GDPR for businesses

We guide your company from applicability and role assessment to full operational readiness: documentation, incidents, data transfers and a 0-9 stage plan.

Brands we've worked with

1koszyk
Adresowo
AnyPark
Atomstore
Autopay
Baselinker
BMG Goworowski
Booksy
Booste
Bratna
Cashbene
Codility
DPay
EasySend
Fenalabs
Fenige
FiberPay
Happy Birds

Scope of GDPR support in the 2026 reality

We build compliance that works operationally: from defining the regulatory role to implemented processes, documentation and inspection readiness.

Data controller (Controller)

Determines the purposes and means of processing. Priority: ROPA, legal basis, handling of data subject requests (DSAR), DPIA, breaches and accountability.

Joint controller (Joint Controller)

Joint determination of purposes and means. Priority: joint controllership agreement, allocation of responsibilities and consistent information for data subjects.

Data processor (Processor)

Processes data on behalf of the data controller. Priority: data processing agreements (DPAs), sub-processor management, security and a register of processing categories.

Non-EU entity

If you offer services to people in the EU or monitor their behaviour, GDPR usually applies extraterritorially and requires a full compliance system.

Lawfulness, fairness, transparency

Clear communication and a correct legal basis for every process.

Purpose limitation

Data used only for clearly defined and legitimate purposes.

Data minimisation

Data scope adequate to the process and business risk.

Accuracy

Up-to-date data and processes for error correction.

Storage limitation

Retention and erasure of data in line with the purpose and legal obligations.

Integrity and confidentiality

Technical and organisational safeguards proportionate to the risk.

Accountability

Documentation and evidence of compliance ready to present to the authority.

Sanctions and risk

The most serious breaches may result in fines of up to EUR 20 million or 4% of annual turnover, and other breaches up to EUR 10 million or 2% of turnover.

2026 priorities

Transparency (Articles 12-14), dark patterns, data transfers and the AI Act + GDPR overlap are the main enforcement areas.

Enforcement scale

Total fines in the EU have exceeded EUR 5.88 billion, with supervision focused on process quality, not just formal documents.

Legal status/material: 21 February 2026.

Documentation and procedures: obligation → process → outcome

We design documentation so that it supports day-to-day business decisions and genuinely reduces operational and sanctions risk.

In practice, organisations most often fail not because of a missing single document, but because of inconsistent processes between business, IT and compliance.

That is why we organise the entire chain: from ROPA and legal bases, through DSAR and DPIA, to SCC/TIA transfers and incident procedures.

  • Clear allocation of responsibilities and SLAs for key actions
  • A consistent set of documents for the board, teams and auditor
  • Documents ready to use from day one of implementation

ROPA and data mapping

Inventory of processes, data categories and flows in the organisation.

Outcome: Process map + ROPA

Legal bases and LIA

Assignment of Article 6 legal bases to each process and documentation of legitimate interest balancing tests.

Outcome: Legal basis matrix + LIA

Article 13/14 clauses and privacy notice

A complete set of clauses for channels and groups of data subjects, including transfers and AI processes.

Outcome: Clause set + privacy policy

Data subject rights and DSAR

Procedures and forms for handling access, erasure, objection and portability requests.

Outcome: Request procedure + register

DPIA and privacy by design

Impact assessments for high-risk processes, including LLM/ML deployments and profiling.

Outcome: DPIA register + checklist

DPA, SCC and TIA

We organise the processor chain and transfers outside the EEA with risk controls.

Outcome: Contracts + transfer register

DPO outsourcing and data governance

A model for organisations that need ongoing expert oversight, board support and practical decisions at the intersection of law, IT and operations.

We help assess whether a DPO is mandatory (large-scale monitoring, special categories of data, public sector) and implement an operating model adapted to the organisation's scale.

  • Designation of the DPO role and scope of responsibility
  • Independence of the function and absence of conflicts of interest
  • Incident support and board reporting
  • Prioritisation of actions and oversight of the 0-9 stage plan

DPO operating model

We set the rhythm of cooperation, escalation channels and decision standards for business projects.

