Privacy & data protection

Data protection and security compliance and risks affect every company and organisation. With the EU General Data Protection Regulation (GDPR) and the EU Network Information Security (NIS) Directive, in the EU data protection and information security are regulated by a comprehensive legal framework.

Our team has vast experience organizing, managing and coordinating clients’ international and national data protection and information security compliance projects. Since the adoption of the GDPR, we have been assisting many companies and organisations with their GDPR compliance exercises. We also have been involved in the drafting of various EU, Belgian and foreign data protection and information security legislation, and have close contacts with local regulators in the EU. We are frequently invited as speakers on these topics at international and national conferences, seminars and webinars.

GDPR & NIS COMPLIANCE

We assist in a wide range of compliance aspects, such as:

• GDPR compliance check
• In-house GDPR compliance training to CxOs, employees and DPOs
• Privacy and cookie policies
• Information security policies
• Data processor agreements
• Joint-controller agreements
• Data mapping and records of processing activities
• International data transfers (data transfer agreements, Binding Corporate Rules (BCRs), model clauses, etc.)
• Data protection impact assessments (DPIAs)
• Data subject access requests (SARs)
• Data subject opposition and right to be forgotten requests
• Data breaches and information security incidents
• Employee monitoring and whistle-blowing

DPO AS A SERVICE (GDPR)

Since the GDPR, some companies and organisations are required to appoint a Data Protection Officer (DPO). And even when appointing a DPO is not legally required, it may still be recommended to do so on a voluntary basis.

A DPO needs to have expert knowledge of data protection law and practices, and be independent. A DPO can be a member of a company’s personnel, but companies and organisations that do not have the required in-house expertise or resources can appoint an external DPO on the basis of a service contract. Such companies and organisations can appoint us as their external DPO, so that they can stay focused on their core business activities.

GDPR LITIGATION

The GDPR can be a source of litigation by data protection authorities, data subjects, and businesses and organisations:

• The GDPR has strengthened the investigation and enforcement powers of data protection authorities. They can conduct inspections at controllers’ and processors’ premises, order them to cease processing personal data, impose fines, etc.
• The GDPR confers a right to an effective judicial remedy for data subjects against any unlawful processing of their personal data by a data controller or processor. In addition, the GDPR provides any person suffering damage as a result of an infringement of the GDPR with the right to receive compensation. This thus can result in lawsuits by data subjects and consumer or civil liberties organisations before courts or data protection authorities for, e.g., processing without consent, unlawful data transfers, loss of personal data, unlawful retention of data, denial of data portability, etc.
• Companies that made investments to comply with the GDPR may find out that a competitor does not comply with its GDPR obligations, resulting in an unlawful competitive advantage for the latter. Companies may thus initiate cease-and-desist court proceedings against such  competitors in order to force them to also invest in GDPR compliance.

In such cases, our team can assist in conducting such proceedings, either on the plaintiff’s or the defendant’s side. We have a track record of successful litigation outcomes.