Data

Data protection and privacy-related matters are under intensified scrutiny by public authorities and individuals. Complementarily, businesses are more focused than ever on ensuring compliance with these requirements during the course of their operations.

Ready to meet the most exigent demands in this area of law, our firm has assembled a genuinely forceful dedicated team. Thus, clients benefit from our outstanding expertise and experience on the full range of data protection and privacy compliance issues applicable to their initiatives, including:

  • employment and human resources management activities
  • internal controls and audits, including FCPA audits
  • data transfers
  • marketing operations
  • database creation, sharing and transfer, including in case of business transfers, acquisitions and mergers, both national and cross-border
  • core activities
  • “cookies” and cloud computing

In addition, to our general advice we believe in preventive action and we proactively offer our clients data protection audits and hold trainings, as one of the most efficient tools in building or strengthening compliance in this field.

Our support includes advice on and representation during discussions with the National Authority for the Supervision of Personal Data Processing on the scope and implications of the regulations issued and obtaining a point of view on our clients various initiatives.

We also assist clients in fulfilling the notification and authorization processes before the Supervisory Authority, for both local processing operations and transfers of data abroad.

Data Protection Audits and Training

To ensure efficiency, coherency and as little business disruption as possible, we help clients structure an approach that builds on their regular arrangements as much as possible. Consequently, we identify processes that are subject to data protection law and assist with implementing solutions to ensure compliance. We aim to strengthen compliance and reduce risks to data security by tailored training sessions, addressing both general-applicability aspects and those relevant for various business units.

Examples of our work in data protection audits and training include services to:

  • a large financial institution and its subsidiaries with conducting an audit of the processing operations within the group to assess compliance with GDPR requirements, drafting an audit report with the findings, preparing an action plan with recommended measures to be implemented by the group to ensure compliance and assisting with the implementation thereof
  • a large retail group in relation to conducting an internal audit to assess compliance with data protection requirements of key departments within the company (including sales, marketing and human resources) as well as preparing and implementing an action plan with the measures set out in the audit report; also provided training to different teams involved with the processing of personal data
  • advice to a large energy group in conducting a GDPR gap analysis concerning the processing operations within the company and its subsidiaries active in the energy, natural gas and services areas, preparing an audit report and an action plan with recommended measures to ensure compliance
  • one of the American IT giants, by conducting an internal audit of processing operations by its Romanian subsidiary, supported by our training sessions with the human resources, sales, and marketing teams concerning the most important data protection aspects of their respective duties
  • the largest generic drug manufacturer worldwide, by conducting a full-scale data protection audit on all data processing operations of the Romanian subsidiary (e.g., HR, educational, business-related) and by subsequent assistance in implementing the actions set out in the audit report (including filing and reviewing notifications with the Supervisory Authority, reviewing internal policies and SOPs, preparing or reviewing privacy policies and information notes, training sessions on data protection matters)
  • a local subsidiary of an American pharmaceutical company, to whose management team we delivered specialized training on the main data protection requirements and on the advisable business conduct in dawn raids from the Supervisory Authority

Database Creation, Sharing and Transfer

We help clients implement data protection related requirements in relation to the creation and transfer of databases, including in case of business transfers.

We provide legal and practical guidance on how to identify and comply with data protection implications of intra-group disclosure of employee and customer data, including when data is transferred within and outside the European Union and the European Economic Area.

We provide practical solutions on switching from Safe Harbor as a legitimate basis for data transfers in the wake of the October 2015 CJEU ruling on the Safe Harbor framework.

Examples of our work include assistance and support to:

  • an important Swiss media company, concerning data protection implications, such as information and notification requirements, in connection with the sale of some of its business units in Romania
  • an American bank, on data protection matters arising from the cross-border merger of the client’s Romanian subsidiary with another affiliate
  • a financial institution, with the assessment of the data protection implications of transferring its portfolio of clients and contracts in Romania to an affiliate and assistance with the applicable formalities
  • the Romanian branch of a British insurance company, concerning the requirements applicable to personal data sharing with another company’s local affiliate
  • the Romanian entities of a major American insurance company, in the transfer of an insurance portfolio between them
  • the Romanian affiliate of a major automotive producer, in relation to the assessment of conditions for the acquisition of a client database from a national distributor and of actions for securing the possibility to use the database for direct marketing purposes

Employment Processes

Our clients rely on us to analyze the requirements and potential restrictions applicable to their various human resources projects.

