Data Protection Officer & Representative Services

Contact person for Data Subjects Access Requests (SAR)

Data Subjects have the right to make a Subject Access Request (SAR) under the GDPR if a company uses or holds their Personal Data. Our team of Privacy Professionals can support you on this and help you set a process on how to deal with such SARs. Additionally, we can train your employees that need to handle such SARs.

Contact person for the communication with the Supervisory Authority

Our team serves as main contact for the Supervisory Authority. For instance, regarding the notification of a Data Protection Officer (DPO) designation or a Data Breach notification that needs to be carried out without undue delay or 72 hours at the latest. It is also possible that the Supervisory Authority approaches your company with inquiries. Our expert team will be happy to get involved and answer them for you.
Being familiar with the specific requirements of each country, our Privacy Professionals can determine the Supervisory Authority for your company and carry out necessary notifications at short notice.

Data Protection Audits and Reports

Our Privacy Professionals can conduct Data Protection Audits for your company in order to define your company’s status on Data Protection and to fulfil the requirements of the GDPR where necessary. The audits are conducted either on-site at your company or remotely through questionnaires. The audit results could be stated in a Data Protection Report that depicts the status quo and the required measures in order to achieve compliance with Data Protection laws.

Data Protection Officer for a group of companies (Group DPO)

The GDPR grants groups of companies the possibility to appoint a single Data Protection Officer (DPO) either for all or for some of the legal entities of a group. Alongside our regular DPO services, our Privacy Professionals can support you, for example, as an external group DPO regarding the implementation of corporate Data Protection procedures and help define a global Data Protection organization within your company. Our team can support your company, for example, with regard to a global Data Breach management, the implementation of new IT-systems or by drafting Binding Corporate Rules.

Representative of Controllers or Processors not established in the EU

The GDPR is not only applicable to companies based in the European Union. In several cases, the GDPR requires that the Controller/Processor based outside the Union designates a Representative in the EU. This is may be the case either if the company is offering goods to Data Subjects in the EU or if behaviour of Data Subjects within the EU is monitored.
We evaluate whether an EU Representative is necessary for your company according to the GDPR or not. If this applies to you, we are happy to be your company’s Representative in the EU. This means, that we also serve as an additional contact person for the Supervisory Authorities and Data Subjects in the EU.

Specific Data Protection Services

Customised Data Protection Strategies

Our experts support you on developing and implementing a specific Data Protection Strategy customised to your organization’s needs and creating a comprehensive Data Protection Concept.

Data Processing and Intra Group Agreements

Data Processing Agreements (DPAs), Art. 28 GDPR, can play a decisive role when working with External Service Providers. We can not only support you in the revision and adaptation of your existing contracts, but also provide you with our comprehensive templates to meet the requirements of the GDPR. In addition, we monitor all national specifics to ensure you are perfectly prepared in terms of Data Protection. Apart from arrangements with External Service Providers, you might also need to set agreements for the sharing of Personal Data within your group of companies. To be compliant with all Data Protection Requirements, we can either evaluate and adjust your current Intra Group Agreements or provide you with our customized templates.

Data Protection Impact Assessment (DPIA)

According to Art. 35 GDPR, your organization, as a Controller, shall carry out a Data Protection Impact Assessment where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. With over a decade of experience in Data Protection and Privacy, our Privacy Professionals can fully support you on meeting this obligation. In addition, we can also train your employees in order to be able to decide when and how a DPIA should be conducted. Furthermore, we can provide you with a comprehensive template for carrying out such an assessment.

Data Protection Policies and Guidelines

Our Privacy Professionals can review your existing documents and adapt them to both the GDPR and country specific regulations. On the other hand, we can provide you with various customised templates, for instance: Guidelines for maintaining Data Subject Requests (SARs), Privacy Policies or Guidelines regarding information obligations. You have the choice of purchasing only certain templates or an individual combined package, depending on the needs of your business or organization.

ePrivacy Regulation Guidance

The so-called upcoming ePrivacy Regulation has the aim to regulate Privacy and Electronic Communication within the European Union. The ePrivacy Regulation will be directly applicable to all EU Member States. Primarily, it will apply to all companies that use online tracking technology, provide a form of online communication service or conduct electronic direct marketing. Our team will be happy to assist your company in the implementation of the ePrivacy Regulation. We focus on what is especially relevant for your company and support you on taking all necessary steps.

