Best advice on personal data protection

We’ll provide you with advice on how to do business as usual, while protecting the personal data and privacy of employees, clients and partners.

Our knowledge and experience come from working in key advisory positions on numerous complex GDPR compliance projects in Croatia and the region.

GDPR consulting and ongoing support

We provide our clients with operational support and advise them both in regular everyday business activities and in special situations which demand very specific expertise and urgent action. Depending on our clients’ needs, we are able to take on any inquiries and requests, but would especially like to highlight the following:

Taking appropriate action in case of a personal data breach

Providing breach remediation advice, breach severity assessment, communication and cooperation with supervisory authorities, communication with data subjects (clients, employees, or other persons), maintaining the breach register, determining causes of the breach and advising on appropriate actions in order to prevent breaches from happening in the future.

Fulfillment of data subjects’ rights

Resolving particularly extensive and/or sensitive requests or complaints

Extensive support in preparing for, and during, supervision by a supervisory authority

Preparing documents, reviewing information systems and other evidence depending on the subject of the supervision, preparation of persons who will represent the organization during supervision, representation in supervision, support in further proceedings.

Regulating relationships with data processors

Advising in the process of regulating the rights and obligations between data controllers, processors, and/or joint controllers, defining data processing contracts and defining appropriate technical and organizational measures to be taken by the processor, reliability assessment, and data processor audits.

Legitimate interest assessment (LIA)

Conducting a proportionality assessment for data processing operations based on legitimate interests. Methodology development, assessment, and documentation.

Data protection impact assessment (DPIA)

Assessing risks related to the processing, defining appropriate assessment methodology, conducting the assessment, documenting conclusions.

Third-country data transfers

Advising on the regulation of relationships and the application of security measures in cases of transfers of personal data to business partners or service providers outside of EU/EEA, preparing the documentation and defining appropriate technical protection measures.

Keeping up-to-date with news in the field of personal data protection

Informing the client on a regular basis about all changes in regulations in the field of personal data protection, information security, cyber security, and electronic communications. We highlight the relevant guidelines and decisions of the supervisory authorities, as well as case law of national and EU courts.

Gap Analysis and GDPR Audit

Conducting a gap analysis is useful if you are unsure of the extent to which the GDPR applies to your business and how it is applied in practice, especially for small and medium-sized companies.

Gap analysis identifies the gaps between the current state and the state of full compliance with the GDPR. The result of the analysis is a report that consists of descriptions of the applicable GDPR requirements, the current state of compliance, and the proposals for actions to be taken to reduce risks and achieve full compliance.

In accordance with the accountability principle, organizations must be able to prove compliance with the GDPR, which is achieved, among other things, by regular personal data protection audits. The result of a GDPR audit is a report consisting of a detailed description of any nonconformities and proposals for corrective actions.

The methodology which we use to conduct gap analyses and GDPR audits is based on vast project experience and best industry practices, and it covers all of the requirements of the GDPR, as well as special regulations that may be applicable in some cases (e.g. GDPR implementation act, electronic communications act, employment act, information act, etc.).

GDPR implementation

Achieving compliance with the GDPR requirements and establishing a personal data protection program is a process that consists of numerous activities and which largely depends on the complexity and the specifics of the organization. Most common project activities include:

  • Identifying business processes in which personal data are processed
  • Establishing the records of processing activities
  • Assigning responsibilities for personal data protection
  • Personal data protection risk assessment
  • Identifying appropriate technical and organizational protection measures
  • Personal data breach management
  • Regulating relationships with data processors and other partners
  • Managing data subjects’ requests and complaints
  • Developing policies, procedures and work instructions
  • Advising on specific industry requirements
  • Training the data protection officer and other employees
  • Identifying protection measures in terms of transferring personal data outside of EU/EEA

The organization will carry out all the necessary project activities with our guidance and support, which will result in achieving compliance with the GDPR requirements and establishing an effective personal data protection management system.

GDPR Compliance for Websites

Websites which allow for collection of personal data and online stores which enable the purchase and payment of products or services must comply with the requirements of the GDPR. If a website also makes use of cookies in order to provide additional functionality, measure performance or monitor user’s behaviour, regulations pertaining to electronic communications must also be taken into account.

Most commonly, collection of personal data on the web takes place when:

  • submitting information through a contact form
  • subscribing to a newsletter
  • registering a user account
  • making reservations / booking
  • processing payment for goods or services in online stores
  • applying for vacancies
  • using Google Analytics and similar tools to monitor performance and user behaviour
  • using Facebook Pixel and other tracking technologies for the purpose of marketing activities and targeted advertising

If any of the aforementioned points applies to your website, you are obligated to bring these business processes into compliance with the applicable regulations.

What’s included with website and online store compliance services?

  • Developing policies describing the use of personal data and the use of cookies
  • Advising on the use of cookies and other tracking technologies
  • Advising on common marketing activities – newsletters, giveaways, etc.

Data Protection Officer (DPO)

Organizations without the need or the resources for a data protection officer on a full-time employment contract may decide to hire external experts for the job.

Horvath Wolf can offer to take over the duties and responsibilities of the data protection officer in your organization. Depending on your needs and the agreed-upon scope of the contract, this includes:

  • Counseling on specific issues
  • Advising in the case of a personal data breach
  • Resolving data subjects’ requests
  • Communicating with the supervisory authorities
  • Consulting on any other matters pertaining to the protection of personal data