IT Law Consulting for StartUps and SMEs

LIBRe Foundation provides organisational and legal counselling to tech startups and established small and medium-sized enterprises on IT Law implementation towards developing the scope of their services and products, including but not limited to: IT systems and applications development, drafting of e-commerce policies, consultations on privacy issues, intellectual property, etc.

The range of consultation topics includes:

e-Commerce and Information Society Services:

(legal) consultations and analyses on the requirements for information society service providers and consumer protection within the scope of the Bulgarian e-Commerce Act;

(legal) consultations and analyses with regard to the rights and obligations of service providers/users when using electronic means of communication;

development of online platforms or software products' terms of use.

e-Payment Instruments:

(legal) consultations on the obligations of payment service providers, requirements for cross-border payments by electronic means, and electronic money;

Smart contracts (legal) consulting.

Intellectual Property:

(legal) consultations on software applications’ copyright and preparation of contracts granting rights of use;

(legal) consultations on copyright and related rights on objects of copyright in the online space (music, movies, e-books) and preparation of contracts granting rights of use;

(legal) consultations on registration of national and EU trademarks;

Consultations on the preparation of audio-visual advertising content in accordance with national and EU legislation.

Personal Data Protection:

(legal) consultations on privacy by design measures for software applications and/or embedded security technologies and access controls for information and resources;

(legal) consultations on the development of privacy policies and personal data protection programs for data controllers, Data Protection Officer as a service, etc.;

consultations on preparation of legal documents and procedures guaranteeing the rights of data subjects, incl. drafting a Code of Conduct under Art. 40 of Regulation 2016/679, privacy policies, policies for using “cookies”, etc.;

development of a comprehensive Data Protection Program for compliance with the General Data Protection Regulation.

Redesign of legal documents in the field of e-Commerce, data protection, etc. using graphical elements that illustrate the content of the document, the rights and obligations of the addressee, and the development of the legal relationship from its emergence through its development to its termination. An alternative version of each document, accessible to the general public, is created so that the corresponding users get a clear picture of the rights and obligations that arise for them.

Legal and organizational analyses for the design, development and implementation of software applications in relation to the regulatory requirements of the respective industry and the applicable requirements of Information Technology Law.

Comprehensive consulting on administrative law and information technology law for software companies working with public institutions. Consultations may include:

provision of oral and written consultations and opinions on e-Government legislation and related issues;

legal, technological and/or organizational research for the preparation of technical offers in public procurement procedures for software developers providing services for administrative bodies at central, district or municipal level;

'as is' analysis of existing administrative processes and services, drafting of recommendations for their improvement, and development of 'to be' (optimized) model of processes and services, including development of unified procedures and corresponding internal rules and documents;

analysis of the prerequisites and preparation of a plan for the integration of information systems into the e-Government infrastructure, including legal audit of existing information systems or those under development, and implementation of specific e-Government legal, organizational, technical and training measures, etc.

More than 30 private organizations have already trusted our expertise. If the services we provide are of interest to you, please contact the LIBRe Foundation team for an individual offer for future cooperation.

Development and implementation of a Data Protection Program

The scope of services towards the development of a Data Protection Program for natural and legal persons processing personal data (with the exception of the activities listed in Art. 2.2 of the General Data Protection Regulation), regardless of the scope of services, field of activity, number of employees, financial turnover and/or number of years on the market, includes:

Initial analysis of the organization’s problems and processing risks and development of an Action plan.

This task involves conducting a kick-off meeting with the management team of the organization subject to compliance, and presenting the main steps towards an effective Data Protection Program and their specifics.

As a result, an Action plan compiling all essential tasks is established, followed by the appointment of a single point of contact on behalf of the client organization. The Action plan includes all interim deadlines (for both parties), including response time in case of questions or specific communication needs, as well as all potentially critical points of the Data Protection Program development.

Data mapping and analysis of data flows.

This task aims at gathering information about the business processes within the client’s organization towards bringing its activities and the activities of its employees in compliance with the Bulgarian and European personal data protection legislation and preparing the internal procedures and documents in accordance with the legal requirements for lawful processing to reduce, counteract or completely eliminate the risks associated with such processing. It includes legal and organizational analyses of the nature, scope, context and purposes of processing personal data by reviewing internal documents and information and providing expert evaluation of: (a) categories of data subjects; (b) categories of personal data processed; (c) processing purposes, including through the organization's technology portfolio and its interrelation with the volumes of information and personal data handled by the organization; and (d) means of processing (description of data repositories, data flows, processes and actors involved, etc.), including internal data flows and interconnections between the client organization and third parties, main establishment, storage limitations, the positions in the organization handling the data or recipients to whom the personal data have been disclosed.

The implementation of this task can be supplemented by a technological audit depending on the activities and capabilities of the client organization.

As a result of this task’s implementation, LIBRe Foundation’s team prepares a report on the analysis carried out, including visualizing the data and/or describing it in a record of processing activities.

The results of this analysis will be at the disposal of the client’s organization to help them obtain detailed information and expert evaluation on: the value of the information at its disposal; the legal, ethical and economic risks to the information security and, in particular, the personal data processed by the organization; and the necessity to undertake specific technical, organizational and legal measures to improve the security of information and the personal data processed by the organization, including evaluating the need to appoint a Data Protection Officer.

