We are the boutique law firm specialising in IT&C law


General services

We understand business strategy and IT&C related technical aspects

Our combined experience has seen us facing some very interesting challenges. We bring together experience and strategy acquired working with companies in IT, media, banking, online stores and other industries. We’ve been through the creation and assisted in the management of companies whose activity “touched” millions of people. As the Chinese would say - we’ve looked into the eyes of the dragon and lived to tell the tale.

Details about our services

Communications & Mobility

We cover legal aspects generated by the use of smart devices on a large scale in modern business society. We also advise line carriers, mobile operators, MVNOs and ISPs on cutting-edge regulatory issues.

eCommerce & Digital Media

We cover legal aspects of developing and publishing content, negotiating and drafting industry-specific contracts, virtual worlds, social media, electronic signature, online advertising etc.

Privacy & Information Management

We are experienced in providing legal assistance on highly specialised data protection aspects, such as cloud computing, data breaches, behavioural advertising, data retention, international transfer of personal data, privacy impact assessments etc.

Technology & Outsourcing

We offer legal assistance to our clients on cloud services, FinTech, HealthTech and hardware developments. We also cover legal aspects of technology disputes, global technology agreements, technology procurement etc.


GDPR is coming on May 25th 2018. Are you ready?

A survey prepared by Dell at the end of 2016 brought forward some alarming results: more than 80% of respondents know few details or nothing about GDPR, and less than one in three companies feel they are prepared for GDPR.
97% of all companies don’t have a plan to ensure GDPR compliance.


Harsh penalties

Non-compliance with GDPR can trigger fines of up to 20 million EUR or 4% of the global turnover, whichever is greater. That’s perhaps not the greatest point to start with and we don’t employ scare tactics, but we know that the cost of non-compliance is usually what business owners want to know first.

Extra-territorial application

The GDPR will apply to non-EU entities that process personal data of individuals in the European Union. The current condition of being “established” in the EU will disappear. The application is also not limited to processing of personal data of EU citizens; rather, it concerns persons of any nationality as long as they are in the EU.

Hello portability

GDPR provides for the right to be forgotten (already established under CJEU case-law) but also the right to data portability. Data subjects have the right to receive their data in a structured, commonly used and machine-readable format – one of the most challenging changes for digital businesses.

Relying on consent will be far less practical

The legitimate grounds for processing do not change; however, relying on consent becomes more difficult, since consent will require an affirmative response from the data subject. Consent will have to be more granular (per type of processing) and used only when the data subject has a real choice in the matter.

Data protection officers

The appointment of a data protection officer (DPO) will be mandatory for public authorities, companies engaging in regular and systematic monitoring of data subjects on a large scale, as well as for companies processing special categories of data on a large scale.

Data breach notifications

Controllers must report a data breach to the supervisory authority no later than 72 hours after becoming aware of the breach. The data breach must also be notified to the data subjects, where it is likely to result in a high risk to their rights and freedoms. The controller has the uneasy task of deciding whether the risk is high or not, and more often than not this will require specialised advice.

Get used to privacy impact assessments

Data protection impact assessments (DPIAs) will be required for projects likely to result in high privacy risks, and in particular when using new technologies. In plain language, if you want to contract a cloud service, develop an app, implement smart technologies and much more, you will first have to perform a privacy impact assessment and log the results for possible inspection.

Data security at the forefront

The controller and processor are jointly liable to implement appropriate (but still state of the art) technical and organisational measures to ensure an appropriate level of security corresponding to the risks identified (see the previous point on DPIAs). You will have to ensure regular testing, assessment and evaluation of the effectiveness of your (including your processor’s) security measures.

Get in Touch with Us

Our Headquarters are in Bucharest, Romania

Bd. Aviatorilor nr. 47, etaj 2
Bucharest, Romania
Email: contact at privacyone.ro