A&A Capital Group is a family-owned holding company with over 30 years of experience operating across Central and Eastern Europe, with primary operations in Poland. Employing over 100 people across multiple cities, the group maintains a stable market position across multiple industries.
The group's portfolio exceeds 250,000 square meters of commercial real estate and spans 12 distinct business entities across real estate, retail, hospitality, financial services, and cultural sectors.
Business Context: As a diversified holding managing valuable physical assets, financial transactions, and customer data across real estate, retail, hospitality, and financial services, A&A required sophisticated data governance and compliance infrastructure to meet evolving EU regulatory requirements.
A&A's diversified operations created a complex regulatory landscape spanning multiple EU frameworks:
I implemented a comprehensive compliance framework addressing data protection, operational security, and AI readiness across A&A's diversified portfolio.
Multi-Entity Data Mapping
Conducted comprehensive data flow analysis across all subsidiaries, documenting personal data processing activities for 12,000+ active leases and creating unified Records of Processing Activities (ROPA) covering 47 distinct data processing categories.
Privacy by Design Implementation
Established data minimization principles reducing collection fields from 47 to 23, implemented purpose limitation controls, and designed automated data retention schedules with automated purging workflows.
Cybersecurity Architecture Review
Assessed security posture across 14 critical systems, implemented MFA for 89 administrative accounts, RBAC with 12 distinct permission levels, and encryption standards (AES-256 at rest, TLS 1.3 in transit).
Incident Response & Business Continuity
Developed a group-wide incident response plan with 72-hour breach notification procedures per GDPR Article 33 and created business continuity protocols for critical tenant services.
AI System Impact Assessment
Evaluated planned AI initiatives against EU AI Act requirements, classified systems under a risk-based framework, and documented compliance requirements for each category.
Regulatory Monitoring Infrastructure
Implemented ongoing surveillance of EU regulatory developments with quarterly compliance reviews providing advance warning of regulatory changes.
Data Processing Activities
Documented and classified ROPAs across the holding
Security Controls
Implemented technical and organizational measures
Personnel Trained
Employees across all business units
Data Subject Requests
Processed within 30-day SLA (100% on-time)
Regulatory Risk Reduction
Commercial Benefits
Due to the sensitive nature of real estate operations, tenant data, and proprietary business information, I have signed a Non-Disclosure Agreement with A&A Capital Group. The information presented has been carefully reviewed and approved for public disclosure.