Separate services and prices

Data protection audit (400 – 540 EUR)
The audit gives the state-of-affairs regarding the personal data and the processing of them.
The results are used to compile the necessary documents and conduct training for the staff.

Compiling the register (350 – 650 EUR)

The obligation to keep a personal data register stems from Article 30 of the GDPR. The purpose is to record and keep track of processing activities, incl purposes and retention time.

Compiling the privacy notice (100 – 550 EUR)
A privacy notice is instrumental in order to fulfill the transparency obligation set forth in Articles 13 and 14 of the GDPR. The privacy notice informs your customers and employees about the processing of their personal data and their rights related to it.

Reviewing the relevant contracts (250 – 700 EUR)
According to Article 28 of the GDPR-i the controller must conclude a written agreement with all its processors. The main purpose is to divide the responsibilities between the controller and the processor(s) and set out the conditions for the processor. We compile the controller/processor agreements for you and, if necessary, revise the existing agreements.

Compiling internal rules and guidelines (350 – 600 EUR)
It is necessary in order to comply with Article 25 of the GDPR: the controller has the obligation to implement appropriate technical and organizational measures. The purpose of the internal rules and guidelines is to determine the ways and methods, the security measures, division of tasks and responsibilities between staff members, etc.

Compiling guidelines for data breach response and related training (300 – 400 EUR)

The data breach response guidelines are necessary to comply with Articles 33 and 34 of the GDPR and in certain cases also with Article 8 of the Estonian Cybersecurity Act.


Entry into the Company Register
In Estonia, the name and contact data of the DPO have to be entered into the Company Register. Your customers have the right to address the DPO with their questions regarding the processing of personal data or for exercising their rights under the GDPR and other relevant legislation (e.g. submitting written questions).

Regular review
Article 32 of the GDPR sets forth an obligation to apply appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The purpose of the review is to regularly assess the processes used.

Training of the staff
According to Article 39 (1) of the GDPR, the DPO has to provide regular training of the staff. We provide training over the internet as well as at your premises. A regular training session is at least 2 hours.

Participating in the Data Protection Impact Assessment (DPIA)

If you plan to use new technologies and consider the nature, scope, context and purposes of personal data processing there may be a high risk to the rights and freedoms of physical persons. In such cases the controller must, prior to the processing carry out a DPIA. The obligations are set forth in Article 35 of the GDPR.

According to Article 35 (2) the controller has to use the help of the DPO.

Other obligations set forth by the law

To monitor implementation of the GDPR, other EU or Member State legislation or data protection principles by the controller/processor,  incl division of responsibility, raising of awareness of the staff and training;

liaise with the Data Protection Supervisory Authority in all cases foreseen by the GDPR, incl the prior consultation if the DPIA indicates that processing of personal data would result in a high risk in the absence of measures taken by the controller

On our social media