top of page

Authority inquiry service

If your organization, as a data controller, has previously committed any kind of data protection incident that you are not even aware of, you may be informed based on an official inquiry received from the NAIH. The Authority usually sets a 15-day response deadline for inquiries. 


We will help you during this period!


Your organization may have released data when it shouldn't have, or handled a stakeholder's inquiry improperly, deleted something it shouldn't have, or simply didn't delete the data within the specified time.


Did the authority ask 10-15 questions? Not sure what the right answer is? Not sure if you even have the requested document or record?


We explain which document is what. We will update the documentation taking into account the Authority's request. 


Unfortunately, we cannot undo the possible mistakes made, but if necessary, we can help you avoid collective punishment by involving a data protection lawyer. 


In which we help

  • Providing NAIH data obligation answers

  • We write the answers to NAIH questions 

  • We prepare the necessary protocols 

  • We provide a statement on the legal basis and purpose of data management 

  • We justify the data management activity based on the legitimate interest 

  • We propose corrective measures to prevent this from happening again

Who do we recommend?

To whom

  • the Authority contacted, 

  • received a summons from a lawyer. 

  • as the next step, the complainant indicates the notification to the data protection authority in his complaint. 

Why is it good?

Official fines can be avoided or reduced. If it is a matter of consulting a lawyer, even the report can be avoided. 

Authority attitude

Based on our experience, the Authority specifically evaluates if the Data Controller corrects the error during the investigation following its inquiry, but does not specifically evaluate if the Data Controller passively waits for the authority's decision. 

What should we not do?

When asked, it is not good to approach it in a pock-marked way: DON'T let this be the answer: "but we've always done it this way, there's no question, we can't solve it any other way, it would be an amazing resource..."

Why Gill & Murry?

We have more than 20 years of information security and management experience. We have already participated in several GDPR Authority processes. We have a partner who reported an event to the authority within the deadline, properly justifying the data management activity, and was NOT punished by the authority, only received a warning. 


In addition to responding to official requests for incident management, we also have a lot of experience in full GDPR audits and preparation, and we fill the positions of DPO (Data Protection Officer) and IBF (Information Security Officer) in many organizations.


We can help you avoid and reduce the penalty. 

bottom of page