Our combined experience has seen us facing some very interesting challenges. We bring together experience and strategy acquired working with companies in IT, media, banking, online stores and other industries. We’ve been through the creation and assisted in the management of companies whose activity “touched” millions of people. As the Chinese would say - we’ve looked into the eyes of the dragon and lived to tell the tale.
Details about our services
We cover legal aspects generated by the use of smart devices on a large scale in modern business society. We also advise line carriers, mobile operators, MVNOs and ISPs on cutting-edge regulatory issues.
We cover legal aspects of developing and publishing content, negotiating and drafting industry-specific contracts, virtual worlds, social media, electronic signature, online advertising etc.
We are experienced in providing legal assistance on highly specialised data protection aspects, such as cloud computing, data breaches, behavioural advertising, data retention, international transfer of personal data, privacy impact assessments etc.
We offer legal assistance to our clients on cloud services, finTech, healthTech and hardware developments. We also cover legal aspects of technology disputes, global technology agreements, technology procurement etc.
A survey prepared by Dell at the end of 2016 brought forward some alarming results: more than 80% of respondents know few details or nothing about GDPR, and less than one in three companies feel they are prepared for GDPR.
97% of all companies don’t have a plan to ensure GDPR compliance.
Non-compliance with GDPR can trigger fines of up to 20 million EUR or 4% of the global turnover, whichever is greater. That’s perhaps not the greatest point to start with and we don’t employ scare tactics, but we know that the cost of non-compliance is usually what business owners want to know first.
The GDPR will apply to non-EU entities that process personal data of individuals in the European Union. The current condition of being “established” in the EU will disappear. The application is also not limited to processing of personal data of EU citizens; rather, it concerns persons of any nationality as long as they are in the EU.
GDPR provides for the right to be forgotten (already established under CJEU case-law) but also the right to data portability. Data subjects have the right to receive their data in a structured, commonly used and machine-readable format – one of the most challenging changes for digital businesses.
The legitimate grounds for processing do not change; however, relying on consent becomes more difficult, since consent will require an affirmative response from the data subject. Consent will have to be more granular (per type of processing) and used only when the data subject has a real choice in the matter.
The appointment of a data protection officer (DPO) will be mandatory for public authorities, companies engaging in regular and systematic monitoring of data subjects on a large scale, as well as for companies processing special categories of data on a large scale.
Controllers must report a data breach to the supervisory authority no later than 72 hours after becoming aware of the breach. The data breach must also be notified to the data subjects, where it is likely to result in a high risk to their rights and freedoms. The controller has the uneasy task of deciding whether the risk is high or not, and more often than not this will require specialised advice.
Data protection impact assessments (DPIAs) will be required for projects likely to result in high privacy risks, and in particular when using new technologies. In plain language, if you want to contract a cloud service, develop an app, implement smart technologies and much more, you will have to first perform a privacy impact assessment, and log the results for possible inspection.
The controller and processor are jointly liable to implement appropriate (but still state of the art) technical and organisational measures to ensure an appropriate level of security corresponding to the risks identified (see the previous point on DPIAs). You will have to ensure regular testing, assessment and evaluation of the effectiveness of your (including your processor’s) security measures.
Our Headquarters are in Bucharest, Romania