from $450/day
EU Privacy Attorneys
State Bar FLC Registered
EU Regulators Registered
Attorney-Client Privilege

"One can find so many pains when the rain is falling" (John Steinbeck)


Virtual Data Protection Officers

Given the approaching May 2018 deadline, an EU-registered virtual DPO is your safest way to implement the GDPR at an affordable cost.

The GDPR gives the possibility to outsource a shared DPO on a service contract basis. That’s what we do: interim, part-time, or on assignment DPO, you can get GDPR compliant from inside your company and know what to look for when you are ready to hire a permanent DPO.

Under Article 37 of the GDPR, the Data Protection Officer provides legal advice on EU data protection law and practices to data controllers and processors. In the United States as well as in the EU, providing legal advice for compensation can legally only be done by licensed attorneys. We fill that need, advising on EU privacy as Foreign Legal Consultants registered with US State bars. Our expertise stems out of 20 years of Data Privacy practice with the 1995 EU Privacy Directive.

Our founder is a licensed European attorney who holds a Master in Laws in EU Privacy & Multimedia Law from the University of Strasbourg (France), home to the European Parliament that voted the GDPR. He also holds a Master degree in Cybersecurity and Data Privacy from Loyola Law School (Los Angeles), and is registered with the French data protection authority CNIL as a “Correspondant Informatique et Liberté” (CNIL registered Data Protection Officer).


We fit around your business needs

– From a few days per month to monthly assignment

– Usually a baseline set of days plus on-demand flexible visits

– On-call the rest of the time should any emergency command your DPO’s presence (such as a data breach)

– Complete immersion into your business from Day One

– Neither too techie nor too legal: the point is to resolve compliance issues with your business at heart first, not to be a GDPR naysayer at every turn

– Onsite visits, remote phone and video conferences, off site document review and reporting

– Both an adviser and a doer, your virtual DPO transforms a data privacy mandate into a customer experience enhancement, orchestrating your transition to GDPR full compliance :

The Data Protection Officer
The Data Protection Officer
STEP 1: Your virtual DPO spends a few days with you and your legal and IT teams to make sure the source and origination of any personal data is identified and documented. He reviews your current privacy notices and analyses them against GDPR.

STEP 2: He develops a Data Inventory of what, where, who, why, when and how your data is held, and collects information about your data processes and procedure, such as how you obtain user consent and how it is recorded and updated. He works with your teams to make sure every department is GDPR-aware (if not yet a privacy advocate). Once you’re almost set, he conducts an independent Privacy impact Assessment (GDPR, Article 33).

STEP 3: He works closely with your business executives and legal team, including outside counsel, to deploy operational privacy changes and procedures in order to implement GDPR new user rights, such as data deletion or modification (right to be forgotten or right to access and modify) or data export (right to request one’s personal data in easily readable format). He suggests GDPR-motivated changes to your incident response plan (or helps you set up one) and runs tabletop exercises against the (unrealistic) 72-hour data breach notification GDPR obligation.

STEP 4: He conducts a set of reporting activities throughout his mission such as monthly operational reviews, GDPR compliance ongoing assessment, periodic personal data mapping and process report. He assures privacy training of your personnel via online video sessions, both live and on-demand for more flexibility. He acts as your lobbyist and first point of contact with the main EU data protection regulators (the French “CNIL”, the UK “ICO”, the German “BDSG”, etc…)

Being an active member of the EU Bar gives your virtual DPO the credibility he needs to facilitate communications with the GDPR watchdogs.
Should they decide to fine you, your virtual DPO can put his attorney hat on and explain how filing a complaint with the administrative courts will push the fines away for many years. At Avocatis, we don’t take the GDPR for granted. We already know how to challenge the GDPR to the maximum extent permitted by law (just like our American peers do with the Amendments to your Constitution and any regulation that needs to be challenged, including Presidential Executive Orders). However, we believe negotiation with the EU regulators should always be a must, and putting an EU lawyer in your DPO corner will certainly smooth things over.

Privacy Impact Assessment

Article 33 of the GDPR requires your Company to perform an assessment of the impact on privacy before personal information is processed. Your virtual DPO provides an independent Privacy Impact Assessment to help you implement an effective personal information processing when handling EU data subjects’ personal information. He or she assesses the collect, process and transfer of your customers’ personal data, reviewing and documenting the information flows, and identifying and mitigating the risks in an assessment report.

