Data Protection (GDPR)

Cărămidariu Druță Bunu SCA Data Protection (GDPR)
Practice areas

Data protection (GDPR): compliance, audit, and representation

We provide legal assistance in implementing and reviewing GDPR measures, analyze data flows, assess compliance documentation, and represent controllers and data subjects in investigations and litigation.

We can help quickly with:

  • ANSPDCP investigations and authority requests
  • security incident notification workflows
  • drafting mandatory documentation (ROPA, policies, notices)
  • responses to data-subject requests

Core practice areas in data protection

We manage legal operations related to personal-data processing, ensuring that documentation and internal workflows comply with Regulation (EU) 2016/679.

GDPR audit and compliance assessment

We evaluate data flows, existing documentation, legal bases, and risks generated by processing activities.

Internal documentation and GDPR policies

We draft internal policies, procedures, privacy notices, processing records (ROPA), and data-protection clauses.

Contracts and data transfers

We prepare clauses for controllers/processors, assess international transfers, and review supplier compliance.

Data-subject rights

We handle requests for access, rectification, erasure, portability, restriction, and objection, ensuring compliant responses.

ANSPDCP investigations and inspections

We assist with requests for information, onsite inspections, and challenges against authority decisions.

Security incidents and notifications

We analyze data breaches, determine notification obligations, and prepare all required documentation.

Comprehensive legal expertise tailored to each data controller

We combine legal analysis with operational review of data flows. We prepare required documentation, evaluate risk exposure, and align internal processes with GDPR and applicable sector rules.

Ongoing GDPR advisory

Support for day-to-day processing activities, legal clarifications, and internal policy review.

Compliance and internal audit

Procedure review, risk identification, and updates to mandatory documentation.

Representation in ANSPDCP investigations

Support in authority investigations, responses to requests, defense preparation, and challenges to imposed measures.

Frequently asked questions

The answers below are for guidance only. A concrete assessment requires reviewing the relevant documents.

Yes. Missing the legal response deadline may lead to corrective measures or sanctions if the delay is not justified and properly documented.

No. Notification is required only when the incident presents a risk to data subjects, and the risk assessment must be documented.

Not as final documents. Templates are only a starting point; GDPR documentation must be tailored to actual processing activities, data flows, and legal bases.

Transfers outside the EU require a legal basis (SCCs/adequacy decision) and proper safeguards; without them, the transfer may be sanctioned as unlawful.

A DPO is mandatory only in GDPR-defined situations (for example, large-scale systematic monitoring). If not mandatory, the role can be managed internally or outsourced.

Yes. ANSPDCP decisions can be challenged in court, including on legality, proportionality, and adequacy of reasoning.

Do you have a GDPR matter right now?

Send the documents and a short description of the situation. We will reply with a preliminary assessment and recommended next steps within one business day.