No one builds a company to deal with data privacy.
GDPR should help your business move forward, not get in the way.
GDPR is often ignored until it blocks deals or creates legal problems. Missing documentation slows down sales and due diligence.
Weak GDPR setups expose companies to fines, claims, and enforcement in the EU.
But it doesn’t have to be like that.
Your legal partner for EU compliance
Hi, I’m Kolja Strübing, a German-qualified lawyer and data protection officer (DPO) with 5 years of work experience. I specialize in data protection, IT law, and information security.
Let’s Turn GDPR into Something That Actually Works
Below are three GDPR implementation packages, designed to fit different stages of growth and regulatory complexity.
At the beginning, we will determine together which building blocks your company actually needs.
GDPR Foundation
Module A: Scope & Structure
- Final definition of scope (company, products, markets)
- Role clarification: controller vs. processor
- Governance baseline
Module B: Core Documentation
- Record of Processing Activities (core processes)
- Data categories, purposes, recipients
- Focus on real processing activities, not formal completeness
Module C: Vendors & Tools
- Identification of relevant processors
- Classification under Art. 26 / 28 GDPR
- Gap list
Module D: Data Subject Rights Basics
- DSAR intake process
- Responsibility matrix
- Deadlines and workflow definition
Module E: Incident Readiness
- 72-hour breach response process
- Decision tree
- Responsibilities
GDPR Business
Everything from GDPR Foundation and:
Module F: Complete RoPA & Maintenance Process
- RoPA covering support, marketing, HR, and product processes
- Ongoing maintenance process
- Clear ownership per processing activity
Module G: Vendor Contracts
- Review of existing DPAs
- Role clarification with partners
- Actionable recommendations per gap
Module H: International Data Transfers
- Identification of all third-country elements
- Risk classification (high / medium / low)
- Decision framework for SCCs / TIAs
Module I: DPIA Framework
- Threshold analysis logic
- Decision support: “DPIA required or not”
- Full DPIAs optional
Module J: Governance & Documentation
- Data protection concept / policy
- DPO requirement assessment + documentation
- Management readout
GDPR Premium
Everything from GDPR Business and:
Module K: International Transfers Deep Dive
- SCC setup or review
- Transfer Impact Assessments
- Additional legal safeguards
- Binding Corporate Rules optional
Module L: Privacy by Design
- Embedding privacy into decision-making
- Review of products with regard to the principle of privacy by design
- Product and change management processes
Module N: Training & Enablement
- Management briefing
- Training of key teams (e.g. Product, Marketing, Operations)
- Focus on decision-making capability, not legal theory
Module O: Closure & Handover
- Executive summary
- 12-month roadmap
- Optional preparation for DPO onboarding
The regulatory environment around data is changing.
Especially if you work with AI or provide connected products or services.
This is why we need a legal data strategy.
What is a data strategy?
I know this isn’t what you want to hear, but
GDPR no longer stands alone.
Today, data is governed by overlapping rules: GDPR, the EU Data Act, the AI Act, contract law and trade secret protection. They regulate different aspects of the same question: who may access, use, and control data.
Also, they interfere with one another and this interplay should be considered when it comes to data governance. For example, AI systems affect personal data or trade secrets and the same is true for Data Act access requests.
A legal data strategy is the structure that connects these rules in one place and makes them workable in practice.
That is why this site is called datastrategy.law and that’s why I offer additional packages to consider those regulations (the Data Strategy Add Ons).
While you can book each package and module separately, these are not to be considered optional, because compliance with these regulations is required by law.
Data Strategy Add Ons
IT Contract Law
Legal support for software development, cloud, and outsourcing projects:
- IT and SaaS agreements
- Software licensing and development contracts
- General terms and conditions (GTCs)
- Outsourcing and service level agreements
- IT project contracts involving data protection and information security
Data Act
Supporting companies in implementing the EU Data Act and developing transparent, legally sound data structures:
- Analysis of data flows and access rights
- Drafting of data sharing and access agreements
- Governance structures for data access, use, and sharing
- Integration of GDPR, Data Act, the protection of trade secrets, AI Act etc. into a coherent data strategy
AI Law
Advising on the requirements of the AI Act for the use and development of AI systems:
- Classification of AI systems (including high-risk systems)
- Creation of internal policies, risk analyses, and compliance documentation
- Contract drafting in line with AI Act requirements
- Training on legal obligations and accountability in order to obtain AI literacy (Art. 4 AI Act)
But who owns data protection once the project is done?
Once the core structure is in place, data protection becomes an ongoing responsibility.
As an external Data Protection Officer, I take over that role and act as a stable legal point of reference for your company.
This includes:
- Acting as external Data Protection Officer under Art. 37 GDPR
- Ongoing legal support for management, product, and IT teams
- Guidance on data protection decisions in day-to-day operations
- Support in handling data subject requests
- Advice on communication with supervisory authorities
- Targeted data protection training for relevant teams
The goal is not paperwork for its own sake, but continuity:
clear responsibilities, reliable answers, and a compliance setup that actually works over time.
Or maybe you just want to solve one very concrete issue
“Is my website actually GDPR-compliant?”
I review your website with regard to:
- cookies and tracking tools,
- pictures, videos & copyright,
- legal texts, e.g. privacy policy and imprint,
- data protection principles,
- e-commerce law,
- email marketing,
- and the needs in your individual case.
A quick reality check
As a lawyer working with international tech companies and fast-growing startups, I often see the same situation: Teams know they have to “do something about GDPR”; they just don’t know where to start. At the same time, GDPR fines can be up to €20 million or 4 % of the annual turnover, whichever is higher.
The truth is, filling out endless compliance checklists and using pre-made templates won’t get you anywhere if you don’t know what they are for.
What you need is a clear, practical structure that fits your business and scales with it.
If you’re scaling in Europe, now is the right time to build the legal foundation that supports your growth instead of slowing it down.
This looks like:
✍️ Making sure your GDPR setup actually matches how your product and data flows work.
✍️ Reviewing your commercial contracts, data processing agreements, and vendor terms before you expand.
✍️ Setting up a consistent legal framework that keeps your product launch-ready for new markets.
You don’t want to lose a deal or delay an investor meeting because of a missing clause or an outdated privacy setup.
Good legal protection should be clear, practical, and affordable, something that makes your next step easier, not harder.
I help you understand exactly what you need to operate confidently in the European market.
Let’s get in touch