Anna Cardillo

Partner

Anna advises companies and public authorities on data protection and information security law. Her particular focus is on the review of digital service providers and supply chains, especially processors and their subcontractors – including in the context of new regulatory requirements such as NIS2 and the Cyber Resilience Act. As a long-standing external Data Protection Officer, Anna combines strategic advice with extensive practical implementation experience. The German newspaper WirtschaftsWoche has repeatedly recognized her as a Top Lawyer for Data Protection Law (2023, 2024, 2025); she was also recommended in the F.A.Z. Institute’s “Top Lawyers 2026” ranking for IT law.

Languages
  • German
  • English
  • Turkish

Anna is a trusted advisor to companies and public authorities on data protection and information security law. She specializes in strategic advice, conflict resolution and digital transformation, earning recognition as a Top Lawyer for Data Protection Law by WirtschaftsWoche in 2023 and 2024.

Additional Qualification

  • Business Coach
  • Data Protection Auditor
  • Data Protection Officer
  • Consultant for Data Protection Management Systems

Vita (short)

  • Law studies at the University of Hamburg, Germany, completed with the first state examination (Erstes Staatsexamen)
  • Member of the management board of a Hamburg-based property developer
  • Legal clerkship in Hamburg
  • Admitted to the bar in 2003 and practicing as a lawyer since then
  • Managing partner of PrivCom Datenschutz GmbH in Hamburg
  • Certificate in Specialist Lawyer Course in Information Technology Law
  • In 2018, founding of Anna Cardillo Management Consulting in Berlin, which provides external data protection officers and external data protection managers, supports the implementation of data protection management systems, coaches and trains data protection officers, conducts data protection audits and organises data protection training courses

Focus

Anna has been advising companies and public authorities on data protection, IT and information security law since 2006. Her work focuses on strategic advice at the intersection of law, technology and organizational structures.

A particular focus of her work is the review of service providers and digital supply chains, especially processors and their subcontractors. Anna supports companies in the legal and organizational safeguarding of complex IT service structures – from contract drafting and audit processes to the implementation of regulatory requirements. This topic is becoming increasingly important, particularly due to current developments in data protection enforcement practice and case law, as well as new regulatory requirements arising from NIS2, the Cyber Resilience Act and other European digital regulations.

Through her many years of experience as an external Data Protection Officer, Anna has extensive practical expertise in organizing and implementing data protection and information security structures within companies. This perspective enables her not only to assess the requirements from a legal standpoint, but also to design pragmatic and operationally feasible solutions.

Anna also supports organizations in implementing and governing digital processes, integrating data protection and information security into corporate structures, and managing conflict and crisis situations. Clients value her ability to combine legal requirements with business and technical realities.

She has many years of leadership experience, a strong entrepreneurial perspective, and additional training as a business coach.

Anna is a regular speaker, podcast and interview guest, and publishes in legal journals, commentaries and handbooks, particularly on topics at the intersection of information security, data protection and digital regulation.

She advises clients in German, English and Turkish.

Anna was recognized by WirtschaftsWoche as a Top Lawyer for Data Protection Law in 2023 and 2024. She was also recommended in the “Top Lawyers 2026” ranking by the F.A.Z. Institute, which is based on a comprehensive analysis of client feedback and peer recommendations.

Publications (excerpt)

2025

A Procedural Model for Generic Data Protection Impact Assessments (DPIAs) in the Context of Employee Monitoring, DuD – Datenschutz und Datensicherheit, 2025, 468–473 (co-authorship with Martin Rost)

2025

“Monitoring in the Shadows? Commentary and Practical Report”, Datenschutz-Berater, 2025, 13–16

2024

in: Auer-Reinsdorff/Conrad (eds.), C.H. Beck Verlag, Handbuch IT- und Datenschutzrecht, 4th ed., in the process of publication (publication in German language; co-authorship)

2024

Data protection control of suppliers | ISO/IEC 27001 certificate – errors and chances, in: Sowa (ed.), Springer Fachmedien, IT-Prüfung, Datenschutzmanagement und KI-Audit. Neue Ansätze für die Arbeit der IT-Revision, in the process of publication (publication in German language; co-authorship)

2024

The SDM Cube for Legal Practitioners, DuD – Datenschutz und Datensicherheit, 2024, 646–650 (co-authorship with Martin Rost)

2023

Coordinated investigation on position and tasks of DPOs, Datenschutz-Berater, 2023, 142-145 (publication in German language; co-authorship with Guido Hansch, Wolfgang Lehna and Heiko Markus Roth)

2021

ISO/IEC 27001 certificate: How can processors score with controllers?, Datenschutz-Berater 2021, 38-41 (publication in German language; co-authorship with Andreas Bethke)

2021

ICO fine against Marriott: PCI DSS and still not safe?, Datenschutz-Berater, 2021, 104-107 (publication in German language; co-authorship with Manuel Atug)

2021

The “non-negotiable” main body of ISO/IEC 27001 and its meaning for data protection, Datenschutz-Berater 2020, 273-276 (publication in German language; co-authorship with Andreas Bethke)

2020

ISO/IEC 27001 certificate: Sufficient guarantees of the processor within the meaning of Art. 28 para. 1 of the GDPR?, Datenschutz-Berater 2020, 200-202 (publication in German language)

2017

Guidelines 10010 for the structured data protection management, VdS Schadenverhütung GmbH, 2017, Verlag (publication in German language; co-authorship)

Talks (excerpt)

2024

Data Protection Conference Düsseldorf (Data Protection Advisor) 2024: Security? Absent! How Data Processors Fail to Provide Proof

2024

German Lawyers’ Day: Employee Data Protection and International Data Transfers in Corporations

2024

BvD Autumn Conference: Legitimacy of Logging – A Look at Data Protection in IT

2023

12th Frankfurt IT Law Day: Information Protection Act and the implications for data protection law

Interviews / Podcasts

Lectureship

University of Bamberg, at the Chair of Privacy and Security in Information Systems (Data Protection Module)