GDPR Hub
Our Experience

Our team leader is Associate Professor Dr. Grigoris Lazarakos

Since September 2016 Grigoris and his team have completed, or are in the process of completing, a wide variety of GDPR compliance projects for:
  1. The National Center For Scientific Research – “Demokritos”
  2. The Hellenic Association of Independent Schools and through it, 55 private schools
  3. Six Major Insurance Companies in Greece
  4. Two shipping companies
  5. A company providing training programs to Seamen
  6. A multinational mass media and entertainment network of studios specializing in filmed entertainment
  7. An international and a Greek pharmaceutical company
  8. A corporation managing major shopping centers
  9. A Major Airline Company in Greece
  10. A Greek Systemic Bank
  11. A major Greek news - broadcasting website
  12. A major Greek company organizing and conducting games of chance
  13. An e-health company
  14. A retail company
  15. Two Leasing Companies
  16. A factoring company
  17. A mutual fund management company
  18. A Greek credit servicing company
  19. An insurance expert company
Compliance - Steps
  • Processing data in a transparent manner - Principle of transparency (Art. 5(1)(a), Recital 39 GDPR)

    It must be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed. Information relating to such processing (including the identity of the controller and the purposes of the processing) must be easily accessible and easy to understand, and provided in clear and plain language.

  • Creating and keeping records of processing activities (Art. 30 GDPR)

    This obligation applies to controllers, joint controllers and processors (and, where applicable, their representatives). The record must contain all the information listed in Art. 30 (for controllers: purposes, categories of data subjects and data, recipients, transfers to third countries, retention periods and a general description of the security measures), so the exercise should be performed thoroughly. Note that the exemption in Art. 30(5) for enterprises with fewer than 250 employees does not apply where the processing is likely to result in a risk to data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions; in practice few organisations fall fully outside the obligation.

  • Implementing appropriate technical and organisational measures depending on the risk of the processing activities (Art. 5, 25 and 32 GDPR)

    Processing must always be performed in a manner that ensures protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The measures must ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. Art. 32 names, as examples, pseudonymisation and encryption, the ability to ensure ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability after an incident, and a process for regularly testing and evaluating the effectiveness of the measures.

  • Data protection by design and by default (Art. 25 GDPR)

    Technical and organisational measures must be built in from the design stage of each processing operation, and not retrofitted, so as to afford the best possible protection. By default, only the personal data necessary for each specific purpose may be processed; this applies to the amount of data collected, the extent of the processing, the retention period and the accessibility of the data.

  • Data protection impact assessment (Art. 35, 36 GDPR)

    Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. Where the DPIA indicates that the processing would result in a high risk in the absence of mitigating measures, the controller must consult the supervisory authority before starting the processing.

  • Appointing a DPO, if necessary (Art. 37-39 GDPR)

    A DPO must be appointed by the controller and the processor when:

    1. the processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
    2. the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
    3. the core activities consist of processing on a large scale of special categories of data (Art. 9) or of data relating to criminal convictions and offences (Art. 10).
  • Notifying the DPA and data subjects in case of a data breach (Art. 33, 34 GDPR)

    The controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; where the notification is late, the reasons for the delay must be given. The notification must describe the nature of the breach (including, where possible, the categories and approximate number of data subjects and records concerned), name the DPO or other contact point, describe the likely consequences and the measures taken or proposed. A processor must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk, the controller must also communicate it to the affected data subjects without undue delay (Art. 34).

  • Supervising processors (Art. 4(8), Art. 28, 29 GDPR)

Our Services - What We Offer
  • Data Mapping

    Mapping the personal data environment is the first essential operational phase of a structured and efficient data protection compliance strategy and is a prerequisite for the subsequent Gap Analysis phase. We use a planned and structured approach to review a company's existing data map (or build one from scratch) by identifying, understanding and mapping the company's business units, processes, data types and flows, IT systems, and the key players and stakeholders involved in the data processing activities.

    The key objective is to confirm that the company's personal data register meets the requirements of Art. 30 GDPR.

  • Gap Analysis

    We perform a maturity assessment, reviewing the current situation against the requirements of the General Data Protection Regulation (EU) 2016/679 and the client's own requirements, in order to identify the main gaps the company needs to address in order to comply with the GDPR.

    During this phase we identify, through workshops, the GDPR requirements applicable to each of the company's data processing areas. In doing so we obtain an understanding of existing privacy-related processes and assets (processes, technology and premises), identify the risks and recommend areas of improvement. These activities give the company a clearer picture of the control domains and business processes that require improvement.

  • Implementation

    We check and adjust any existing action plan developed by the company or organisation, or we undertake the implementation of specific GDPR compliance measures ourselves. For example, we draft data privacy and data processing policies, information notices (for website users, employees, vendors etc.), and contracts between controllers and processors or between joint controllers.

  • Drafting DPIAs and PIAs

    • In liaison with the company's DPO we assess whether the processing is likely to result in a high risk to the rights and freedoms of natural persons. If so, we carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. During this exercise we liaise with the Greek DPA as necessary.
    • We also support processors and developers in carrying out PIAs. The purpose of a PIA is to inform the controller about the aspects of a product that relate to personal data.
  • DPO Services or DPO Support

    • When performing DPO services we assist our clients in remaining compliant with the GDPR. The DPO remains easily accessible and acts as the point of contact for the authorities and the data subjects, as well as for all departments of the company and its personnel. The DPO is involved in the various data processing activities whilst acting independently and reports to the highest management level.
    • Alternatively, we offer support and advice to the company's own DPO in the exercise of his or her duties.
  • Legal Support in Case of Data Breach

    We offer hands-on advice on the actions to be taken in case of a breach, provided that we are instructed in time to meet the 72-hour notification deadline.

  • Representation before the Greek DPA and Courts of all Instances

    We represent our clients before the Greek DPA and courts of all instances on any data protection issue that may arise in the context of the processing of data by enterprises.

  • EuroPriSe Seal

    As our team leader is a legal expert (CEPE L PS) at European Privacy Seal GmbH (EuroPriSe), a leading certification body in Europe, we are in a position to contribute, in this capacity, to the certification of IT products and IT-based services offered by manufacturers and vendors. The procedure consists of an evaluation of the product or service and a validation of the evaluation report. In the near future we will also be in a position to offer website privacy certification, which is awarded to websites that comply with EU data protection law and meet all of EuroPriSe's data protection requirements.