Data Protection & Cybersecurity
Data Protection & Cybersecurity
Our firm is a pioneer in Greece in data protection matters and has developed significant expertise in this area for more than two decades. Our practice combines the solid knowledge of and exposure to the cutting-edge privacy issues and a holistic and business-friendly approach to the needs of our privacy clients. Clients include pharmaceutical, telecom and technology companies, insurance companies, commercial retailers, logistics and transportation firms, as well as education and non-profit organizations.
Our firm’s practice group has been involved in the most innovative and complex data protection projects that have taken place in recent years, such as cloud computing, applications and software platforms used by individuals in the context of medical, insurance and other services, connected devices, implementation of biometric methods and identification technology, handling of cyber-attacks, assessment of legality of data analytics and processing of big data, implementation of monitoring mechanisms in the workplace that aim to prevent data breaches and disclosures of confidential information and profiling activities through automated systems.
Over the years, we have built a close, constructive and interactive relationship with the DPA and have contributed in the formation of the prevailing regulatory approach on several matters.
Our work covers the usual regulatory compliance and related authorizations, data protection audits, due diligence on data protection and privacy issues, privacy impact assessments, whistle-blowing schemes and other privacy policies, internal investigations, data processing agreements, data security, data retention obligations, privacy training and related litigation.
In view of the GDPR and the increased challenges of the legitimate bases for data transfers outside the EU, we advise our clients on the key features of new data protection regimes, we conduct due diligence exercises on their databases, and we provide our advice on the safest mechanisms for data transfers.
In this respect, our practice has undertaken and successfully completed a number of GDPR compliance projects, including the GDPR projects of one of the world’s leaders in beauty products, Greek companies active in the pharma industry (pharmaceutical and medical devices companies), cosmetics, shipping and logistics companies, commercial retailers, as well as NGOs. We have, also, actively participated in the public consultation process launched by the Greek Parliament on the data protection law setting out specific rules and derogations on the GDPR.
Our firm participates, as the Greek member, in the Eurocloud, which is a non-profit organization that delivers know-how, legal orientation, quality guidance and best practices on cloud computing and data protection issues. In this respect, we have contributed to the Cloud Privacy Check (CPC), the largest European information platform whose aim is to provide guidance on data protection issues arising from the use of cloud services throughout the EU (www.cloudprivacycheck.eu).
For example, our firm has recently advised:
- a major cloud provider on its participation in the public consultation process on the new data protection law establishing derogations on the GDPR
- Daimler in relation to the connected cars and related data protection and telecom law issues arising from the features of such cars
- a major insurance company on the use of an application operated through smart devices, which enables the calculation of the insurance premium paid by the customers based on their driving behavior
- GlaxoSmithKline on the assessment of the legality of software which collects metadata and emails for the detection of malware infections and unauthorized disclosure of the company’s confidential information
- Microsoft on its data transfer agreements after the invalidation of the Safe-Harbor scheme
- a French pharmaceutical company regarding the commercialization and use by patients of an online digital cognitive therapy
- ERGO in the context of its merger with another major Greek insurance company on issues related to the gradual transfer of personal data embedded in various and distinct databases
- LafargeHolcim as regards its data protection obligations in relation to internal investigations, whistleblowing schemes and transfer of its HR personal data to US-based cloud providers
- L’Oreal, Aspen and TUI on data protection due diligence exercises re compliance of their processing activities with GDPR
- the Church of Jesus Christ of Latter-day Saints, in relation to the online publication of genealogical records so people can research their family history
- Novartis Hellas on data protection obligations relating to the operation of its databases (e.g. HR, IT incidents, HCP)
- Novartis Pharma on its proposed global structure for data transfers
- Mobil on the structure of its global data transfer agreements
- L’Oreal on data protection issues arising from promotional and marketing activities to consumers and HCP
- Aspen Greece by providing training on the data protection compliance to the local senior management
- LeasePlan on the data protection issues that are raised from its marketing activities conducted through Facebook, as well as from the receipt of financial data relating to creditworthiness of prospective clients from companies providing credit-risk data
- UPS on several data protection issues, including background checks, the organisation of their data transfers and its secrecy obligations arising from its capacity as a courier provider in Greece
- the Graduate Management Admission Council (GMAC) in connection with the personal data of the test-takers of the GMAT exam, obtaining the first permit ever granted to an entity other than a bank, authorising the extension of the preservation period of personal data collected by means of a closed television circuit.