International Data Transfer Agreements

Even for small and medium sized enterprises, international data transfers are quite common nowadays. If the GDPR applies to your organization such international transfers may require certain arrangements in case Personal Data will be transferred to so-called third countries outside the EU and EEA. Currently 12 third countries outside the EEA have been subject to the European Commission’s adequacy decision. This means that these countries are recognized for providing an adequate level of Data Protection as defined by the GDPR. As an exemption, in Canada only commercial organizations are covered by the adequacy decision, while US organizations must be registered under the Privacy Shield Framework. KINAST can offer assistance with the registration procedure.

If Personal Data are about to be transferred to third countries that are not subject to such an adequacy decision, the GDPR requires data exporters to ensure an adequate level of Data Protection through appropriate safeguards such as Binding Corporate Rules (BCR) or the use of the European Commission’s approved Standard Contractual Clauses (SCC). As your Privacy Professionals, we can offer you guidance concerning the appropriate measures that safeguard your organization’s data transfers to third countries. For a multinational concern or group of companies, BCRs can be an effective instrument.

Joint Controller Agreements

Where two or more Controllers jointly define the purposes and means of processing, the GDPR refers to them as Joint Controllers (Art. 26 GDPR). In order to fulfil the GDPR requirements, the Controllers must determine their respective responsibilities in a transparent manner. For companies it is often not easy to recognize whether a business relationship represents a Joint Controller- or a Controller-Processor Relationship. Thanks to our extensive experience, we can quickly assess which form applies to you. Either, we can provide you with a suitable template that considers all GDPR presumptions and ensures compliance with the applicable Data Protection Requirements or if you already have a Joint Controller Agreement in place, we will be happy to review and – if necessary – make any mandatory amendments.

Marketing Campaigns

Marketing is one of the fields that include specific considerable Data Protection issues. All marketing actions, including marketing campaigns, customer cards, lotteries, or newsletter refer to customer communication and interaction, which always implies the collection, use and storage of Personal Data. We can help you to set up an effective marketing strategy in a way that is compliant with the applicable Data Protection Laws. We also support you on implementing procedures that ensure a GDPR compliant communication and interaction with (potential) customers.

Monitoring of local Data Protection Legislations

Data Protection legislations are subject to changing circumstances and not all EU countries have yet adopted GDPR implementation laws. Therefore, it is important to keep an eye on current developments. Our Privacy Professionals monitor the development of local Data Protection legislations in countries that are of interest to your company and keep you up to date regarding important changes and potential measures. This also includes the monitoring of opening clauses granted by the GDPR and consideration of local guidelines published by Supervisory Authorities. Through our many years of international experience, we can offer support on Data Protection in almost every country, including Australia, Canada, India, Japan and the USA. As for issues arising from the United Kingdom’s “BREXIT”, we are also happy to clarify any questions that you may have.

Online Presence

Both the European General Data Protection Regulation (GDPR) and the upcoming ePrivacy Regulation set legal requirements for the owner of a website. It is essential to comprehensively inform users about the processing activities on your website in a privacy statement and, if necessary, to have a cookie banner in place or information regarding possible tracking.
Your social media presence also requires special attention in terms of data protection. The GDPR requires your organization to inform (potential) customers and other individuals about the data processing that you perform as a data controller. Furthermore, communicating with or obtaining personal data from (potential) customers via social media is also subject to the GDPR and you may have an information obligation towards the affected individuals.
As for e-commerce activities such as operating an online shop, you need to consider various aspects as well. For example, you have to ensure that you only ask for personal data that is necessary, for example, for setting up a user account or informing credit institutions in order to complete payments.
Our team has experience with these issues and offers comprehensive support on implementing the required processes, drafting documents and applying further necessary measures for your online presence, whether it is for your website, online shop or your organization’s social media account.

