Business Compliance Consulting

Data protection obligations run through every business process that touches personal data — not just the IT or legal department. We help organizations identify where compliance obligations arise across their operations and implement practical solutions that hold up under regulatory scrutiny.

IT & System Reviews

We assess the data protection implications of your IT infrastructure — cloud services, SaaS tools, analytics platforms, and internal systems. We review data flows, access controls, logging mechanisms, and vendor relationships, and provide actionable recommendations for technical and organizational measures.

Cookie & Tracking Compliance

We analyze your website and digital platforms for compliance with GDPR and the TDDDG, covering consent management, cookie categories, tracking technologies, and the legal basis for each processing activity. We design consent flows that meet regulatory requirements without unnecessarily degrading user experience.

Marketing Data Governance

We review your marketing data practices — CRM systems, email marketing, lead generation, behavioral targeting, and customer profiling — and help you establish a lawful, documented framework for each activity, with particular attention to consent validity, data minimization, and third-party data sharing.

Full-Scope Risk Assessment

We conduct comprehensive privacy risk assessments across your organization, identifying high-risk processing activities, assessing the adequacy of existing safeguards, and prioritizing remediation measures. The output is a structured risk register with clear accountability, timelines, and recommended actions.

Cross-Border Data Transfer

For any organization transferring personal data between Europe and countries outside the EEA — particularly China — cross-border transfer compliance is one of the most heavily scrutinized areas of GDPR. We help you design and implement transfer mechanisms that are legally robust and operationally sustainable.

Transfer Mapping & Gap Analysis

We map all cross-border data transfers within your organization — covering employee data, customer data, vendor relationships, and system integrations — and assess whether each transfer has an adequate legal basis under GDPR Chapter V.

Transfer Impact Assessment (TIA)

Where data is transferred to countries without EU adequacy decisions, a TIA is required. We conduct Transfer Impact Assessments that meet EDPB standards, taking into account local surveillance laws, data subject rights, and available remedies in the destination country.

Standard Contractual Clauses (SCC)

We implement the EU’s Standard Contractual Clauses — selecting the correct module, completing the required annexes, and ensuring the clauses are properly integrated into your vendor and intercompany agreements in a way that is legally coherent and operationally workable.

EU–China Data Flow Strategy

We specialize in EU–China data flow challenges: navigating the interaction between GDPR and Chinese data laws (PIPL, DSL), identifying practical transfer mechanisms for HR data, customer data, R&D data, and autonomous driving test data, and advising on data localization strategies where required.

DPMS Framework Setup

A Data Protection Management System is the organizational backbone of GDPR compliance — the documented framework that governs how your organization handles personal data across all its activities. We design and implement DPMS frameworks tailored to your business model, scalable as you grow, and structured to withstand regulatory review.

Privacy Policy & Notice Development

We draft and review all external-facing privacy documentation — website privacy notices, app privacy policies, employee privacy notices, and customer-facing data processing information — ensuring they are accurate, complete, and written in the plain language required by GDPR.

Records of Processing Activities (RoPA)

Article 30 GDPR requires organizations to maintain a comprehensive record of all data processing activities. We build and implement a RoPA that captures all required information — processing purposes, legal bases, data categories, retention periods, recipients, and transfer safeguards — and establish a process for keeping it current.

Data Processing Workflow Design

We translate your business processes into documented data flows, identifying where personal data enters, moves through, and exits your organization. These workflows form the evidentiary foundation for demonstrating compliance and support effective risk management, DPIA scoping, and vendor management.

Governance Structure Setup

We help you establish internal governance structures — defining roles and responsibilities, setting up escalation paths for data protection issues, and embedding data protection review into your product and procurement cycles — so compliance remains sustained over time.

AI High-Risk Assessment

AI systems that process personal data sit at the intersection of GDPR and the EU AI Act. We help organizations assess, document, and remediate the compliance risks of their AI systems — before they become regulatory problems.

EU AI Act Risk Classification

We assess your AI systems against the EU AI Act’s tiered risk framework, determining which obligations apply — including conformity assessments, technical documentation requirements, and human oversight mechanisms — based on the system’s function and use context.

GDPR Lawfulness Assessment for AI

Using AI to process personal data requires a clear legal basis under GDPR. Certain applications — including automated decision-making and profiling — trigger additional obligations under Articles 22 and 35. We assess the lawfulness of your AI use cases and advise on how to structure processing to minimize legal exposure.

AI Recruiter & HR Tool Assessment

AI-powered recruitment tools, performance monitoring systems, and employee analytics platforms are among the most scrutinized applications under both the EU AI Act and GDPR. We assess HR AI tools for bias risk, transparency obligations, employee rights, and works council consultation requirements under German law.

ChatBot & Conversational AI Review

We review the data architecture, consent mechanisms, retention practices, and transparency disclosures of conversational AI deployments — including LLM-powered tools integrated into customer service workflows — for compliance with GDPR and the EU AI Act.

