GDPR and Data Protection

As experienced data protection lawyers, we count GDPR data protection compliance among our core competencies as we partner with companies operating in the EU and globally.

Srouji Avocats, technology law firm

Based in Paris and operating as a boutique law firm of lawyers specialized in technology law, our data protection lawyers are focused on data protection law in the EU and beyond, able to support our clients globally where they operate while drawing on deep expertise in all areas of technology law, including contracts, governance, artificial intelligence and data security. Technology law is at the forefront of our expertise, and we have a strong track record of helping our clients be GDPR compliant as well as compliant with global data protection laws.  

Our data protection lawyers go beyond providing simple advice on data protection regulations and instead partner with our clients to provide pragmatic, perennial solutions that meet their specific needs. Our data protection lawyers are also able to understand the larger implications of client challenges that go beyond GDPR regulations, especially those relating to cybersecurity and data security.

Data Protection Audits

We offer a full suite of data protection audit services with the independence of a boutique law firm of experienced data protection lawyers.

DPO assistance

Our data protection lawyers routinely serve as external DPOs and provide operational support for in-house DPOs.

 

Privacy Governance – DPIA

Our data protection lawyers routinely assist with drafting data protection impact assessments and identifying and mitigating the risks to be compliant with the EU and UK GDPR.

Regulatory assistance

Responding to supervisory authority queries requires expertise and perspective in order to provide timely and technically-complete responses to the regulator.

Data Breach assistance

Managing data breaches is resource-intensive and requires cross-functional support across the organization; our data protection lawyers have the know-how to effectively manage such incidents.

AI Act compliance

Our data protection lawyers understand the crossroads between data protection and artificial intelligence and can assist with AI conformity assessments to ensure compliance with the AI Act.

Independence of a law firm

Our law firm is independent and rarely if ever impacted by the conflicts of interest that often occur with larger law firms and consulting companies. Where needed, we are able to call on independent data protection lawyers in jurisdictions in Asia and the US to expand our scope of support and offer optimal solutions for our clients.

International focus

Our data protection lawyers work with large, international companies that have specific needs due to their often complex operational structures. GDPR regulations often impact not just the EU operations of our clients but also those in other parts of the world. Our data protection lawyers, thanks to their diverse backgrounds, are able to support the global footprint of our clients’ business: fluency in English (native speakers) and international experience (EU – US – Asia).

Proven track record

Our data protection lawyers have developed a solid track record since the firm’s creation in 2016. In addition, the firm’s founder brings extensive experience in data protection law, technology law and compliance as part of his 12+ years with a large international company where he drove the company’s global data protection program. Many of our clients are still engaged with the firm since its creation in 2016, a testimonial to our long-term vision of partnership.

Partnering with our clients

The solutions our data protection lawyers offer clients go beyond legal advice and instead take the form of a partnership to fully understand the client’s business and needs. This can take the form of stepping in as an external DPO to cover staffing shortages or supporting the back-office DPO work for GDPR data protection compliance. We routinely conduct secondment missions that allow our lawyers to fully integrate into the client’s compliance or legal team to offer seamless operational support.

Publications

Discover recent articles on data protection from our data protection lawyers, also covering artificial intelligence, business law and regulatory affairs, by clicking here.

Contact us

For more information about our services or to schedule an introductory meeting, you can send a message to info@sroujiavocats.com or fill out the below form.

Consultants can bring rich experience when it comes to data protection and have grounded knowledge in business processes and analysis. Data protection lawyers, however, offer the added value of better understanding the legal risks and are better positioned, for example, to assist in areas such as drafting and negotiating contracts with vendors; responding to regulatory queries; drafting legal memos; and leading (pre)litigation matters. In addition to the deontology requirements imposed on lawyers, it’s also important to note that engagements with law firms have the advantage of being protected by professional secrecy.

The question of appointing a DPO has historically been decided through a careful analysis of EU or UK GDPR requirements. Today, however, it is considered best practice and even a key factor of customer trust to designate a DPO (even for B2B businesses). Appointing a DPO also has the advantage of offering the supervisory authority a preferred contact point in the event there is a data breach or other data protection issue.

There are many similarities between data protection regulations and requirements of the AI Act. Companies are today adapting their existing data protection governance structure to meet these new requirements although many data protection specialists may not have the necessary skill set to address the specificities and technical nature of conducting conformity assessments for AI systems. The first step therefore is to assess the delta between the current structure and the required structure while identifying training requirements for existing staff, or perhaps the hiring of specialists depending on the business risk profile (i.e. high risk AI systems).

One of the fundamental shifts of the EU GDPR since 2018, which has also been confirmed via supervisory authority fines, is that processors can also be held fully liable for non-compliance with data protection regulations. Data controllers are increasingly imposing stricter contractual requirements on data processors – mandatory ISO certifications are not uncommon – and indemnity clauses are becoming increasingly onerous on data processors. To make matters worse, there is more scrutiny on subprocessors – the vendors that the data processor uses – to be fully compliant with data protection regulations and adhere to the same terms of the underlying contract between the data controller and data processor.

Our data protection lawyers based in Paris have significant experience with implementing Binding Corporate Rules (BCRs). It’s important to keep in mind that the regulatory review and approval process can take several years, and the estimated budget can be significant. This is why our firm often recommends adopting standard contractual clauses (SCCs) or other mechanisms such as adhering to the EU-US Data Privacy Framework as interim measures while the BCR application is being reviewed and processed. Once approved, BCRs can be a genuine market differentiator since they are viewed as the gold standard of compliance with data protection regulations and intragroup cross-border data transfers.