GDPR Article 39(1)(b) requires Data Protection Officers to conduct awareness-raising and training for all staff involved in data processing. Without documented training programs, supervisory authorities treat data breaches as organizational failures — with fines up to €20 million. We deliver practical, role-specific GDPR training that satisfies regulatory requirements and measurably reduces human error.
How to recognize and handle access requests, erasure requests, data portability, and right to object — with practical workflows for each department.
Understanding the six legal bases under GDPR Art. 6, when each applies, and why "legitimate interest" is not a catch-all justification.
The 72-hour notification obligation, how to recognize a breach, internal escalation procedures, and what to report to the supervisory authority.
Valid consent requirements, cookie consent, opt-in vs opt-out, withdrawing consent, and common mistakes that invalidate consent.
When DPIAs are required, the step-by-step methodology, risk evaluation criteria, and how to document and present findings to the DPA.
Transfer mechanisms after Schrems II: adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules, and transfer impact assessments.
Processing health data, biometric data, trade union membership, and other sensitive categories — additional safeguards and explicit consent requirements.
Industry-specific case studies: handling customer data requests in retail, patient data in healthcare, employee monitoring, and marketing campaign compliance.
GDPR applies to every employee who handles personal data — not just the IT or legal department. Different roles need different levels of depth.
Foundation-level awareness: what personal data is, basic handling rules, and how to report concerns.
Employee data processing, recruitment privacy, retention periods, and lawful basis for HR activities.
Consent management, cookie compliance, email marketing rules, profiling restrictions, and social media data.
Privacy by design, data minimization in systems, access controls, encryption, and secure development practices.
Verifying identity for data requests, handling complaints, documenting interactions, and escalation procedures.
Accountability obligations, regulatory risk overview, budget implications, and personal liability under GDPR.
Multiple GDPR articles explicitly or implicitly require documented employee training. Supervisory authorities actively check for training evidence during audits and inspections.
Free 30-minute consultation — assess your training needs, define scope, get a tailored proposal
While GDPR does not explicitly state "all employees must be trained," Article 39(1)(b) requires the DPO to conduct awareness-raising and training for staff involved in processing operations. Since virtually every employee handles some form of personal data (customer records, colleague contact details, HR documents), supervisory authorities expect organization-wide training programs. The Croatian Data Protection Agency (AZOP) regularly requests evidence of conducted training during inspections.
Best practice is annual mandatory training for all employees, with additional sessions when significant regulatory changes occur, when new processing activities are introduced, after a data breach incident, and when new employees join the organization. Supervisory authorities expect documented evidence of regular, ongoing training — not a one-time event.
At minimum: what personal data is and how to recognize it, the lawful bases for processing, data subject rights and how to handle requests, breach identification and internal reporting procedures, data minimization and retention principles, and the specific obligations relevant to each department's role. Advanced training for DPOs and compliance teams should cover DPIAs, international transfers, and regulatory engagement.
Yes. We offer flexible delivery formats: on-site workshops for interactive learning, e-learning modules for scalability and scheduling flexibility, and hybrid approaches combining both. The key requirement is documented attendance, completion tracking, and knowledge assessment — regardless of format. Online formats also support multi-location organizations and remote workers.
Yes. Every participant receives a completion certificate documenting the training content, date, duration, and assessment results. These certificates serve as evidence for supervisory authority inspections and internal audit requirements. We also provide organizations with a comprehensive training report including attendance records and aggregate assessment scores.
Foundation-level awareness training for all employees typically runs 60–90 minutes. Role-specific training (HR, marketing, IT) runs 2–3 hours. Advanced DPO development programs span multiple sessions over several weeks. We recommend shorter, more frequent sessions over long one-time workshops — research shows better knowledge retention with spaced learning approaches.
GDPR Article 39 requires documented employee training. Start with a free consultation to assess your training needs, define the program scope, and get a tailored proposal.