data flows (e.g. binding corporate rules, standard contractual clauses)
Personal data security and data protection policies
- Analysis of the company’s structure in the context of data protection organisation
- Preparing an organisational scheme
- Recommendation on assigning roles within the organisation related to personal data protection
- Analysis of security measures and tools applied within the organization for personal data protection
- Recommendation on data protection measures and tools as per GDPR requirements
- Preparing policies on personal data security and implementing the related tools
Training and security awareness
- Preparing and carrying out training in the area of personal data protection and on data protection and cyber security tools, addressing both general-applicability aspects and the particular aspects of various business units
- Informing the employees on how their data is processed (information and consent forms) and instructing the employees on the rules for handling personal data in their activity (privacy policies)
Data Protection Officer (DPO)
- Analysis in order to determine whether or not a DPO must be appointed
- Delivering specialised professional training for the DPO
- Offering support to the existing DPO
- DPO outsourced services
Consultation with the supervisory authority
- Analysis in order to determine the need to consult planned data processing operations with the supervisory authority
- Addressing data protection inquiries to the supervisory authority
- Preparing draft documents necessary to conduct a consultation with the supervisory authority
- Assistance during the audits carried out by the data protection authority
Pseudonymisation
- Analysis of the need to pseudonymise certain categories of personal data
- Analysis of methods and scope of using pseudonymised data
Continuous compliance
- Direct monitoring of any new regulation at EU and national level regarding personal data protection, and adjustment of policies and measures as per the agreed action plan
- Data protection compliance and implementation adapted to specific industries (e.g. banking, automotive, energy, pharmaceutical, manufacturing and retail, marketing, online, IT, transportation and logistics, public sector)
- Assistance on data protection issues encountered in the course of carrying out daily business, whether in contract drafting, managing disclosure to third parties or handling the enhanced individuals’ rights under the new GDPR rules
Database creation, sharing and transfer
- Implementation of data protection related requirements in relation to the creation and transfer of databases, including in case of business transfers
- Legal and practical guidance on how to identify and comply with the data protection implications of intra-group disclosure of employee and customer data, including when data is transferred within and outside the EU
- Assistance and support in connection with sales of business units and data protection matters arising from cross-border mergers
- Assessments of the data protection implications of transferring portfolios of clients and contracts between affiliates, drafting of the necessary and applicable agreements, and the formalities thereof
- Assistance and recommendations for the compliance with the requirements applicable to data sharing with affiliates
Marketing-Related Data Processing
- Consolidating and assessing the specific implications of new developments in data protection law for the marketing initiatives of clients
- Drafting of commercially appropriate wording for promotional campaigns, in particular in view of obtaining consent for using personal data within marketing communications
- Drafting of data protection provisions for commercial agreements, especially agreements providing for database sharing for marketing campaigns
- Legal advice regarding the special rules governing the deployment of loyalty or similar programmes aimed at gathering clients’ data for further behavioural advertising
- Drafting of the minimum required information for the privacy policy published on websites
- Drafting of the data protection related wording in marketing materials prepared for loyalty programmes and similar
- Legal advice concerning the data protection requirements applicable to promotional campaigns, including reviews of the campaign rules and individual participation forms, procedures concerning categories of sensitive data that may be collected from individuals during marketing activities, and development of the data collection justification to be provided to the Supervisory Authority
- Legal advice on e-privacy and e-commerce issues
IT audit and assessment of application and infrastructure security
Data protection IT solutions and tools
- Audit, encryption, pseudonymisation, incident management
- IT solutions and tools for the right to be forgotten and data portability
- IT solutions and tools for data processing traceability
- Consultancy and solutions for obtaining explicit user consent
- “Cookies” and cloud computing