Anna Cardillo

Partner

Anna is a trusted advisor to companies and public authorities on data protection and information security law. She specializes in strategic advice, conflict resolution and digital transformation, and was recognized as a Top Lawyer for Data Protection Law by Wirtschaftswoche in 2023 and 2024.

Languages

  • German
  • English
  • Turkish

Additional Qualification

  • Business Coach
  • Data Protection Auditor
  • Data Protection Officer
  • Consultant for Data Protection Management Systems

Vita (short)

  • Law studies at the University of Hamburg, Germany, completed with the first state examination (Erstes Staatsexamen)
  • Member of the management board of a Hamburg-based property developer
  • Legal clerkship in Hamburg
  • Admitted to the bar as a lawyer in 2003 and practicing since then
  • Managing partner of PrivCom Datenschutz GmbH in Hamburg
  • Certificate in Specialist Lawyer Course in Information Technology Law
  • In 2018, founding of Anna Cardillo Management Consulting in Berlin, which provides external data protection officers and external data protection managers, supports the implementation of data protection management systems, coaches and trains data protection officers, conducts data protection audits and organises data protection training courses

Focus

  • Anna has been advising companies and public authorities on data protection and information security law since 2006. Her focus is on strategic advice. Anna specialises in resolving conflicts and supporting the implementation and enforcement of digital processes. Clients benefit from Anna’s leadership experience, business orientation and additional training as a business coach. She is a regular speaker, podcast and interview guest and publishes in legal journals, commentaries and handbooks, particularly on topics at the intersection of information security and data protection. She is also a lecturer at the University of Bamberg at the Chair of Privacy and Security in Information Systems. Anna advises clients in German, English and Turkish.
  • In 2023 and 2024, Anna, along with other colleagues, was awarded the title of Top Lawyer for Data Protection Law by a leading German weekly business news magazine (“Wirtschaftswoche”).

Publications (excerpt)

2024

in: Auer-Reinsdorff/Conrad (eds.), C.H. Beck Verlag, Handbuch IT- und Datenschutzrecht, 4th ed., in the process of publication (publication in German language; co-authorship)

2024

Data protection control of suppliers | ISO/IEC 27001 certificate – errors and chances, in: Sowa (ed.), Springer Fachmedien, IT-Prüfung, Datenschutzmanagement und KI-Audit. Neue Ansätze für die Arbeit der IT-Revision, in the process of publication (publication in German language; co-authorship)

2024

SDM-cube for lawyers, DuD 2024, in the process of publication (publication in German language; co-authorship with Martin Rost)

2023

Coordinated investigation on position and tasks of DPOs, Datenschutz-Berater, 2023, 142-145 (publication in German language; co-authorship with Guido Hansch, Wolfgang Lehna and Heiko Markus Roth)

2021

ISO/IEC 27001 certificate: How can processors score with controllers?, Datenschutz-Berater 2021, 38-41 (publication in German language; co-authorship with Andreas Bethke)

2021

ICO fine against Marriott: PCI DSS and still not safe?, Datenschutz-Berater, 2021, 104-107 (publication in German language; co-authorship with Manuel Atug)

2021

The “non-negotiable” main body of ISO/IEC 27001 and its meaning for data protection, Datenschutz-Berater 2020, 273-276 (publication in German language; co-authorship with Andreas Bethke)

2020

ISO/IEC 27001 certificate: Sufficient guarantees of the processor within the meaning of Art. 28 para. 1 of the GDPR?, Datenschutz-Berater 2020, 200-202 (publication in German language)

2017

Guidelines 10010 for the structured data protection management, VdS Schadenverhütung GmbH, 2017, Verlag (publication in German language; co-authorship)

Talks (excerpt)

2024

14th NRW IT Law Day: AI, Data Law, and Interactions with GDPR, organized by the Cologne Lawyers’ Association

2024

Data Protection Conference Düsseldorf (Data Protection Advisor) 2024: Security? Absent! How Data Processors Fail to Provide Proof

2024

German Lawyers’ Day: Employee Data Protection and International Data Transfers in Corporations

2024

BvD Autumn Conference: Legitimacy of Logging – A Look at Data Protection in IT

2023

12th Frankfurt IT Law Day: Information Protection Act and the implications for data protection law

Podcasts / Interviews

2023

Stiftung Datenschutz: Webinar Datenschutz am Mittag, 23.5.2023: “Spannungsfall(e) Datenschutzbeauftragte” – Anna Cardillo and Daniela Will, available at: https://stiftungdatenschutz.org/veranstaltungen/unsere-veranstaltungen-detailansicht/spannungsfall-datenschutzbeauftragte-388

2023

Michael Rohrlich and Marc Oliver Thoma, 12.05.2023: Im Interview Anna Cardillo, available at: https://www.youtube.com/watch?v=afofNLacOqY

2021

Heise Online: Podcast Auslegungssache, episode 33, 26.2.2021: “Datenschutz leben lernen” – Data protection auditor Anna Cardillo helps organisations implement GDPR requirements. She says that in data protection management, the fish often rots from the head, available at: https://www.heise.de/hintergrund/Auslegungssache-33-Datenschutz-leben-lernen-5069736.html

2020

Datenschutz-Guru: Podcast 14.9.2020: “ISO 27001 als Freifahrtschein für Auftragsverarbeiter” – Im Gespräch mit Rechtsanwältin Anna Cardillo, available at: https://podcasts.apple.com/us/podcast/iso-27001-als-freifahrtschein-f%C3%BCr-auftragsverarbeiter/id1034321062?i=1000491147023

Lectureship

University of Bamberg, at the Chair of Privacy and Security in Information Systems (Data Protection Module)