We are

The boutique law firm specialising in IT&C law

Our Services DPO training

General services

We understand business strategy and IT&C related technical aspects

Our combined experience has seen us facing some very interesting challenges. We bring together experience and strategy acquired working with companies in IT, media, banking, online stores and other industries. We’ve been through the creation and assisted in the management of companies whose activity “touched” millions of people. As the Chinese would say - we’ve looked into the eyes of the dragon and lived to tell the tale.

Details about our services

Communications & Mobility

We cover legal aspects generated by the use of smart devices on a large scale in modern business society. We also advise line carriers, mobile operators, MVNOs and ISPs on cutting-edge regulatory issues.

eCommerce & Digital Media

We cover legal aspects of developing and publishing content, negotiating and drafting industry-specific contracts, virtual worlds, social media, electronic signature, online advertising etc.

Privacy & Information Management

We are experienced in providing legal assistance on highly specialised data protection aspects, such as cloud computing, data breaches, behavioural advertising, data retention, international transfer of personal data, privacy impact assessments etc.

Technology & Outsourcing

We offer legal assistance to our clients on cloud services, finTech, healthTech and hardware developments. We also cover legal aspects of technology disputes, global technology agreements, technology procurement etc.


GDPR is coming on May 25th 2018. Are you ready?

A survey prepared by Dell at the end of 2016 brought forward some alarming results: more than 80% of respondents know few details or nothing about GDPR, and less than one in three companies feel they are prepared for GDPR.
97% of all companies don’t have a plan to ensure GDPR compliance.


Harsh penalties

Non-compliance with GDPR can trigger fines of up to 20 million EUR or 4% of the global turnover, whichever is greater. That’s perhaps not the greatest point to start with and we don’t employ scare tactics, but we know that the cost of non-compliance is usually what business owners want to know first.

Extra-territorial application

The GDPR will apply to non-EU entities that process personal data of individuals in the European Union. The current condition of being “established” in the EU will disappear. The application is also not limited to processing of personal data of EU citizens, rather it concerns persons of any nationality as long as they are in the EU.

Hello portability

GDPR provides for the right to be forgotten (already established under CJEU case-law) but also the right to data portability. Data subjects have the right to receive their data in a structured, commonly used and machine-readable format – one of the most challenging changes for digital businesses.

Relying on consent will be far less practical

The legitimate grounds for processing do not change; however, relying on consent becomes more difficult, since consent will require an affirmative response from the data subject. Consent will have to be more granular (per type of processing) and used only when the data subject has a real choice in the matter.

Data protection officers

The appointment of a data protection officer (DPO) will be mandatory for public authorities, companies engaging in regular and systematic monitoring of data subjects on a large scale, as well as for companies processing special categories of data on a large scale.

Data breach notifications

Controllers must report a data breach to the supervisory authority no later than 72 hours after becoming aware of the breach. The data breach must also be notified to the data subjects, where it is likely to result in a high risk to their rights and freedoms. The controller has the uneasy task of deciding whether the risk is high or not, and more often than not this will require specialised advice.

Get used to privacy impact assessments

Data protection impact assessments (DPIAs) will be required for projects likely to result in high privacy risks, and in particular when using new technologies. In plain language, if you want to contract a cloud service, develop an app, implement smart technologies and many more, you will have to first perform a privacy impact assessment, and log the results for possible inspection.

Data security at the forefront

The controller and processor are jointly liable to implement appropriate (but still state of the art) technical and organisational measures to ensure an appropriate level of security corresponding to the risks identified (see the previous point on DPIAs). You will have to ensure regular testing, assessment and evaluation of the effectiveness of your (including your processor’s) security measures.

Our Numbers & Things to know

We are experienced in legal assistance to high-profile companies in connection with various IT and data protection aspects, such as cloud computing, cybersecurity, behavioural advertising, data retention, international transfer of personal data, privacy impact assessments, surveillance of employees etc. Our combined experience means, in other words:






Know More

About Privacy One

We speak our clients’ language because we’ve been in their shoes countless times. We understand their problems because many of them have been our own. We can anticipate their needs and can see the dangers that await in various stages of their business.

Andreea Lisievici

Andreea has 11 years’ experience as an attorney dealing with commercial, privacy and business compliance issues. She comes from an informatics high school and is very well-informed in terms of new technologies, which gives her the special advantage of understanding the technical issues behind privacy laws. This makes her very efficient in providing legal assistance related to various IT and data protection matters such as cloud computing, cybersecurity, behavioural advertising, data retention or surveillance of employees. She has also acted as counsel in arbitration cases of IT-related disputes.

Alin Popescu

Alin has over 15 years of experience as an attorney working exclusively in matters related to the internet and to online businesses. He has drafted legislative bills in this field, written books about the legal challenges of online businesses, been a speaker at hundreds of specialised events, assisted some of the biggest internet companies in the world and helped develop, throughout the years, the representative associations for the online advertising industry (IAB Romania) and online publishing (BRAT). During the last 10 years, he has been the CEO of Avocatnet.ro, the online project that explains legislation, each month, to millions of people. He is now CEO of avocatnet.ro.

Our speaking engagements:

May 18th 2017, BRAT Romania
Practical seminar: "2018 brings major changes in personal data legislation. Consequences and direct effects of the GDPR on the online advertising business industry and the publishing industry".

June 8th, Wolters Kluwer
Practical seminar: "The New General Data Protection Regulation: What you need to know to prepare for the practical application of GDPR".

June 8th, IDC Romania
Conference: "IDC Security Roadshow 2017. Information Security in the Multi-Platform Era".

June 22nd, BRAT Romania
Practical seminar: "2018 brings major changes in personal data legislation. Consequences and direct effects of the GDPR on the online advertising business industry and the publishing industry".


Get in Touch with Us

Our Headquarters are in Bucharest, Romania

Iuliu Maniu no. 7, Corp U
4th floor, 030836
Email: contact at privacyone.ro