Breaches and 72 hours

We design the breach procedure from internal reporting to the decision on notifying the Polish DPA.

Ongoing oversight

We run periodic compliance reviews, KPIs and a remediation plan.

GDPR training and audits

We build competencies and measurable readiness: separate tracks for the board, compliance, HR, marketing and IT, plus an annual audit with a remediation plan.

Management board

Governance, accountability and risk decisions.

Compliance / DPO

ROPA, DPIA, SCC/TIA transfers, DSAR, breaches.

HR

Employee data, recruitment, monitoring and retention.

Marketing / IT

Cookies, dark patterns, profiling, AI and Article 22.

All employees

Awareness, red flags and rapid incident reporting.

Audits

Full compliance review and action plan for the next period.

Privacy Notice Audit

Review of privacy notices for the EDPB 2026 priority.

Security and transfers audit

Review of DPAs, SCC/TIA, DSAR SLAs and the effectiveness of incident procedures.

GDPR key dates timeline

We base the work plan on deadlines and trends that genuinely affect compliance priorities and the organisation's budget.

25 May 2018

Start of full GDPR application in the EU.

Q4 2025

Digital Omnibus: direction of simplifications and standardisation.

September 2025

Confirmations on transfers and adequacy (including DPF).

2026 (CEA transparency)

Coordinated EDPB enforcement actions for transparency obligations under Articles 12-14.

2 August 2026

Full AI Act obligations for high-risk systems and strong overlap with GDPR.

2031

Horizon for some systemic changes and adequacy in selected regimes.

GDPR implementation plan: stages 0-9

We close each stage with a specific document so that the board and teams have control over progress and risk.

Stage 0 — applicability and role

We check whether and how GDPR applies to the organisation — we assess the activity, data scope and Controller, Joint Controller and Processor roles. The deliverable is an applicability assessment.

Stage 1 — processing map and ROPA

We build a full data processing map — we inventory processes, systems, flows and retention periods. The deliverables are a processing map and ROPA.

Stage 2 — legal bases and clauses

We standardise the lawfulness of processing and information notices — we map legal bases, prepare LIAs and a full set of Article 13/14 clauses. The deliverables are a legal basis matrix and a clause set.

Stage 3 — data subject rights (DSAR)

We ensure timely and repeatable handling of data subject requests — we design the procedure, forms, identity verification and the DSAR register.

Stage 4 — DPIA and privacy by design

We assess and mitigate risk in high-risk processes — we implement DPIAs, Privacy by Design checklists and an AI DPIA standard for LLM/ML-based processes.

Stage 5 — DPAs and the processor chain

We organise data-processing vendors contractually — we update DPAs, roles, sub-processor management and due diligence. The deliverables are data processing agreements and their register.

Stage 6 — data transfers

We secure data transfers outside the EEA — we map transfers, implement SCCs and TIAs and an adequacy monitoring process. The deliverables are a transfer register and TIA.

Stage 7 — breaches and 72 hours

We ensure swift response to personal data incidents — we build the breach procedure, escalation path, notification templates and register.

Stage 8 — DPO and regulatory integration

We connect GDPR management with related regulations — we design the DPO model and a map of GDPR, AI Act, DORA, NIS2 and AML. The deliverables are a DPO model and a regulatory matrix.

Stage 9 — training, audit, improvement

We maintain compliance and inspection readiness — we run a training programme, annual audit and remediation cycle.

Integrating GDPR with other regulations

We build a single compliance management model to avoid duplication and conflicts between requirements.

GDPR + AI Act

DPIA, Article 22, transparency and human oversight for AI systems.

GDPR + DORA

Coherent management of ICT incidents and personal data breaches.

GDPR + NIS2

Common security standards, escalation and cyber supervision.

GDPR + AML

Compliant retention, legal basis and proportionality of processing for AML obligations.

GDPR + DSA/DMA

Transparency of profiling, advertising and platform user data.

GDPR + e-Privacy

Consent management, cookies and elimination of dark patterns.

GDPR service packages

We tailor the scope of work to the organisation's stage: from quick diagnosis to full implementation and an ongoing compliance maintenance model.

