Data Protection (GDPR) Training

Data protection is not only a legal obligation – it is also a matter of trust with your clients, employees, and partners.

Our training programs are designed to provide practical, clear, and applicable guidance for everyday situations involving personal data – from recruitment and HR administration, through sales and marketing, to IT, security, and customer support.

We offer two tailored tracks:

  • GDPR training for managers (executives, HR, DPOs/coordinators, IT/InfoSec, marketing, and sales) and
  • GDPR training for employees (a broad audience).

GDPR training is delivered on-site at your company or online. In addition to tailor-made programs, we regularly host webinars on the Zunic Law Academy page covering focused, deep-dive topics.

Formats: On-site, Online, or Blended

  • On-site (at your premises): workshops with case studies from your practice; optional work directly on your documents (e.g., privacy policy, forms, internal rules).
  • Online (live): equally interactive—moderated discussion, Q&A, mini-quizzes, and polls; ideal for distributed teams and multiple sessions.
  • Blended approach: an introductory in-person module plus shorter online sessions by function (HR, IT, marketing, management).
  • Language: Serbian and/or English.
  • Materials: practical checklists, decision trees, and templates for notifications and internal forms.
  • Proof of attendance: electronic certificate; optional short post-test.
  • Recording and LMS: by arrangement, we can provide a recording/SCORM package for your internal learning platform.

Two Targeted GDPR Training Tracks: Managers and Employees

1) GDPR Training for Managers (executives, HR, DPO/coordinator, IT/InfoSec, marketing, and sales)

Focus on accountability, processes, and demonstrability. We work through scenarios on how to act immediately, which document to prepare, how to communicate, and what must always be recorded.

What managers gain:

  • Confidence in decision-making: standardized steps and timelines across processes.
  • Risk reduction: consistent documentation and clear allocation of roles.
  • Practical tools: “if → then” scripts, checklists, and templates.

Outline topics (examples—the final selection is agreed with the company):

  • Fundamentals and principles: lawfulness, minimization, accuracy, purpose limitation, security, accountability.
  • Roles and responsibilities: controller/processor, joint controllers, subprocessors; who signs what and who is responsible.
  • RoPA and the data lifecycle: records of processing, identifying lawful bases, retention periods, deletion/anonymization.
  • DPIA/LIA in practice: when impact assessments are required, risk criteria, how to run and approve the process.
  • Incidents and data breaches: detection, risk assessment, notifications to authorities and data subjects; decision matrices and message templates.
  • Vendors and contracts (TPRM): DPA clauses, subprocessors, audit rights, information on processing locations, and international transfers.
  • Marketing and cookies: consent vs. legitimate interest, newsletters, remarketing, campaign measurement, banners, and a preference center.
  • HR and internal processes: recruitment, employee files, video surveillance and tool monitoring, BYOD/remote work, access, and logs.
  • IT and security: access control, encryption, logging policy, testing, backup and recovery; cooperation with the InfoSec team.
  • Communication and culture: explaining privacy requirements to teams/vendors/partners; a “privacy champions” network.
  • Industry focuses: e-commerce (checkout, payments), SaaS (telemetry, DevOps), manufacturing (OHS + identification records), finance (standardized partner questionnaires).

Note: topics can be shortened or deepened – for example, “Incidents and breaches” as a two-hour module for IT/InfoSec and the DPO.

2) GDPR Training for Employees

Focus on practical rules, clear examples, and early escalation. Employees receive a roadmap: how to act correctly, whom to contact, and how to document.

What employees gain:

  • Understanding of the rules without legal jargon.
  • Safe channels for questions and reporting (internal contacts and procedures).
  • Quick guides and micro-quizzes for typical situations.

Outline topics (examples – the final selection is agreed with the company):

  • Privacy basics at work: what personal data is, what data may be requested/sent, internal sharing, and the “need-to-know” principle.
  • Email and documents: secure sending, CC vs. BCC, classification, and sharing via cloud tools.
  • Cookies and marketing in everyday work: handling contact lists, events, and newsletters.
  • Remote work and BYOD: home network, devices, passwords, screens and documents in public spaces.
  • Incident – what now? Whom to notify, what never to do, and how to describe the event; examples include phishing and a misdirected recipient.
  • Data subject rights: recognizing requests (access, deletion, objection) and routing them correctly.
  • Confidentiality and social media: posting rules, internal photos, and media relations.

