Data Protection & Cybersecurity
Our firm is a pioneer in Greece in data protection and cybersecurity issues and has developed significant expertise in this area for more than two decades. Our practice combines solid knowledge of, and exposure to, cutting-edge privacy issues with a holistic and business-friendly approach to the needs of our clients. Clients include telecom and ICT companies, pharmaceutical and insurance companies, commercial retailers, logistics and transportation firms, as well as education and non-profit organizations.
Our practice group has been involved in state-of-the-art data protection projects, including inter-connected devices, products with AI capabilities, cloud computing, innovative applications and platforms for medical and insurance services, use of biometric methods and identification technology, implementation of monitoring systems in the workplace and automated profiling activities.
Over the years, we have built a close and constructive relationship with the Hellenic Data Protection Authority and have contributed to the formation of the prevailing regulatory approach on several matters.
Our work covers the usual regulatory compliance required under the GDPR and national law, the performance of data protection audits and privacy due diligence exercises and the management of personal data breaches. Our team advises on marketing campaigns, whistle-blowing schemes and internal investigations, handles data protection litigation, conducts privacy impact assessments and offers advice on data retention periods.
In view of the GDPR and the increased challenges surrounding the legitimate bases for data transfers outside the EU, we advise our clients on the key features of the new data protection regime, conduct data mapping exercises and implement the safest mechanisms for trans-border data flows. To that end, our practice has undertaken and successfully completed several full compliance projects. We have also participated in the public consultation process on the domestic GDPR law, with a significant number of our comments included in the statutory provisions.
Also, we frequently advise cloud providers, online shops and other digital service providers on their increased obligations in relation to network and information security arising from the NIS Directive, the PSD2 Directive and other related legislation.
Our firm participates as the exclusive Greek member in EuroCloud, which is a non-profit organization that delivers know-how, legal orientation, quality guidance and best practices on cloud computing and data protection issues. In this context, we frequently contribute to the Cloud Privacy Check (CPC), the largest European information platform whose aim is to provide guidance on data protection issues arising from the use of cloud services throughout the EU (www.cloudprivacycheck.eu).
For example, our firm has recently advised:
- a major cloud provider on its participation in the public consultation process on the new GDPR national law
- UBER on its cybersecurity obligations under the Greek framework incorporating the NIS Directive
- a tech giant on the launch of its new products featuring AI capabilities
- H&M on its marketing campaigns in Greece
- Media Saturn on all data processing operations performed through the company’s website
- Daimler in relation to the launch of its first connected car
- a major insurance company on the use of an app that tracks driving behavior and adjusts the insurance premium
- one of the biggest domain name registrars in Greece on data breach notification obligations arising from data protection and cybersecurity legislation
- Roche Diagnostics on the operation of its eHealth app on patients with heart failure
- Turkish Airlines on the company’s obligation to share PNR with the Greek authorities
- a leading mobile technology company on its value-added services and the processing of subscribers’ data for profiling and data analytics
- L’Oreal in relation to its compliance with the GDPR and the ePrivacy legislation, including advising on promotional and marketing activities to consumers and HCP
- a French pharmaceutical company regarding the commercialization and use by patients of an online digital cognitive therapy
- ERGO in the context of its merger with another insurance company on the gradual transfer of personal data embedded in various and distinct databases
- LafargeHolcim on internal investigations, whistleblowing schemes and transfer of HR personal data to US-based cloud providers
- Stavros Niarchos Foundation on several data protection issues, including the sharing of personal data with other affiliated entities located outside the EU
- the Church of Jesus Christ of Latter-day Saints on the online publication of genealogical records providing access to family history
- Novartis Pharma on its proposed global structure for data transfers
- Aspen by training the local senior management on data protection compliance
- LeasePlan on the performance of marketing activities and the use of credit scoring data of prospective clients
- UPS on background checks, data transfers and secrecy obligations arising from its capacity as a courier provider
- the Graduate Management Admission Council (GMAC) in connection with the personal data of the test-takers of the GMAT exam.