Jump to main content

Legal Services

Privacy & GDPR

Complete GDPR compliance for companies — audit, data policies, outsourced DPO, incident management and training. No technical jargon, actionable solutions.

GDPR is not bureaucracy — it is a legal obligation with real consequences

The General Data Protection Regulation has been in force since 2018 and has generated millions of euros in sanctions across Europe. In Romania, the ANSPDCP has already imposed significant fines on both large companies and SMEs.

Boian, Gaina & Associates SPARL provides data protection legal services tailored to your business reality — not generic templates, but policies and procedures that work in the company's daily practice.

We work with companies across various sectors — retail, HR-tech, e-commerce, financial services, healthcare — helping them achieve compliance and, more importantly, maintain it over time.

GDPR compliance is not a project with a completion date — it is an ongoing process that must be embedded in organisational culture.

Boian, Gaina & Associates SPARL

Services

What we cover

GDPR compliance audit

Complete assessment of your current position — data flows, legal bases for processing, data categories, international transfers, processor contracts. Detailed report with prioritised remediation plan.

Data protection policies & procedures

Drafting privacy policies, processing notices for employees and customers, internal GDPR procedures (access, erasure, portability requests), Records of Processing Activities (ROPA).

Outsourced DPO (Data Protection Officer)

We provide the outsourced DPO function — mandatory for certain categories of controllers (public bodies, large-scale processing, special category data). We assume legal responsibility toward ANSPDCP and data subjects.

Data security incident management

Support in the event of data breaches — assessing notification obligations (72 hours to ANSPDCP, notifying data subjects), incident documentation, communication with the supervisory authority and reputational damage limitation.

Employee training & GDPR awareness

Customised training sessions for teams handling personal data — HR, marketing, sales, IT. Materials adapted to the company's specifics, with practical examples and real-world scenarios.

DPIA (Data Protection Impact Assessment)

Mandatory for high-risk processing activities — profiling, biometric processing, systematic monitoring. We conduct full assessments under Art. 35 GDPR, with risk reduction recommendations.

Why Boian, Gaina & Associates

Legal approach, not IT

GDPR compliance is primarily a legal obligation. We provide genuine legal advice, not technical checklists — including in disputes with ANSPDCP or complaints from employees.

DPO with assumed responsibility

The outsourced DPO function comes with legal accountability to the supervisory authority. We do not delegate this responsibility — we assume it directly.

Practically applicable solutions

The policies and procedures we draft are designed to be understood and applied by employees — not to gather dust. We adapt the language and procedures to the client's organisational culture.

Continuous regulatory monitoring

The GDPR framework evolves constantly — EDPB guidelines, CJEU decisions, ANSPDCP practice. Clients on GDPR retainer receive automatic documentation updates.

Frequently Asked Questions

  • Q

    Who is required to appoint a DPO?

    Under Art. 37 GDPR, appointing a DPO is mandatory for: public authorities and bodies, controllers carrying out large-scale systematic monitoring (e.g. companies with extensive CCTV, profiling platforms), controllers processing special category data on a large scale (health, biometric data, etc.). Other companies may appoint a DPO voluntarily — which is often recommended.

  • Q

    What fines does a non-compliant company risk?

    GDPR provides two levels of administrative fines: up to €10 million or 2% of global annual turnover (for procedural breaches) and up to €20 million or 4% of global annual turnover (for breaches of core principles). ANSPDCP can also impose complementary measures — temporary processing bans, remediation obligations.

  • Q

    Do I need a cookie policy on my website?

    Yes, if the site uses non-essential cookies (analytics, marketing, preferences). The cookie policy must be clear, accessible and allow granular consent. The cookie banner must offer genuine options — not just "Accept all". ANPC and ANSPDCP have begun actively checking Romanian website compliance.

  • Q

    What do I do if an employee or customer requests deletion of their data?

    An erasure request ("right to be forgotten", Art. 17 GDPR) must be resolved within 30 days. Not all requests must be honoured — exceptions exist for legal obligations, public interest or the exercise of legal rights. We assist with evaluating each request and formulating the correct legal response.

Is your company truly GDPR compliant?

A quick 30-minute audit identifies the main risks. Contact us for a free initial assessment.

Free consultation