
GDPR Specialization

The data you process is your asset.

Compliance audits, policies and guidelines, DPO outsourcing, data processing agreements, data transfers, representation before the data protection authority, risk analyses. These are the processes that give you strategic security. We design GDPR documentation that works for your team. Wroclaw and all of Poland.


Trusted by

Toggl
Tooploox
CodeTwo
Spyrosoft
Jutro Medical
Doctor.One

We know your business model

What we do in the GDPR space.

Ensuring personal data protection doesn't end with creating a document from a template. It's an architecture of processes and documents tailored to your company's business model, one that we'll help you implement.

GDPR Audits

A process-driven approach to data security. Instead of theoretical analyses and an abstract list of risks, you get a concrete action plan from us. We map your processes and deliver a ready gap map with assigned priorities and deadlines. Your team knows exactly what to implement and how, the day after the audit.

Documentation Implementation

We implement documents that protect your business: records (RoPA, breach registers), privacy policies, procedures, and data processing agreements (DPAs). We use plain language. We create clear documentation, free of legal jargon, that your developers, PMs, and board will read and understand the first time.

Data Protection Officer Outsourcing

Your trusted advisor embedded in the organization. We take the burden of managing the data protection contact inbox and handling data subject requests entirely off your shoulders. You gain an external DPO who works directly within your tech stack (Teams, Notion, Slack, Jira) and knows the specifics of your industry.

Training and Awareness Building

Documents aren't everything. Real security comes from building awareness across your team. We know how to train in a way that delivers results and doesn't bore people. You get access to our automated e-learning platform. Every employee independently builds practical GDPR knowledge, while managers track progress confirmed by certificates.

Problems we know

Where companies most often put their data at risk, and how to fix it

No processor vetting procedure

When your provider suffers a data breach, the first thing the data protection authority will ask is how you vetted them before starting the partnership. Simply signing a data processing agreement (DPA) may not be enough. The lack of a documented assessment procedure means you're fully liable for your partners' mistakes. We implement mechanisms that efficiently vet providers without blocking the business.

No data breach response procedure

You have 72 hours to report an incident to the data protection authority. Without a ready action plan, that window turns into organizational chaos. The issue may be the speed of response itself, but also mistakes made under time pressure and inconsistent information sent to the regulator. With our support, you gain clear role assignments, step-by-step checklists, and full control over the situation.

Dead documentation and untrained staff

You can have the most polished GDPR procedures, but they're useless if they sit forgotten on a drive. Dead documentation combined with a lack of knowledge is a ticking bomb, and blurred accountability means compliance exists only on paper. That's why we work on two fronts: we combine practical training with precise role assignment. Everyone knows exactly what they're responsible for, and the data security system finally works.

Ignoring data subject requests

Users increasingly, and more knowingly, request access to their data, its deletion, or its transfer. Brushing off such emails or responding past the deadline is the shortest path to a complaint to the data protection authority and an unannounced inspection. As part of our DPO outsourcing, we take this problem off your shoulders entirely, handling requests efficiently and in compliance with the law.

No risk assessment for new technologies (AI, LLM)

Your team uses LLMs, voicebots, or profiling tools, often unaware that public algorithms learn from the data your clients enter. Adopting innovation without a risk analysis means losing control over confidential information. We review the solutions available on the market, recommend safe options, and create guidelines for using artificial intelligence.

No control over international data transfers

AWS, Google Workspace, HubSpot, Slack, or Notion. Most IT companies use them daily, and that means regularly transferring data to servers outside the EEA. Often this transfer is entirely legal. The problem is the lack of awareness and proper documentation. To do it lawfully, you need specific safeguards (TIA analyses, SCCs, or a Commission decision), and the whole thing must be recorded in your processing register (RoPA) and privacy policy. We'll map your tools, carry out transfer assessments, and implement the necessary clauses, giving you legal compliance and control over where your data lives.

Why dotlaw

Four pillars of working with us

Practicality

We're your partner. We don't describe legal risk in the abstract and we don't leave you with "on the one hand... on the other hand." We close every matter with a concrete recommendation. Our legal solutions are meant to grow your business.

Flexibility

We serve companies in the model that fits their stage of growth: from project-based support on a specific contract, through ongoing subscription service, to a fractional in-house model that works like an internal legal department. The form of collaboration is tailored to you.

AI-native

We've backed our services with GenAI from the very beginning. In line with the European guidelines we helped author, we shift efficiency into sixth gear. This lets us operate effectively even in the most complex matters.

Legal design

We design contracts, manuals, and guidelines so that your team can read and understand them without trouble. Legal documents no one can understand will never be effective.

How we start

From the first conversation to the first result

A 20-minute conversation

You tell us about your product, your data flow, and what's currently blocking your processes. We immediately assess how we can resolve it efficiently.

An action plan in 48 hours

Whatever the scale of the project, within two days of our conversation we come back with specifics: how we'll define the scope of work, how we'll approach the audit or implementation, and when you'll get a quote. You know exactly where you stand right away.

Full onboarding in a week

Once you accept the offer, we need a week at most to understand your business model and how your company processes data. We plug into your tools and simply get to work.

FAQ

Questions we hear most often.

Yes. But we won't leave you with a vague risk assessment. We'll review the document for unrealistic SLA requirements, contractual penalties, and unlimited liability. We'll point out what you can safely agree to and what needs renegotiation, and we'll prepare redlines to send back to the client. You can also simply connect us directly with your client and hand the entire negotiation process over to us.

Compliance teams primarily check whether you have the fundamentals in place. They most often require a record of processing activities (RoPA), internal procedures and policies, a clear privacy policy, a properly prepared DPA, and documented security measures (TOMs). We'll help you efficiently assemble a package that passes review and unblocks the sale.

GDPR doesn't directly require you to hold cyber insurance, but in the IT industry it's good practice and a market standard. Enterprise clients almost always require liability insurance in data processing agreements (DPAs). Such a policy not only protects your cash flow in the event of a breach, but above all makes negotiating large contracts significantly easier. If you don't have one, we can connect you with a trusted insurance broker who will help you find an offer tailored to your business.

At this point, official GDPR certification is practically nonexistent. When foreign clients ask about compliance, they usually expect a SOC 2 audit or an ISO 27001 certificate. Although GDPR doesn't directly require this, in practice it's the ticket to working with the enterprise sector. We help structure your data protection documentation so that it fits smoothly into the requirements of these security standards. Our team also includes certified ISO 27001 lead auditors, so we can support you in preparing your company for a certification audit.

It's legal, but it requires solid preparation. Before deploying AI-based tools, you need to establish an appropriate legal basis, update your privacy policy, and carry out a data protection impact assessment (DPIA). It's also crucial to ensure, in your agreement with the provider (e.g. OpenAI), that the model won't be trained on your clients' confidential data. As part of our support, we review these tools' terms of service (ToS) and prepare guidelines for your teams on how to use them safely and legally.

You can keep data in the US, but it requires putting additional legal safeguards in place. You need to rely on the Data Privacy Framework (if the provider holds a certification) or sign Standard Contractual Clauses (SCCs) supported by a TIA analysis. Choosing servers in the EEA (e.g. in Frankfurt) takes these formalities off your plate and makes negotiations with European clients easier.

Yes, each of these providers is a processor to whom you entrust data. This requires accepting an appropriate data processing agreement (DPA) and adding these entities to your record of processing activities (RoPA). Since they are US companies, you also need to safeguard the transfer of data outside the EEA and inform users about it transparently in your privacy policy.

A simple banner with just an "I understand" button is a breach of the regulations. You must obtain active, freely given consent for each category of cookies separately (marketing, analytics) before their scripts even load. The only exception is cookies strictly necessary for the technical functioning of the site. Here, an information notice alone is enough.
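The gating rule above, implemented as an added example (not dotlaw's own code or anything from the page): non-essential script categories stay blocked until the user records an explicit opt-in for that category, while strictly necessary scripts load without consent. The category names, the registry of script URLs and the injector function are assumptions made for the example.

```javascript
// Added example (not dotlaw's own code): a consent-gated script loader.
// Non-essential scripts (analytics, marketing) are injected only after the
// user has actively opted into that specific category; strictly necessary
// scripts load regardless, which only requires an information notice.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed placeholder URLs grouped by the consent category they need.
const SCRIPT_REGISTRY = {
  necessary: ["/static/session.js"],
  analytics: ["https://analytics.example/collect.js"],
  marketing: ["https://ads.example/pixel.js"],
};

// Initial state before the user has made any choice: nothing non-essential
// is permitted and no boxes are pre-ticked, so silence never counts as consent.
function createConsentState() {
  return { necessary: true, analytics: false, marketing: false, decidedAt: null };
}

// Record an explicit per-category decision. Unknown categories are ignored,
// "necessary" cannot be switched off, and only explicit booleans are accepted
// so that a missing or malformed value can never be read as an opt-in.
function recordConsent(state, choices, now = Date.now()) {
  for (const [cat, value] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat) || cat === "necessary") continue;
    if (typeof value !== "boolean") {
      throw new TypeError(`consent for "${cat}" must be true or false`);
    }
    state[cat] = value;
  }
  state.decidedAt = now;
  return state;
}

// Which script URLs the current consent state permits.
function permittedScripts(state) {
  return CATEGORIES.filter((cat) => state[cat] === true)
    .flatMap((cat) => SCRIPT_REGISTRY[cat]);
}

// Inject every permitted script that has not been injected yet. The injector
// is passed in so the gating logic can be exercised without a DOM; returns
// the URLs injected by this call.
function loadPermittedScripts(state, inject, alreadyLoaded = new Set()) {
  const injected = [];
  for (const url of permittedScripts(state)) {
    if (alreadyLoaded.has(url)) continue;
    inject(url);
    alreadyLoaded.add(url);
    injected.push(url);
  }
  return injected;
}

// Browser injector: appends a <script> tag to the document head.
function domInject(url) {
  const el = document.createElement("script");
  el.src = url;
  el.async = true;
  document.head.appendChild(el);
}

// Usage in a page (only runs where a DOM exists):
if (typeof document !== "undefined") {
  const state = createConsentState();
  const loaded = new Set();
  loadPermittedScripts(state, domInject, loaded); // necessary scripts only
  // Later, when the banner's per-category form is submitted:
  // recordConsent(state, { analytics: true, marketing: false });
  // loadPermittedScripts(state, domInject, loaded);
}
```

The point of the design is that the loader can only ever see what `permittedScripts` returns, and that function reads a state whose default for every non-essential category is `false`; an "I understand" button that never calls `recordConsent` therefore never unblocks analytics or marketing scripts.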

This kind of monitoring is a very high-risk area. The law allows you to track working time, but taking screenshots is most often regarded by supervisory authorities as a disproportionate and unlawful intrusion into an employee's privacy. Any form of monitoring requires solid justification, a separate set of rules, and formal advance notice to the team.

You have a maximum of 30 days to respond. First, you need to securely verify the sender's identity. Next, you verify whether you actually have an obligation to delete everything. For example, you can't delete data from invoices or billing history, because tax law prevents it. You respond specifically: you state what has been deleted and what you must retain, and on what grounds.

That's a myth. The Polish authority regularly imposes fines on medium-sized and smaller companies, most often as a result of complaints from dissatisfied clients, a lack of cooperation during an inspection, or in cases of flagrant security breaches. Beyond an administrative fine from the data protection authority, the real cost for a tech company can be loss of trust, the risk of civil lawsuits, and blocked B2B sales processes. On top of that come the operational and legal costs of handling the reported breach, the complaint, or the proceedings before the authority.

Assigning the DPO role to a board member is a GDPR violation due to the clear conflict of interest: you can't simultaneously make business decisions and independently oversee them. The obligation to appoint a DPO depends on the scale and type of processing (large-scale SaaS, for example, usually needs one). However, if you have no legal obligation, you can simply designate an internal coordinator for the process. Bear in mind, though, that this person should still have solid knowledge of the regulations and best practices in order to manage compliance.

Let's start. 20 minutes is enough.

You tell us what you're building and what's blocking you. You get a concrete answer.

Get in touch