
GDPR-compliant AND tracking-effective.

Data protection isn't "deactivate everything". I build consent setups that are legally sound while staying tracking-capable — with documentation that passes any data-protection audit.

Legally sound

ECJ/BGH-compliant, without dark patterns. A cookie banner that passes BfDI and state-authority inspections.

Tracking-capable

Consent Mode v2 + server-side, so performance tracking uses consented data correctly.

Audit-ready

Cookie inventory, processor-agreement list, TOM documentation, RoPA entries. What an authority wants to see is there.

What you can book

Six building blocks, individually or as a package

Audit first — cookies are often just the tip of the iceberg. Data flows, processor agreements and RoPA are the depth.

Compliance audit

Cookie scan, data-flow map, processor-agreement inventory, privacy-policy check, Consent Mode status.

Cookie banner setup

Cookiebot, Usercentrics or Klaro. ECJ-compliant, without dark patterns, with granular control.

Consent Mode v2

Google Consent Mode v2 with correct default states, so that server-side tracking forwards consented data.

DPA / SCC documentation

List of all processors, DPA templates, SCC modules for US data transfers. RoPA entries.

Privacy policy

Tool descriptions, legal bases, retention periods. In collaboration with your DPO or lawyer.

Pre-audit for authorities

Preparation for state-authority and BfDI inspections. Documentation folder, response templates, escalation path.

How do we differ?

Three ways to buy GDPR compliance

Data-protection lawyer, compliance tool or senior operator with a tracking understanding.

| | Data-protection lawyer (Classic legal advice) | Compliance tool (Cookiebot direct, OneTrust) | Truong Suarez (Compliance + tracking reality) |
| --- | --- | --- | --- |
| Tracking understanding | Rarely deeply technical | Tool defaults, often over-restrictive | Server-side + consent + performance thought through together |
| Documentation depth | Very strongly legal | Cookie inventory automatic | Hybrid: cookie inventory + DPA list + RoPA + tracking docs |
| Model | Hourly rates €200–400 | Tool subscription + setup costs | Fixed-price audit + implementation |
| Best phase | Concrete disputes, authority proceedings | Setup for smaller websites | Performance stack with audit prep, EU-only migration |
| Connection to marketing | Rarely | Not in scope | Consent setup accounts for CAPI, server-side, marketing tools |

Comparison based on publicly available information, as of 2026. If your situation would be better served elsewhere, I'll tell you so in the intro call.

How we work

Five phases, one point of contact

Compliance audit + documentation + setup — with a lawyer brought in for specialised legal questions.

01 · Week 1–2

Audit

Cookie scan, processor-agreement inventory, data flows, banner check. Output: map.

02 · Week 2–3

Consent setup

Cookiebot/Usercentrics, Consent Mode v2, default states, banner layout.

03 · Week 3–4

Documentation

DPA list, RoPA, cookie inventory, privacy-policy update.

04 · Week 4–5

Tracking integration

Connecting server-side, CAPI and the Events API with Consent Mode v2.

05 · quarterly

Refresh

Repeating the cookie scan, capturing new processor agreements, incorporating legal updates.

Stack

What we work with

No black-box tools. Everything we use, you can run yourself — if you want to.

Cookie banner

  • Cookiebot
  • Usercentrics
  • Klaro (open source)
  • CookieYes (budget alternative)

Scan / analysis

  • Cookiebot scanner
  • WebbKoll
  • Manual browser audit
  • Data-flow mapping

Documentation

  • Notion (RoPA, DPA list)
  • Markdown templates
  • Loom (explanations for DPO)
  • Trello / Linear (workflow)

Lawyer interface

  • Partner law firms
  • Templates for RoPA, TOMs
  • Standard DPA texts
  • Escalation protocols

Recommended entry point

Two paths, depending on where you stand

A quick check for the banner or a complete compliance refresh — the depth follows your status.

For you if

Cookie banner + tracking connection

You have a banner but don't know whether it runs cleanly. Tracking data may be distributed wrongly — too much or too little.

€890 fixed price

5–7 days · report + 30-min call

Starter Audit / Tracking

  • Cookie scan & banner check
  • Consent Mode v2 status
  • Top 3 compliance risks
  • Quick-wins list
Deeper plan

For you if

Cleaning up complete governance

Ahead of an authority inspection, an internal audit, or simply to put an end to sprawl. Cookie + DPA + RoPA + documentation.

€1,290 fixed price

7–10 days · report + 60-min call

Core Audit / Inventory

  • Complete cookie inventory
  • DPA inventory map + gaps
  • RoPA entries draft
  • Authority-inspection preparation

Not sure? The symptom triage on the audits page helps you choose. The audit fee is credited toward a follow-up project.

When this becomes relevant

Typical starting points

Three recurring situations where consent & governance is the right tool.

FAQ

What clients often ask before the first collaboration

Cookiebot or Usercentrics?

Cookiebot is the standard for SMEs — simple setup, automatic scanner, low cost. Usercentrics goes deeper (enterprise, multi-brand, A/B banner tests) but is more expensive. Klaro is the open-source option for privacy-conscious teams that want to avoid SaaS lock-in.

What does the BFSG change for consent banners?

Banners must be WCAG 2.2 AA compliant: contrast, keyboard navigation, screen-reader support. Cookiebot and Usercentrics ship this, but it must be configured. We check this explicitly in the audit, because many standard setups miss the accessibility requirements.

What to do about an authority request?

We deliver a documentation bundle (cookie inventory + DPA list + RoPA entry) that answers most questions. For legal correspondence we bring in a lawyer from our network — we don't provide legal advice, but we know the documentation requirements very precisely.

Cloud Act and US tools — what is safe?

EU-only tools (Cookiebot DK, Usercentrics DE, Klaro, Plausible, Matomo) are fully safe. US tools with EU hosting (HubSpot, Klaviyo, Salesforce) are usable with a DPA + SCC + transfer-impact assessment. For especially sensitive data (health, finance) we recommend an EU stack.

Can I book just documentation without banner setup?

Yes. Some clients already have the banner but need a DPA list, RoPA entries or a privacy-policy update. That runs as a separate module within the Core Audit. We don't do banner configuration without documentation — being audit-ready needs both.

Contact

Let's talk

Three paths — depending on where you are.