We assist with the development of the full range of data protection documentation in order to meet the legal requirements in the field. This covers both informing the employees on how their data is processed by our clients (information and consent forms) and instructing the employees on the rules for handling personal data in their activity (privacy policies). The documentation may cover general human resources activities as well as more specific activities, such as acceptable use of electronic equipment, whistleblowing, fleet management, “bring your own device”.

We regularly advise on the rules to be followed when accessing equipment and documents during internal investigations and cross-border data flows.

We also advise on data protection implications of share option and similar benefits plans.

Examples of our work in this area include services and support to:

  • an American IT giant, in drafting data protection clauses for the standard individual employment agreement of its Romanian subsidiary
  • the Romanian affiliate of a major multinational IT and telecom company, concerning the most important data protection requirements for the processing of its employees’ personal data, including minimum information obligations, rules and limitations for recruiting, and notification with the Supervisory Authority
  • the largest oilfield services group, on various data protection and privacy compliance for its Romanian subsidiaries, including the localization for Romania of the group level computer use policy
  • the local subsidiary of a French food services and facilities company, in fulfilling the legal requirements for the implementation of a whistleblowing policy, involving the processing and transfer of data abroad and requiring our creation of information notices for employees and submissions to the Supervisory Authority
  • an American medical technologies firm, concerning the rules governing background checks during the recruitment process and the notification obligations in case of the transfer of employees’ data abroad
  • a leading multinational manufacturer of personal care and household cleaning goods, on data protection and privacy requirements and implications of implementing a “bring your own device” program at the level of the Romanian subsidiary
  • various entities, including a Spanish energy generator and supplier and an American pharmaceutical company, on the protection of personal data in employee whistleblowing schemes
  • a leading steel manufacturing corporation based in Luxembourg, in meeting the data protection information requirements for its worldwide employees’ share purchase plans, and in obtaining confirmation from the Supervisory Authority of a notification exemption
  • an American electronics manufacturer, concerning the data protection implications of its long-term incentive plan, including the possible transfer of employees’ data from the Romanian affiliate

Marketing-Related Data Processing

Marketing and customer services in the new era are data-driven. This means new compliance challenges for our clients. For example, we:

  • identify and explain the specific implications of new developments in data protection law for our clients’ marketing initiatives
  • draft compliant and commercially appropriate wording for promotional campaigns, in particular for obtaining consent for using personal data for marketing communications
  • draft data protection provisions for commercial agreements, especially agreements providing for database sharing for marketing campaigns
  • advise our clients on rules governing the deployment of loyalty or similar programs aiming at gathering clients’ data for further behavioral advertising

Examples of our work in this area include advice and support to:

  • a leading Finnish telecommunication equipment manufacturer, concerning various privacy matters related to its sales activities, such as the minimum required information for the privacy policy published on its website
  • a Polish real estate developer, by drafting the data protection related wording in marketing materials prepared for loyalty programs in shopping centers, and submitting the notifications to the data protection authority
  • a large American nutrition and food supplements company, concerning the data protection requirements applicable to its distribution structure and promotional campaigns in Romania
  • the local subsidiary of an American fast-moving consumer goods company, about the data protection requirements for marketing campaigns, including a review of the regulations and individual participation forms, in order to provide the minimum information required by law
  • a major tobacco manufacturer, concerning the categories of sensitive data that may be collected from individuals during marketing activities, and the development of data collection justifications to be provided to the Supervisory Authority
  • a leader in the cosmetics industry, on aspects of e-privacy and e-commerce issues in the implementation of a social networking site for its Romanian affiliate
  • a leading biotechnology company, in drafting a privacy policy for its clients’ data processing activities

Cookies and Cloud Computing

The legal and practical implications of the new “cookie consent” rules for websites and implementing the newly-developed requirements of the Supervisory Authority became the norm as advice we offer in today’s virtual communication context. Also, we provide advice and assistance to cloud computing clients and providers, as well as to business associations in relation to the data protection implications of cloud computing.