Your virtual DPO also develops a Data Inventory with the definition and implementation of processes for consent management of your EU users, the disclosure of stored personal data, the correction of erroneous personal data, the right to be forgotten and the data portability. He also discusses with you what your organisation needs to consider as personally identifiable information, building a Data Flow Map of personal data. His assessment includes recommendations for an incident response plan to data breaches.

Your virtual DPO’s well-executed Privacy Impact Assessment brings certainty and control to the data handling practices of your EU digital activity.

It details the steps you need to take to implement security safeguards and mechanisms necessary to be fully GDPR compliant by May 25, 2018.

EU Privacy Training and Awareness

Following the GDPR requirement for Data Protection Officers to provide “awareness raising and training of staff involved in the processing operations”, your virtual DPO offers flexible training options for your personnel and legal staff to raise their privacy capability and avoid unnecessary business cost with your EU data privacy activities.

The sessions can be completed during business hours or online at home, and include all materials necessary to get a thorough understanding of the GDPR and its impact on your organization.

Your virtual DPO offers you both online and workplace training sessions of 1 hour, 3 hours, or 6 hours, depending on the availability of your staff and executives. This covers the GDPR foundation with an overview of key requirements and compliance activities, including data breach prevention and reporting.

Our DPO services can also include tabletop exercises to stimulate and develop team work on a given set of facts. It will make your company reasonably defensible when a privacy risk situation arises in the European Union after May 25, 2018.


72-Hour Breach Notification

Likely to Affect or Likely to Harm, That Is the Question.

Either the breach of personal information will likely affect any user to any degree of certainty, or it may also harm users. In the first case, the users only must be notified within 72 hours of the discovery of the breach. In case of harmful breach, bring into the 28 EU data protection regulators.

Thanks to the GDPR and the worldwide reach of the internet, you now can tell your Board that you need to keep track not just of our 50 states, DC, Puerto Rico etc., where your Company might have users, but also those who live in Austria, Latvia, Bulgaria, Malta, Lithuania, Croatia, Cyprus, Czech Republic, Denmark, Poland, Estonia, Slovakia, Finland, Romania, Sweden, Greece, Slovenia, Hungary, Netherlands, Portugal, and the usual suspects France, Italy, Belgium, Luxembourg, Germany, Spain, Ireland and, perhaps, United Kingdom if it has not yet Brexited at the time of the breach.

Try to stay away from storing financial data that would trigger the “harm” threshold if breached. If only user ID, email or just IP address are breached you just have to notify your users and none of the EU data watchdogs.


My Data, My Choice

In a nutshell, European nationals control their online destiny giving OPT-IN consent before you can share or transfer to Big Data any of their personal information, whereas people in the U.S. must actively OPT OUT to protect their privacy.

Asking for permission on the Old Continent has always been King. It seems that we lost that mentality when we crossed the Atlantic to populate the burgeoning America with Freedom Lovers.

The Old World Strikes Back!

Over two centuries later, the Silicon Valley comes back to us with the culture of Winners take all your privacy away. We don't have kings anymore (almost...) but comes the new data privacy law in the EU, we want to give you back and help you stay away from trouble with budget-savvy solutions by EU licensed attorneys specialized in privacy and technology EU laws.


Privacy by Design

You will sound smart when droping "Privacy by Design" at your next meeting with your engineers. Unless you're an attorney practicing data privacy for a living, chances are that you never heard of Article 25 of the GDPR that requires your engineers to set privacy at a high level by default.

Your company does not necessarily sell anything online in the EU, but you want to be able to explain to your Board and your Chief Information Officer that "Privacy by Design" simply means to make sure your whole data processing life-cycle complies with the GDPR, from collecting personal information in the EU to share it with Big Data in the US (or elsewhere) for a buck. Our contract DPO will explain to your marketing team why they should start thinking to process personal information only when necessary for a specific purpose. Then everyone can go for that Happy Hour on Friday, refill the drinks, talk Dodgers, Cubs or Cardinals.


Right to Access

By May 25, 2018 your Company needs to thoroughly maintain accurate internal records of all stages of the entire data life-cycle of EU users who are allowed to request access to that data and top correct any errors. Although some software solutions provide some technical support to meet that requirement, our contract Data Protection Officer will be the point-person responsible with the 28 EU privacy watchdogs to meet the GDPR record keeping requirements that involves pulling data activities from many departments and affiliates in the US and abroad.