Data Protection Impact Assessment (DPIA) – a process of risk assessment of the identified inconsistencies. It is designed to describe the processing activities in a systematic and functional way, assess the needs and the respective proportionality levels, and help manage the risks to the rights and freedoms of individuals arising from the processing of personal data by analyzing and determining the proper measures towards resolving these risks. DPIA is an important tool for the accountability preparedness of the data controller, as it helps not only to comply with the requirements of the General Data Protection Regulation but also to demonstrate that appropriate data protection measures have been taken.

As a result, LIBRe Foundation’s team provides an assessment report, which includes: (a) a list of potential GDPR non-compliances, indicating the most serious risks to be addressed as a matter of priority; (b) a risk assessment plan covering both risks to the rights and freedoms of data subjects (e.g., discrimination, disproportional interference with the right to privacy etc.) and risks to the security of processing, which includes: a description of the objectives of the risk assessment; identifying the appropriate risk assessment methodology; and a description of the risk assessment procedure to be followed; and (c) evaluation of the risks and recommendations for specific mitigation measures, the results of which are documented in the report.

The expert assessment of the organization's activity will provide specific recommendations for organizational and technological measures, incl. security measures to overcome identified risks to the security of the processing.

Development of internal rules and procedures through which the organization will operate in accordance with the applicable legal norms and principles for lawful personal data processing. This comprises two sub-stages: (a) development of a Data Protection Program implementation plan taking into account the specifics of the organization and its activities, which may require the preparation of additional documents and/or procedures; and (b) drafting of the respective documentation required for the management of the Plan.

During the development of the required documentation, we help the client organization to develop a record of processing activities, policies and terms of use for services provided by electronic means, internal instructions and procedures, a data breach policy, internal control procedures, a data protection impact assessment policy and procedures, and action guidelines and procedures guaranteeing that data subjects can exercise their rights, including the right to be forgotten, the right to data portability, etc.

In addition, we develop templates for contracts or contractual clauses for transfers of personal data to non-EU countries and/or redraft existing or develop new subcontracting contracts imposing data protection obligations on data processors working for/with the client organization. This way the client organization aligns its partner relationships with the requirements for lawful personal data processing while, at the same time, guaranteeing the optimal protection of the rights of the individuals whose data are processed.


Data Protection Officer as a Service

GDPR introduces an obligation for data controllers and data processors to designate a Data Protection Officer in a number of personal data processing scenarios.

The need for specific expertise and knowledge of data protection law and practices (both from legal and technological perspectives) implies dedication of serious efforts and financial resources to secure this position as internal to the organization.

The LIBRe Foundation team offers a complete implementation of Data Protection Officer activities as a subscription service based on four key conditions: absence of conflict of interest, independence, confidentiality and observance of professional secrecy. This service may include:

informing and regularly advising the highest management level of the controller or the processor, including their staff (where applicable), with regard to their obligations under GDPR and related provisions at European or national level;

monitoring the compliance with the requirements of GDPR and GDPR-related provisions at European or national level and the controller/processor's privacy policies, including assignment of responsibilities, awareness-raising and training of staff involved in the processing operations and internal audits;

advising and supporting the implementation of data protection programs and procedures for personal data protection, including (if applicable) consulting on related security and information security systems, and introduction of monitoring mechanisms;

advising and supporting the implementation of procedures for internal control, registering and reporting of violations and data protection breaches within the client organization, analyzing the impact of these violations and proposing and/or implementing effective preventive measures;

advising, when required, on the data protection impact assessment and DPIA monitoring processes, upon introducing new or updating existing technological solutions and/or procedures;

advising and supporting the process of administering requests for access to personal data processed about patients/customers, or requests for access to information about patients/customers from external and internal parties, prioritizing the requests and ensuring their effective consideration and fulfilment in due time, in accordance with current legislation and ethical standards, including maintaining the relevant registers;

communicating with partners and the organization's management bodies on personal data protection issues;

cooperating with the national supervisory authority (for Bulgaria this is the Commission for Personal Data Protection) and fulfilling the role of point of contact for the supervisor in matters related to the processing; and

advising on any other issues related to personal data protection.


Drafting a Code of Conduct under Art. 40 of Regulation 2016/679

According to Art. 40 of Regulation 2016/679, Member States, supervisors, the European Data Protection Supervisor and the EC encourage the development of codes of conduct designed to contribute to the correct implementation of the Regulation, taking into account the specificities of the different data processing sectors and the specific needs of micro-enterprises, small and medium-sized enterprises. Adherence by a controller/processor of personal data to an approved code of conduct or an approved certification mechanism may be used as evidence to demonstrate compliance with the relevant legal obligations.

Associations or other bodies representing categories of controllers or processors of personal data are encouraged to draw up codes of conduct within the framework of Regulation 2016/679 in order to facilitate its effective implementation, taking into account the specificities of data processing in certain sectors and the specific needs of enterprises in these areas. In particular, these codes of conduct can establish the parameters of the duties of controllers and processors, taking into account the risk to the rights and freedoms of individuals that is likely to arise from the processing of data.