Costin Sandu



Costin joined our SAA team as Counsel in the TMT and Data Privacy departments, adding innovative perspective to our firm.

With more than 17 years of experience, Costin specialises in tech law and compliance work, particularly in data protection and cybersecurity. His professional background also includes banking and finance, financial services regulatory and compliance and corporate and M&A. 

Before joining SAA, Costin led the data protection department of one of the first international law firms on the Romanian market. Prior to that, he was a member of the banking and finance groups at several prestigious international law firms in Bucharest.

Costin regularly assists clients on all aspects of data protection and cybersecurity compliance and risk mitigation, ranging from gap assessment reviews and advice on implementation actions to complex risk and impact assessments, security incidents or data sharing structures. He also advises clients on Tech projects on matters such as IT contracts, use of trust services, remote identification, or regulatory matters. Building on his banking regulatory background, Costin has a focus on compliance and tech law work in the financial services area.

His extensive experience includes assisting both local and international clients in various industries such as energy, banking, retail, FMCG.

Costin has been a member of the Bucharest Bar since 2005.



Romanian – English – French



2020 – Certified trainer (Ministry of Labour)

2005 – Master’s in Law (LL.M./ D.E.A.)

Université Montesquieu Bordeaux IV

2004 – Bachelor of Laws (LL.B.)

Faculty of Law, Bucharest University

2004 – Bachelor of Laws (LL.B.)

Université Paris 1 Panthéon – Sorbonne, Collège Juridique Franco-Roumain



  • Coordinated and conducted gap assessment reviews and implementation of data protection and e-privacy requirements and related assistance to clients;
  • Provided seamless assistance to clients on Networks and Information Systems legislation cybersecurity requirements;
  • Assisted clients in relation to data processing agreements, data sharing and transfer structures;
  • Advised an international energy group on data protection and cybersecurity compliance and risk matters;
  • Advised a major Romanian bank on contracts for cloud computing services and software licensing from data protection, financial regulatory, and cybersecurity perspectives;
  • Advised a Romanian infrastructure company in relation to a bank fraud and related security incident;
  • Advised international groups in relation to group data sharing structures involving transfer of personal data outside the European Union;
  • Advised clients on various tech matters such as use of electronic signatures, mobile banking, e-commerce, cloud computing services, IT contracts,
  • Advised local clients on current data protection matters such as managing data subjects’ requests, legitimate interest and data protection impact assessments, privacy notices, data processing agreements, data sharing structures;
  • Acted as external data protection officer;
  • Assisted clients on data breaches and security incident initial assessment, notification and management;
  • Assisted clients with third-party risk assessments and operational audits from a data protection and information security perspective;
  • Prepared and delivered trainings on data protection and cybersecurity matters for clients. 



one herastrau office

30-32 Daniel Danielopolu Street, One Herastrau Office, 6th Floor, Bucharest, 014134, Romania

Phone: +40 (21) 316 87 49

Fax: +40 (21) 316 87 56


09:00 – 19:00



Digital Park, 15A Mihai Viteazul Street, 6th Floor, Chisinau, MD2004, The Republic of Moldova

Phone: +373 (22) 994 990; +373 (22) 009 109

09:00 – 19:00