Contract Management

Every relationship in which personal data is shared, processed, or transferred requires a contractual framework that clearly allocates responsibility and meets GDPR’s documentation requirements. We draft, review, and negotiate the full range of data protection agreements.

Data Processing Agreements (DPA)

Where you engage a vendor or processor to handle personal data on your behalf, GDPR Article 28 requires a written DPA. We draft agreements that meet all statutory requirements, address the specific processing activities involved, and include technical and organizational measures that genuinely apply — not generic boilerplate.

Joint Controller Agreements (JCA)

Where two or more organizations jointly determine the purposes and means of processing — common in joint ventures, marketing partnerships, and shared platforms — GDPR Article 26 requires a transparent arrangement. We structure JCAs that accurately reflect the operational relationship and allocate compliance responsibilities both parties can fulfill.

Standard Contractual Clauses (SCC)

We select the correct SCC module, complete all required annexes including the Transfer Impact Assessment, and integrate the clauses into your broader contractual framework in a legally coherent and operationally workable way.

Agreement Review & Clause Negotiation

We review existing DPAs, JCAs, and SCCs against current GDPR requirements and enforcement practice, identify material gaps, and provide redlined revisions. Where counterparties push back on data protection terms, we provide negotiation support — advising on which positions are legally required and where reasonable compromise is possible.

Training & Culture Building

Sustainable compliance cannot be maintained through documentation alone. It requires an organization where people at every level understand their obligations, recognize data protection issues when they arise, and know how to respond. We design and deliver training that builds genuine capability — not just checkbox completion.

Employee Privacy Awareness Training

We develop and deliver foundational data protection training for all staff — covering GDPR principles, day-to-day obligations, secure data handling, and incident response. Training is adapted to your organization’s specific context and the data your employees actually work with.

Role-Specific Training

Different functions face different challenges. We develop targeted modules for HR teams, IT teams, marketing departments, and operational managers — each focused on the specific data protection issues relevant to their work and the decisions they make.

Management & Board-Level Briefings

Data protection is a governance issue. We provide executive-level briefings that give senior leadership a clear understanding of the regulatory landscape, the organization’s current risk exposure, and their responsibilities under GDPR — without requiring them to become legal experts.

Organizational Compliance Enablement

We help organizations build the processes and habits that make compliance self-sustaining — establishing escalation paths, creating decision-support tools for common scenarios, and embedding privacy review into project management and procurement workflows.

Data Breach Response

When a personal data breach occurs, the clock starts immediately. GDPR requires notification to the relevant supervisory authority within 72 hours. How an organization responds in the first hours determines not only its legal exposure but also the lasting reputational impact. We provide expert guidance through every stage of the process.

Breach Detection & Initial Assessment

Not every security incident involving personal data constitutes a notifiable breach. We help organizations rapidly assess whether an incident meets the notification threshold — evaluating the nature of the data affected, likely consequences for individuals, and risk level — and document the assessment in a format that demonstrates regulatory compliance regardless of the outcome.

Regulatory Notification (72-Hour Deadline)

Where a breach requires notification, we draft and submit the notification to the relevant data protection authority within the statutory deadline — managing the communication process and handling follow-up exchanges with the supervisory authority.

Data Subject Notification

Where a breach is likely to result in high risk to affected individuals, we assess whether direct notification is required, draft the communication in clear and plain language, and advise on the most appropriate channel and timing.

Post-Incident Review & Remediation

Once the immediate response is complete, we conduct a structured review to identify root causes, assess the adequacy of existing safeguards, and develop a remediation plan that reduces the risk of recurrence — producing documentation that demonstrates to regulators that the organization has acted responsibly.

DSR Request Handling

GDPR grants individuals a comprehensive set of rights over their personal data. These rights are enforceable, the deadlines are strict, and failure to respond is itself a violation — independent of whether your underlying data processing is lawful. We design the processes and provide the expertise to handle Data Subject Requests reliably and in full compliance.

DSR Process Design

We design end-to-end workflows for receiving, verifying, processing, and responding to data subject requests — covering all right types under GDPR: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), and objection (Art. 21). The process is documented, assigned to named roles, and integrated into your operational workflows.

Identity Verification & Response Drafting

We advise on verification procedures that are both secure and compliant with GDPR’s anti-obstruction requirements. We draft responses to data subject requests — including access responses, erasure confirmations, restriction notices, and legally grounded refusal letters — reviewed for accuracy before dispatch.

Regulatory Complaint Management

Where a data subject escalates to a supervisory authority, we provide support throughout the complaint handling process — liaising with the authority, preparing the organization’s formal response, and advising on corrective measures where appropriate.

Ongoing DSR Support

For organizations with high volumes of data subject requests — common in consumer-facing businesses and large employers — we provide ongoing operational support: request intake management, response quality review, and regular reporting on volumes, response times, and outcomes.