Examples of our work on such matters include services to:

  • the Romanian affiliate of one of the world’s leading suppliers of cement and aggregates, in drafting a cookie policy and implementing a cookie consent mechanism for its website, in compliance with the practice of the Supervisory Authority
  • the Romanian affiliate of a leading IT company, in relation to offering cloud computing services in Romania
  • foreign investors’ associations, as member of the core team, in drafting a practical guide on how data protection requirements should apply in a cloud computing context, submitted for the consideration of the Supervisory Authority
  • the Romanian affiliate of one of the world’s leading suppliers of cement and aggregates, in relation to the formalities before the Supervisory Authority for notifying and obtaining the Supervisory Authority’s authorization for a data transfer in the context of using cloud computing services

Data Breaches and Investigations; Data Subject Inquiries

Clients frequently turn to us for advice on data breaches and complaints received from data subjects.

As employees are becoming more aware of their data protection rights, we encourage and guide clients to conduct compliance checks and investigations into potential breach of policies and ethical business behavior in accordance with data protection principles. Also, we work together with our clients for timely response to the requests of data subjects about the processing of their personal data. Complementarily, we help clients addressing data protection inquiries to data controllers and to the Supervisory Authority.

Examples of our work in relation to data breaches, investigations and inquiries include services to:

  • a major international pharmaceutical company, in the internal investigation on privacy breach allegations made by former employees in the Romanian subsidiary
  • a Romanian subsidiary of a multinational client, in the investigation of an unlawful disclosure of employee sensitive personal data by a service provider to the client, data further propagated among the client’s employees
  • a Romanian subsidiary of a US-based multinational client, in the investigation of a breach of business ethics, by drafting documentation for the information of the employees about the investigation and related accessing of their IT equipments and business files and correspondence
  • a client in the pharmaceutical sector, on data sharing alternatives as part of a FCPA investigation; preparing related information and consent documentation for employees
  • a client in the pharmaceutical sector, in relation to responding to a data access request and to inquiries regarding a privacy policy received from employees of its Romanian subsidiary
  • employees of the Romanian affiliate of a large European Union-based retailer, in preparing data intervention requests in relation to unlawful, hidden camera, recordings by a television station, addressed to the media company and the Supervisory Authority
  • a natural person researcher, in preparing data intervention requests and a request based on the “right to be forgotten” in relation to the unlawful (excessive and incorrect) processing of its personal data by way of blacklisting and excessive publication of data, addressed to an NGO operating the blacklist, to a public authority processing data excessively, to a search engine company and to the Supervisory Authority

Relations With Authorities

The Supervisory Authority has been developing a complex, if somewhat non-transparent, practice whose knowledge is, more than ever, important when providing thorough advice on data protection matters. On behalf of our clients, we keep permanent contact with the Supervisory Authority and are attuned to its practice as it further evolves. This approach is aimed at obtaining timely and favorable resolutions for our clients’ projects, while balancing their legal requirements with the practice of the authority.

Thanks to this wealth of expertise and experience, we:

  • assist in preparing and filing processing and transfer notifications with the Supervisory Authority
  • advise on applicable exemptions from notification
  • provide representation in discussions concerning the application of regulations, guidelines initiated by the Supervisory Authority and any other matters of interest for our clients

We also provide assistance in controls carried out by the Supervisory Authority in connection with the notified processing operations or as a result of individual complaints.

