Responsibilities, duties and powers

The Hellenic Data Protection Authority (HDPA) is responsible for supervising the implementation of the provisions of the GDPR (Article 51(1), recital 123), Law 4624/2019 and other regulations concerning the protection of the individual from the processing of personal data (article 9 of Law 4624/2019).

It contributes to the consistent implementation of the GDPR throughout the European Union and to this end it cooperates with the supervisory authorities of the EU Member States and with the Commission (Article 51(2), recital 123 of GDPR; Article 10 of Law 4624/2019). The HDPA represents Greece in the European Data Protection Board (EDPB) and other data protection committees or bodies and cooperates with relevant authorities of third countries and international organisations (Article 50 of the GDPR; Article 10 of Law 4624/2019).

The HDPA is competent to carry out its tasks (Articles 57 of GDPR and 13 of Law 4624/2019) and to exercise the powers conferred on it (Articles 58 of the GDPR and 15 of Law 4624/2019) in its territory (Article 55(1), recital 122, 129 of the GDPR; Article 9 of Law 4624/2019) with complete independence (Article 52, recitals 117-118, 121 of GDPR; Article 11 of Law 4624/2019).

In particular, the HDPA is responsible, inter alia (Article 57 GDPR, Article 13 of Law 4624/2019):

  • To monitor and enforce the implementation of GDPR, Law 4624/2019 and other regulations concerning the protection of individuals with regard to the processing of personal data.
  • To raise public awareness of data protection issues and draw the attention of controllers and processors to their obligations. Special attention shall be paid to activities targeted specifically at children.
  • To give an opinion on any regulations to be included in a law or regulatory act concerning data processing.
  • To issue guidelines and make recommendations on any issue relating to data processing, without prejudice to the tasks of the EDPB.
  • To provide data subjects with information on the exercise of their rights upon their request.
  • To handle complaints submitted for infringement of GDPR provisions.
  • To carry out investigations or inspections on the application of the legislation on the protection of personal data.
  • To draw up and maintain a list in relation to the requirement for a data protection impact assessment (Article 35(4) of the GDPR) and to provide advice on the processing operations of Article 36(2) of the GDPR.
  • To encourage the drafting of codes of conduct and to approve codes of conduct that provide adequate guarantees.
  • To encourage the establishment of data protection certification mechanisms and data protection seals and marks and to approve the certification criteria.
  • To draft and publish accreditation requirements for bodies monitoring codes of conduct and for certification bodies.
  • To cooperate with other supervisory authorities through exchange of information and to provide mutual assistance to them with a view to ensuring a consistent implementation of the GDPR.
  • To contribute to the activities of the EDPB.

Furthermore, the HDPA has investigative powers as well as corrective, advisory and authorization powers, as these are specified and analysed in Article 58 of GDPR and Article 15 of Law 4624/2019.

When the processing of personal data is carried out by public authorities or by private bodies acting under Article 6(1)(c)[1] or (e)[2] of the GDPR (Article 55(2), recital 128 of the GDPR), the HDPA is exclusively competent to deal with the issue, whereas the rules of cooperation and consistency referred to below do not apply in relation to the Lead Supervisory Authority (LSA) and the one-stop-shop mechanism (recital 128 of the GDPR).

Moreover, the HDPA draws up an annual report on its activities, which it submits to the national parliament, the government and other authorities and makes it available to the public, the Commission and the EDPB (Article 59 of the GDPR, Article 14 of Law 4624/2019).

 

Cooperation and consistency

In cases where cross-border data processing is carried out[3] (Article 4(23) of the GDPR) the cooperation mechanism between the LSA and the concerned supervisory authorities applies as a general rule (Article 60, recitals 124-126 of GDPR; WP244rev.01[4]). The primary responsibility for supervising the cross-border processing lies with the LSA.

The HDPA may act as an LSA for cross-border processing carried out by a controller or processor, having its principal or sole establishment in its territory, in accordance with the procedure laid down in Article 60 of the GDPR (Article 56(1), recital 124 of the GDPR). Where one of the conditions referred to in Article 4(22)[5] of the GDPR is fulfilled, the HDPA shall act as a concerned supervisory authority (Articles 60, 66, recitals 124-125, 130-131, 143 of the GDPR). Furthermore, it cooperates with the supervisory authorities of the EU Member States by providing mutual assistance and by conducting joint operations, on a bilateral or multilateral basis, in order to ensure the consistent implementation of the GDPR and the adoption of joint control measures (Articles 61-62, recitals 133-134, 138 of the GDPR).

By way of derogation from the general rule, the HDPA is competent to examine a complaint submitted or to deal with a possible breach of the GDPR in cases where cross-border processing with local impact is carried out in its territory,[6] if the LSA decides not to deal with the case after it has been informed by the HDPA (Article 56(2)-(5), recital 127 of the GDPR). In such an event, the Authority handles the case in accordance with Articles 61 and 62 of the GDPR (Article 56(5) of the GDPR).

In addition, the HDPA applies the consistency mechanism (recital 135 of the GDPR) when it intends to adopt any of the measures provided for in Article 64(1) of the GDPR (recital 136 of the GDPR), when an opinion is requested from the EDPB on any issue of general application of the GDPR or any issue having effects in more than one Member State (Article 64(2) of the GDPR), in the context of dispute resolution between supervisory authorities by the EDPB (Article 65, recital 136 of the GDPR), and in the urgent procedure (Article 66, recital 137 of the GDPR).


[1] Article 6(1)(c) of the GDPR: “processing is necessary for compliance with a legal obligation to which the controller is subject”.

[2] Article 6(1)(e) of the GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

[3] Cross-border processing is processing that is carried out a) in the context of the activities of several establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State or b) in the context of the activities of a single establishment of a controller or processor in the Union but which affects or is likely to substantially affect data subjects in more than one Member State (Article 4(23) of the GDPR).

[4] The “Guidelines for identifying a controller or processor's lead supervisory authority” (WP 244 rev.01), EDPB (2017) are available here.

[5] (a) the controller or processor is established in the territory of the Member State of the Authority; (b) data subjects residing in the Member State of the DPA are or may be substantially affected by the processing; or (c) a complaint has been lodged with the DPA (Article 4(22) of the GDPR).

[6] Data processing is considered to be cross-border with only local effects if the subject matter of the complaint or possible breach of the GDPR concerns only an establishment in the Member State concerned or substantially affects data subjects only in the Member State concerned (Article 56(2), recital 127 of the GDPR).