Client Outcomes

Case Studies

Engagement details below have company names and identifying information pseudonymised under NDA. The data landscape descriptions, compliance challenges, approaches, and outcomes are accurate representations of the work performed.

Financial Services

Nordfenn Financial AG

~200-person asset management firm, Zurich. DACH-region client base with some EU institutional investors.

Challenge

Nordfenn's data team had built sophisticated analytics infrastructure over four years. When the DPO initiated an Art. 30 ROPA project ahead of a planned FINMA supervision review, they discovered that the technical team's systems and the compliance team's documentation described entirely different data flows. The ROPA covered the documented processes; the actual pipelines processed substantially more data, including client behavioural data that had not been assessed for legal basis.

Qala Approach

Qala instrumented the data pipelines directly — deploying lineage tooling to map actual data flows from source to destination — rather than conducting interviews alone. This produced a technically accurate ROPA within four weeks. A simultaneous gap analysis identified three processing activities requiring either a lawful basis correction or technical remediation before the supervision review.

14 days to technically grounded ROPA first draft
3 processing activities remediated before supervision review
0 findings from FINMA data governance review
Healthcare SaaS

Kestrelmed GmbH

~85-person healthcare SaaS platform, Berlin. Processes patient-adjacent data for hospital and clinic customers across DE, AT, and CH.

Challenge

Kestrelmed was expanding into Switzerland and needed to address FADP compliance alongside existing GDPR obligations. Their DPA template with hospital customers referenced Art. 9 processing by hospitals as controllers — but the template had not been reviewed since the revDSG came into force in September 2023, and contained outdated language that would not satisfy Swiss supervisory authority requirements. Additionally, their sub-processor list was nine months out of date.

Qala Approach

Qala conducted a dual-regime compliance mapping covering GDPR and FADP simultaneously, identifying obligations unique to Swiss law. The DPA template was redesigned to address both regimes with modular clauses for CH-domiciled customers. Sub-processor inventory was rebuilt from technical discovery, producing an accurate register with change notification workflow for enterprise customers.

3 regimes (GDPR, FADP, and ePrivacy) mapped simultaneously
42 sub-processors documented in refreshed register
CH expansion: first Swiss hospital customer signed within 6 weeks of engagement close
Retail eCommerce

Brakevault Commerce

~120-person multi-channel retailer, Bern. Online and physical retail with loyalty programme and email marketing to ~180,000 subscribers.

Challenge

Brakevault received a data subject access request from a customer that they could not fulfil within the 30-day statutory deadline. The investigation revealed that customer data existed across six systems with no consistent identifier — making DSR fulfilment a manual process that one employee was handling ad hoc. Additionally, their cookie consent banner had been identified as non-compliant by a customer's legal team: the "reject all" option was buried two levels into the settings panel.

Qala Approach

Qala prioritised two parallel tracks: a DSR workflow design that allowed repeatable, auditable fulfilment across all six systems; and a cookie consent audit that produced specific design changes to the CMP configuration. Both tracks delivered within a 6-week engagement, with evidence documentation for the customer who had raised the compliance concern.

<5 days average DSR fulfilment time post-workflow implementation
Cookie consent banner redesigned to surface reject option at first layer
6 weeks from engagement start to documented, evidenced remediation

Client names and identifying details are pseudonymised under NDA. Engagement outcomes are accurate representations. Figures reflect scope and duration of specific engagements.

Every engagement reflects your actual situation

We do not apply standard packages or pre-configured audit templates. We assess your data landscape, identify the compliance obligations that apply to it, and scope the work to address the specific gaps — nothing broader, nothing narrower.