Records of Data Processing Activities

The Records of Data Processing Activities (RPAs) are a crucial requirement of the GDPR, but also an essential instrument to guarantee the Data Protection Accountability of your organization. The RPAs serve as an overview of all systems, processing activities and the respective Data and IT-Security measures of your organization. Therefore, it is important to properly create and maintain RPAs , as they can serve as a demonstrating compliance tool. KINAST can provide your organization with useful RPA templates. We can also check your RPAs in order to evaluate whether a Data Protection Impact Assessment (DPIA) may be required.


Our Privacy Professionals can provide on-site services and work directly with you in case you need direct support at your company on a regular basis. We can provide support for Data Protection issues in your daily business or take the lead in terms of project management for the desired timeframe. This could be a certain number of days per week or a full-time support for several months.

Support on Implementation of New Systems

The Implementation of New Systems requires that an organization, already in the planning phase, considers compliance with the Data Protection requirements. Before introducing a new system, it is necessary to take into account privacy by design and privacy by default in order to reduce, where possible, for example, the amount of Personal Data via anonymization and take proper Data and IT-Security measures. Our team has a comprehensive understanding and practical experience of what is required in order to comply with the applicable Data Protection Laws, but we also know about the needs of an agile and efficient organization. Therefore, we support you on developing and facilitating the process for the Implementation of New Systems, improving your Data Protection Accountability and ensuring an effective business continuity.


Our Privacy Professionals have broad practical experience in all business branches, so they are able to support you on setting up a survey that considers the relevant provisions of the GDPR. KINAST Attorneys at Law offers you guidance concerning the information that needs to be given to your customers or employees and assesses how to proceed with the survey in details. In addition, if you use a third party provider in order to conduct the survey, we offer you guidance concerning the relevant data protection contractual issues.


If you are the organizer of or the exhibitor at such an event, you have to consider certain aspects like how to use photos and videos and how to deal with Personal Data of different target groups like customers, suppliers or potential employees. Our Privacy Professionals are able to support you on all of these issues and help you to find the best practice strategy for your tradeshow or your performance at such an event.


We can train your employees in terms of handling Personal Data in their daily business. We offer live or web-based trainings worldwide and we are happy to provide you with some training material.


The European Union (EU) is currently working towards standardised Whistleblowing requirements throughout its Member States. Our team of privacy lawyers can thoroughly support you in creating a safe internal reporting channel and we can adequately inform and train you on how to deal with personal data.

Works Council

Some countries have institutionalised employee representatives, which, for example, have a right of co-determination regarding data protection issues relating to employees.
We can support you on individual topics regarding the Works Council and assist you with the review or draft of Works Council Agreements regarding data protection topics. Considering that Works Councils also process personal data of employees as part of their activities, we can review the existing data protection standards and make recommendations to meet the requirements of the GDPR.

Special Data Protection Products


In the area of Data Security, our Privacy Lawyers work with the Data Security experts of our sister company the dataKonform GmbH, which awards the dataKonform Data Protection Seal® of approval for IT security. We conduct IT-Security Audits to review whether the implemented measures regarding Data Security are in accordance with the technical, organizational and legal requirements of the GDPR. The dataKonform Data Protection Seal® demonstrates compliance with the technical and organizational measures, for example needed in accordance with Art. 28 GDPR.

Data Breach Management Tool

According to Art. 33 (1) GDPR, a Data Breach has to be notified within a period of 72 hours. In order to meet the deadline your company needs an efficient Data Breach Management Tool, which takes into account the specific requirements of the GDPR. We can provide you with a Notification Tool and a Data Breach Management Process that enables you to notify and document Data Breaches electronically. Upon your choice, our Privacy Lawyers and Professionals can then handle the required Data Breach Notification to the competent Data Protection Authority. The Electronic Notification Tool is currently available in German and for German jurisdiction.