Our team leader is Associate Professor Dr. Grigoris Lazarakos. Since September 2016 Grigoris and his team have completed, and are in the process of completing, a wide variety of GDPR compliance projects in relation to
It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed. Information relating to such processing (including the identity of the controller and the purposes of the processing) shall be easily accessible and easy to understand.
This obligation (the record of processing activities under Article 30) applies to controllers, joint controllers and processors. The record shall contain all of the specific information listed in that Article, so it is recommended that the exercise be performed thoroughly.
Processing should always be performed in a manner that ensures protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. The relevant measures shall ensure a level of security appropriate to the risk.
Technical and organisational measures shall be implemented from the design stage of each processing operation so as to afford the best possible privacy protection (data protection by design). The measures implemented shall ensure that, by default, only personal data which are necessary for each specific purpose are processed (data protection by default).
When the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out a data protection impact assessment (DPIA) of the envisaged processing operations. When the DPIA indicates that the processing would result in a high risk in the absence of mitigation measures, the controller shall consult the supervisory authority before processing.
A data protection officer (DPO) shall be appointed by the controller and the processor when
The controller shall notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification shall describe the nature of the breach, the name and contact details of the DPO or other contact point, the likely consequences of the breach and the measures taken or proposed to address it.
Personal data environment mapping is the first essential operational phase of a structured and efficient data protection compliance strategy and is a prerequisite to the subsequent Gap Analysis phase. We use a planned and structured approach to review a Company's existing data map (or to build one from scratch) by identifying, understanding and mapping the Company's business units, processes, data types and data flows, IT systems, and the key players and stakeholders involved in the data processing activities.
The key objective is to confirm that the Company's personal data register is in line with the provisions and attributes specified in Article 30 of the GDPR.
We perform a maturity assessment, reviewing the current situation against the requirements of the General Data Protection Regulation (EU) 2016/679 and the client's own requirements, in order to identify the main gaps that the Company needs to address in order to be compliant with the GDPR.
To perform our maturity assessment / Gap Analysis, during this phase we identify, through workshops, the GDPR requirements applicable to the Company's data processing areas. In doing so we obtain an understanding of the existing privacy-related processes and assets (processes, technology and premises), and finally we identify the risks and recommend areas of improvement. These activities enable a Company to establish a clearer picture of the control domains and business processes that require improvement.
We check and adjust any existing action plan developed by the Company or Organisation, or we undertake the implementation of specific GDPR compliance measures ourselves. For example, we draft data privacy and data processing policies, information notices (for website users, employees, vendors etc.), and contracts between data controllers and processors or between joint controllers.
We offer hands-on advice on the actions that need to be taken in case of a breach (always provided that we are instructed in time, given the 72-hour notification window).
We represent our clients before the Greek DPA and Courts of all Instances regarding any sort of data protection issue which may arise in the context of processing of data by enterprises.
As our team leader is an accredited legal expert (CEPE L PS) at European Privacy Seal GmbH (EuroPriSe), the leading certification body in Europe, we are in the pleasant position to help, in this capacity, manufacturers and vendors of IT products and IT-based services obtain EuroPriSe certification. The procedure consists of an evaluation of the product or service followed by a validation of the evaluation report. In the near future we will also be in a position to offer website privacy certification, which is awarded to websites that comply with EU data protection law and meet all of EuroPriSe's high-quality data protection requirements.