GDPR consulting for IT companies

GDPR consulting for IT companies

How we help IT & C companies protect user data and deliver GDPR compliant solutions


If you have any questions, please contact us!

We are happy to help:

Dan Gurghian

Data protection expert

Project Manager & DPO

For over 4 years we have been offering GDPR compliance services for:

We have complied for our customers:

Some of our customers are IT companies

Why you and your team will enjoy working with us:

Who we are and why choose us?

We are a team of specialists with over 10 years of experience in management, law, and IT. We are a reliable partner with long-term partnerships with over 800 multinational companies, SMEs, and public institutions, who want to comply with the data protection law, privacy, and personal data of employees, customers, collaborators, and who wish to avoid GDPR fines and sanctions.

Conf. Dr. Nicolae Ploiesteanu

Conf Univ Dr Nicolae Ploeșteanu
GDPR Expert – Legal

Hilda Șumălan

GDPR Expert – Legal

Dan Gurghian

GDPR – IT consultant

Anca Suciu

Anca Suciu

GDPR Marketing

Ionel Orza DPO

Ionel Orza

Project Manager-DPO

Ionela Avram

DPO Specialist

Darius Farcas

DPO instructor

Maria Enea


Laurențiu Rîcu

Laurențiu Rîcu
Physical Security Risk Assessment Specialist

Ruxandra Săplăcan - GDPR Specialist

Ruxandra Săplăcan

GDPR Specialist

Our vision: we want to change the mentality about GDPR compliance in Romania, to raise the level of professionalism and to align it with European standards, by offering the highest quality services, with friendship, honesty, integrity and with the pride that we are part of a team of data protection professionals.

Do you develop software or applications?
Here’s what you need to know about GDPR:

Every new or existing software application must be fully GDPR compliant. The GDPR requires IT companies to protect user data and privacy.

Companies that manage the personal data of European users need to build their data protection systems and processes from the design phase onwards, develop and maintain them.

When a company decides to outsource some of its functions (eg IT outsourcing), it remains responsible for the personal data transferred to the outsourcing provider . The only way a company can avoid GDPR liability is to ensure that it cannot access personally identifiable information under any circumstances, which is often impossible in practice.

Good to know: We can help you with Data Processing Agreement (DPA) for Software Development


The seven key principles in GDPR that you need to keep in mind when programming and developing software solutions:

GDPR sets out seven key principles underlying the processing of personal data:

  • Legality, fairness and transparency;
  • Purpose limitations;
  • Minimize data;
  • Accuracy;
  • Storage limitations;
  • Integrity and confidentiality (security);
  • Responsibility.
GDPRcomplete - GDPR principles

Companies need to be able to clearly describe what data they collect, for what purpose, for how long, and who can access it, among other things. It is important that you share relevant documents so that you can prove that the necessary steps for the GDPR have been completed.

We can also help you with this because we have already helped many companies that have developed websites, software platforms and mobile applications.


Although the GDPR does not require companies that collect data from EU citizens to provide their users with automated data management tools, it is in the interest of every company to do so. Without these automated personal data management capabilities, every request related to personal data (e.g. exercising the right to access personal data) should be followed by a lengthy identity verification process to prevent breach of GDPR (e.g. providing this data to others).

What are the key requirements for software applications
which you need to keep in mind:

Pseudonymy by default: Aliases must be created for each person, and the person’s identity data must be stored in a fully partitioned area separate from other user data (for example, personal account information in an application or software platform) .

The right to be forgotten: Every EU citizen has the “right to be forgotten”, which means that, upon request, companies are obliged to give up all personal data related to a certain person. Therefore, your software or database should include tools that allow you to isolate and delete personal data as needed.

Right to be portable: According to this requirement, users must retain the ability to transfer their personal data from one service provider to another service provider. The company must configure the software to allow users to do this.

Mandatory reporting of security incidents involving personal data: The IT company must inform the affected users and the ANSPDCP (National Authority for the Supervision of Personal Data Processing) within 72 hours. Therefore, the IT company needs to detect the incidents in a very short period of time. When developing software or a mobile application, it is generally best to maximize security measures and include a security incident detection and reporting tool that can send notifications to the technical team (in real time if possible).

Design privacy: GDPR requires privacy by default, which means that the software, mobile application, or website must, by default, provide users with the highest level of security and privacy. For example, instead of automatically using a person’s name or email address as their username, the software should provide a completely random username during the account creation process.

Informed consent: Users must be allowed to provide informed consent for the collection and processing of their data. An example of informed consent applies to checkboxes when you sign up for an account on websites, software platforms, and mobile applications. In most cases, checkboxes do not need to be checked by default; the user must check them manually.