Data Sharing for a Pharma Company


We were contacted by an EU-based pharmaceutical company with several subsidiaries in the Balkans region.

For HR purposes, the holding company and its subsidiaries share employee personal data. Besides this, the group shares sensitive personal data including information from medical trials.

The client wanted to be sure these data transfers were compliant with local regulation, as well as with the GDPR.


All existing data transfers between companies were assessed. The client was provided with an Art. 28 Data Sharing Agreement, which was signed by all companies involved in cross-border transfers of personal data.

In addition, we updated existing data protection policies or drafted new ones for the client: HR Privacy Policy, Data Retention Policy, Data Access Policy, Information Security Policy, and the Data Breach Notification Procedure.


All internal and external data transfers were assessed to comply with Articles 44-50 GDPR.

Data Sharing

To clarify controller/processor obligations, an Article 28 Data Sharing Agreement was drafted.


A set of policies was drafted for this client to complement the already existing legal framework.

Data Breach

A data breach notification procedure was created to address the Article 33 GDPR requirements.