Tailor-Made Corporate Trainings and Public Webinars

  • How to set up RoPA and retention schedules for all teams.
  • DPIA in 20 minutes: when it’s mandatory, how to conduct and approve it.
  • Incidents and breaches: from minute one to closure—checklist and templates.
  • Cookies, banners, and preferences: consent vs. legitimate interest in marketing.
  • DSAR in practice: identification, verification, timelines, exemptions, and clear communication.
  • Vendor due diligence and mandatory DPA clauses; working with subprocessors.
  • HR focus: personnel file, recruitment, monitoring, video surveillance, reference checks.
  • SaaS and telemetry: privacy by design, logs, environments, and test data.

All topics are indicative – the final content is agreed upon with the specific company.

How Typical Training Runs

  1. Quick discovery (30–45 min): we review your processes and internal acts; define the audience (managers vs. employees) and objectives.
  2. Proposed agenda: you receive a proposal of modules and duration; together, we fine-tune priorities and examples.
  3. Delivery: interactive lecture plus casework; in-person or online; parallel sessions for teams if needed.
  4. Q&A and “what-if” scenarios: we address concrete situations from your business, and simulations such as DSAR and incident drills.
  5. Materials and follow-up: checklists, templates, and short summaries; an optional mini-quiz to verify knowledge.
  6. Report and recommendations: what to implement in policies/processes, where the key risks and quick wins are.

Duration, Group Size, and Additional Options

  • Duration: 90 minutes (micro-modules), 3–4 hours (half-day), or 6–7 hours (full-day). A series of modules for different functions is available.
  • Group size: recommended 10–25 participants per session for maximum interaction; for larger groups we propose a webinar format with segmented Q&A.
  • Documentation: we can optionally adapt your policies/forms (notices, DPA, RoPA, incident templates).
  • Evaluation: pre-test/post-test, short satisfaction surveys, and a management report.
  • Confidentiality: standard NDA; examples are anonymized with no confidential data.

Proposed Agendas (Example)

Managers – half-day module

  • Block 1 – Fundamentals, roles, and RoPA (90′)
  • Block 2 – DPIA and incidents (90′)
  • Block 3 – Marketing/cookies or HR focus (60′)
  • Q&A (30′)

Employees – 2 × 90′

  • Module 1 – Everyday rules, email/documents, BYOD/remote, incident “first aid”
  • Module 2 – Data subject rights, channels for questions/reports, social media, and confidentiality

Outcomes for Your Organization

  • Fewer legal and reputational risks through consistent, documented practice.
  • Faster and safer managerial decisions: clear steps and standardized templates.
  • Clear expectations for employees: fewer mistakes and incidents, quicker responses to requests.
  • Compliance and audit-readiness: policies, forms, and records prepared for review.
  • A recognizable privacy mindset throughout the organization.

Next Steps

Please send us:

  1. your industry and team size,
  2. whether you need training for managers, employees, or both,
  3. the preferred format (on-site or online), and
  4. three to five priority topics.

Based on this, we will propose the agenda, duration, and date, together with an indicative offer.

For narrow questions, follow our webinars on the Zunic Law Academy page – or contact us to arrange a tailor-made session exclusively for your team.

Tijana Žunić Marić

Jelena Đukanović

Frequently Asked Questions (FAQ)

Can the training be split by teams?

Yes. We often run separate sessions for HR, IT/InfoSec, marketing/sales, and operations.

Yes. An in-person introduction at headquarters, plus a livestream and additional online sessions for other locations.

For tailor-made trainings, we recommend 10–14 days in advance to allow for material customization.

Yes – that is the essence of the tailor-made approach. We adapt materials and case studies to your sector and risk profile.

Yes, in line with the agreed program – for example, notices, checklists, DSAR/incident forms, and essential DPA clauses.

By agreement, we can provide a recording.