GDPR readiness diagnosis

For companies that want to quickly assess their starting point before a larger implementation or audit. You get a gap analysis and a priority plan.

Privacy notice audit (EDPB 2026)

For organisations with multiple contact channels and profiling that are preparing for marketing campaigns or inspections. You get an audit of Article 12-14 clauses and implementation recommendations.

Full GDPR implementation

For companies building a full compliance system — when entering a new market or scaling operations. You get a complete set of procedures, documentation and a data governance model.

DPIA package — processes and AI

For teams implementing high-risk processes, scoring, profiling or AI automation. You get a DPIA package, a risk register and safeguard recommendations.

Review of data processing agreements and transfers

For organisations with an extensive vendor network that have changed tools or jurisdictions. You get a review of DPAs, SCC/TIA and a map of transfers outside the EEA.

Ongoing GDPR support

For companies that, after implementation, need ongoing compliance oversight. You get periodic supervision, documentation updates and incident support.

Expert leading the GDPR area

In GDPR projects we combine legal, operational and technology perspectives to move from risks to measurable results faster.

Expert support from the diagnosis stage

  • Prioritisation of risks and management decisions
  • Rapid closure of critical compliance gaps
  • Ongoing support at the intersection of business, IT and law

  • Experience in GDPR projects for e-commerce, IT and fintech
  • GDPR integration with AI Act, DORA, NIS2 and AML
  • Support for incidents and supervisory authority inspections

Zofia Babicka-Klecor

Founder

Lawyer, e-commerce expert

Zofia is the founder of Legal Geek and an expert in consumer rights and e-services law. She advises on e-commerce, digital business models, and data protection. As a Partner at Legal Geek she leads legal support for e-commerce and GDPR matters.

FAQ: most frequent questions from boards and teams

Below we have collected the questions most frequently raised in implementation and audit projects.

Does every company fall under GDPR?

If you process the personal data of natural persons, GDPR generally applies regardless of company size. Exceptions are narrow — they mainly concern purely personal or household activities.

When is a DPIA mandatory?

When a process may pose a high risk to the rights and freedoms of individuals, e.g. profiling, large-scale monitoring or AI solutions processing personal data. The Polish DPA publishes a list of operations that always require a DPIA — it is worth checking before launching a new project.

What does the 72-hour deadline mean?

It is the maximum time for notifying a breach to the supervisory authority (UODO) after detecting an incident that meets notification criteria. If you do not yet have all the data within 72 hours, you may submit an initial notification and supplement it later.

How to organise DSAR in practice?

What you need: a procedure, a form, identity verification, a case register and clear SLAs between departments.

Are SCC and TIA still required?

Yes. For transfers outside the EEA based on SCCs, a transfer impact assessment (TIA) and ongoing monitoring of changes in the destination country are required.

How to combine AI and Article 22 GDPR?

You need to assess the impact of automated decisions, ensure transparency and implement adequate human oversight.

When is a DPO mandatory?

Among other cases, when the activity involves regular large-scale monitoring of individuals or large-scale processing of special categories of data.

Can GDPR be implemented in stages?

Yes. First a diagnosis and critical gaps, then a 0-9 stage plan with business priorities. This approach allows you to quickly close the most important risks before the full documentation is completed.

What does inspection readiness look like?

The organisation has up-to-date documentation, working procedures, decision registers and a confirmed audit and training cycle.

GDPR materials at every stage of implementation

We leave you with practical materials that help you start the diagnosis faster, organise documentation and prepare the team for operational work.

GDPR legal guide

Starting point for stages 0-2: scope of applicability, roles and core data controller obligations.

Download the guide

Infographic and checklist

Quick checklist for stages 1-4: ROPA, clauses, data subject rights and DPIA.

Download the checklist

Webinars and implementation practice

Materials for stages 5-9: transfers, breaches, governance and integration with the AI Act.

View series

Contact us about GDPR implementation

We will choose the right stage of work: diagnosis, target implementation or a model for compliance maintenance and incident support.

GDPR services are led by:

Zofia Babicka-Klecor

Founder

Lawyer, e-commerce expert

+48 797 711 924
info@legalgeek.pl