Examples of our work in this area include advice and support to:

  • a major telecommunications operator, in proposing to the Supervisory Authority the potential extension of the access to credit bureaus regulations to allow telecom operators access to data required for financial exposure prevention purposes
  • a global leader in infrastructure and business intelligence software, in the notification of data transfers to states not recognized as ensuring an adequate level of protection of personal data, including in the control procedure performed by the Supervisory Authority for the purpose of issuing data transfer authorizations
  • a leading software company, in relation to the notification of data transfers to a country not recognized as ensuring an adequate level of protection of personal data and representation during the control of the Supervisory Authority
  • a leading global contract research organization, during the control performed by the Supervisory Authority with the Romanian affiliate in relation to the client’s policies regulating access to IT equipments and electronic folders and communications in case of investigations, further to the filing of a notification by the client with the Supervisory Authority
  • a leading distributor of medicines, during the discussions with the Supervisory Authority regarding the possibility and conditions for RFID monitoring of high importance medicine, against the risk of misappropriation

Core Business

Clients turn to us for tailored assistance in order to ensure compliance with data protection requirements and to fulfill related formalities specific to a main fields of activity, such as pharmaceuticals, financial, insurance, electronic communications and business information sectors.

Examples of our work on sector-specific data protection matters include services to:

  • a leading group in the pharmaceuticals distribution sector, in relation to the implementation of the data protection formalities for its business-specific data processing activities (including medicines transport programs and pharmacovigilance)
  • a major Swiss pharmaceutical company, concerning the data protection requirements applicable to clinical trials, including issues such as the sufficiency of data-related provisions of service agreements with entities conducting the trials and information notices for clinical trial participants
  • a significant SEE investment management company, on data protection matters in relation to the acquisition of a local bank, including post-transaction assistance in remedying aspects identified during the due diligence exercise
  • the Romanian branch of a multinational insurance corporation, on day-to-day compliance with privacy formalities and requirements and related procedures
  • an American information services company, about the data protection requirements for the establishment of directories based on data bases maintained by telecommunication services providers, for the purpose of providing directory inquiry services
  • the Romanian affiliates of a leading provider of IT solutions for the claims processing industry for vehicles, advising and assisting on data protection and privacy implications of providing data bases with records of damages suffered by vehicles and assisting in formalities, discussions and correspondence with the Supervisory Authority
  • the Romanian affiliate of an important European provider of business information services, advising and assisting on data protection and privacy conditions and formalities for providing a data base of business information in relation to companies, but also including personal data

Data Processing and Transfer Agreements; BCRs

We either draft processing and transfer agreements with Romanian and foreign data processors and data controllers, or advise on how to structure the collaboration with data processors and sub-processors.

With a tailored approach to our clients’ needs and the particularities of the data transfers, we assist in relation to transfer agreements based on the contractual clauses approved by the European Commission or with ad hoc agreements for transfers to countries not recognized as ensuring an adequate protection of personal data or on the minimum requirements of Romanian data protection legislation for transfers within European Union states.

Since the Supervisory Authority has agreed to rely on Binding Corporate Rules for authorizing data transfers within the group, we have been assisting several clients with the related formalities before the Supervisory Authority.

We also draft representation agreements for clients from outside the European Union who do not have a local presence in Romania.

Examples of our work on sector-specific data protection matters include services to:

  • the Romanian affiliate of a leader in business analytics software and services, in preparing data transfer agreements based on the controller – processor standard clauses approved by the European Commission covering the client’s HR, marketing and sales functions and obtaining data transfer authorizations in relation thereto from the Supervisory Authority
  • various on-line gambling companies without a presence in Romania, in drafting representation agreements necessary for compliance with data protection legislation in the context of offering on-line gambling services in Romania
  • the Romanian affiliate of the largest generic drug manufacturer worldwide, in preparing an ad-hoc data transfer agreement involving the use of a processor based in the European Union with sub-processors in non-EU countries
  • the Romanian affiliate of a global management consulting, technology services and outsourcing company, in obtaining from the Supervisory Authority a data transfer authorization in relation to the envisaged implementation of a data loss prevention tools based on the group’s Binding Corporate Rules
  • the Romanian affiliates of the largest oilfield services group, in drafting data transfer agreements based on the controller – controller and controller – processor standard contractual clauses approved by the European Commission for its HR and related functions and obtaining data transfer authorizations in relation thereto from the Supervisory Authority