There is no easy way to deliver such task: the same data may be used in different ways, by different services or departments. HR might receive the personnel information of overseas EU employees via the company's intranet forms, while Finance needs some of that information to process payroll, and Operations to keep track of performances and, say, bonuses. Not to mention how Marketing is trying to monetize that information at all cost...


Right to be Forgotten

The "right to be forgotten" gave rise to a new "right to seek erasure" under the GDPR, where EU online users can request erasure of their personal information under several grounds, including your business interests as a data controller is overridden by the interest or the fundamental right of an EU data subject (think "user") whom personal data needs to be protected.

At this point, your CEO may ask the difference between the Right to be forgotten and the Right to seek erasure. Remember Johnny Depp telling Sometimes it just means, ‘forget about it'? Well, your best educated guess might well be: Sometimes, the Right to seek erasure just means the Right to be forgotten. The GDPR people tried hard to look creative and not to plagiarize the European Court of Justice' legalese.

So ask the difference between the Right to be forgotten and the Right to seek erasure at your next Happy Hour gathering, you'll feel like Johnny Depp and make new C-suite friends!




'Forget about it’ is like if you agree with someone, you know, like Raquel Welch is one great piece of ass, ‘forget about it.’ But then, if you disagree, like a Lincoln is better than a Cadillac? ‘Forget about it!’ You know? But then, it’s also like if something’s the greatest thing in the world, like mingia those peppers, ‘forget about it.’ But it’s also like saying ‘Go to hell!’ too. Like, you know, like ‘Hey Paulie, you got a one inch pecker?’ and Paulie says ‘Forget about it!’ Sometimes it just means, ‘forget about it'. - 'Donnie Brasco' (Johnny Depp) - Sony Pictures


-- The Right to be Forgotten in EU Legalese --

Google Spain v. AEPD, Mario Costeja González - 13 May 2014

"Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question."

An enlightening scene from 'Donnie Brasco' (Sony Pictures)
An enlightening scene from 'Donnie Brasco' (Sony Pictures)



Secured Data Processing

Your Company must demonstrate by May 25, 2018 that it has considered high-quality and reliable technology to monitor its systems for unauthorized access or changes in real time, and/or opted for the anonymisation and encryption of personal data during all transmissions. Our contract Data Protection Officer will make sure these functions are actually occurring, as required by Article 32 of the GDPR:

Article 32 - Security Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.


Right to Data Portability

Last but not least, this is a tough GDPR requirement. Basically, comes May 25, 2018, any EU user can ask you or Google to give him his complete profile, all his personal information accumulated over the years, his surfing habits, his searches, his buying habits, everything, and take that personal data dump to a competitor or a privacy EU attorney... Yes, the GDPR gives EU users the right to get for free their own personal information in a usable format. They can sell it on their own to Big Data, or maybe just frame it in their living room.

To put it in EU legalese, internet users will be able to copy, move or transfer their personal data from one IT environment to another in an easy and safe way, on-demand and for free "without usability issues".

Some people believe this right just concerns the personal information directly communicated by the user in online form. Not true! The Article 29 Working Party (which is the working group born out of the article 29 of the EU 1995 Data Privacy Directive) considers this covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity.


Sanctions by 28 EU Privacy Watchdogs

You have heard by now that the GDPR national authorities may fine your company up to 20 million Euros or 4% of its global annual turnover, whichever is the greatest. Such fines may be imposed independently by each EU data watchdog for the same privacy breach in each country, multiplying the amount of fines by a possible factor of 28 (less the UK Information Commissioner's Office when Brexit is achieved in March 2019).

However, there is no such one-size-fits-all fine in the GDPR. The maximum amount may be reached if your Company breaks the data processing basic principles like disregarding the valid consent requirement to process personal information, or being in contempt of one or more EU member state Data Protection Authorities (DPA). But if the violation is about the "Privacy by design" requirement, the maximum fine is limited to 10 million Euros or 2% of the total worldwide annual turnover, whichever is greater.

Our contract DPOs are EU attorneys who practiced privacy with most EU watchdogs under the 1995 Data Protection Directive. They are best suited to talk to the EU regulators before a first warning or a request letter is issued. If the fines hit the fan, their EU law office will protect your financial interests before the local administrative courts to dispute a DPA's sanction, a process that may take over 10 years to reach a final decision.


+1 213-234-4290