Practice Areas
Data Protection & Digital Law
Overview
Data protection, cybersecurity and digital regulation are now board-level legal risks. We advise Greek and international clients on their obligations under the GDPR, Greek Law 4624/2019 and the wider EU digital regulatory framework, helping them manage data, technology and digital operations with clarity and control. Greek Law 4624/2019 supplements the GDPR and regulates the Hellenic Data Protection Authority’s role and powers in Greece.
Our work covers the full life cycle of personal-data processing: governance frameworks, privacy notices, records of processing, processor arrangements, cross-border transfers, DPIAs, DPO support, data-subject rights, HDPA notifications, regulatory complaints, audits and personal-data breaches.
We also advise on cybersecurity, AI governance and the wider EU digital rulebook, including the Digital Services Act, Digital Markets Act, Data Act, Data Governance Act and NIS2. Greece has transposed NIS2 through Law 5160/2024, expanding cybersecurity obligations for essential and important entities, including governance, risk management, incident reporting and supply-chain security.
As digital regulation becomes more technical and more intrusive, we help clients identify the obligations that apply, build workable compliance structures, respond to incidents and manage engagement with regulators, customers, suppliers and internal stakeholders. Our data protection and digital-law work spans the automotive, technology, retail, financial services and healthcare sectors, giving us practical experience of how these obligations play out in different regulatory and commercial contexts. With the EU AI Act becoming fully applicable from August 2026, we are also advising clients on AI governance, risk classification and conformity obligations — a rapidly developing area, particularly for technology and healthcare businesses operating in the EU.
Services
We advise controllers and processors on GDPR and Greek Law 4624/2019 compliance, including privacy notices, records of processing, DPIAs, legitimate-interest assessments, DPO arrangements, processor contracts, data-subject rights, retention policies and internal privacy governance.
We support clients on cross-border personal-data transfers, data-sharing arrangements, intra-group data flows and processor networks. Our work includes Standard Contractual Clauses, transfer impact assessments, joint-controller arrangements, processor terms and contractual data-protection structures for suppliers, affiliates and commercial partners.
We advise on personal-data breaches from containment and legal assessment through notification strategy, communication with the Hellenic Data Protection Authority, affected-individual notices and remediation. Where an incident also engages cybersecurity, sector-specific or NIS2 obligations, we coordinate the legal response across those regimes.
We represent clients in investigations, audits, complaints and enforcement proceedings before the Hellenic Data Protection Authority, and in appeals against HDPA decisions before the Council of State. We also support clients in responding to regulator enquiries, information requests and corrective measures.
We advise essential and important entities, suppliers and regulated businesses on cybersecurity governance, risk management measures, incident reporting, supply-chain security and contractual controls under Greek and EU cybersecurity frameworks, including NIS2 as implemented in Greece. Our work includes legal readiness, breach response planning and coordination with technical advisers.
We advise on AI governance, digital platforms, data access, online services and emerging EU digital regulation. Our work includes EU AI Act readiness, risk classification, deployment obligations, data-sharing arrangements and obligations arising under the Digital Services Act, Data Act and related EU digital frameworks.
Featured Work
- Advised Toyota Hellas S.A. on a comprehensive GDPR compliance programme, including privacy policies, data-processor agreements, international data transfers, cookie and online-tracking compliance, data-subject rights and data-breach incident management.
- Advised Accenture S.A. on employee data-protection and HR privacy frameworks, including employee monitoring, data processing, internal privacy governance and cross-border data flows.
- Advised automotive importers and distributors on data-protection issues relating to connected-vehicle products, including processor agreements, international data transfers, HDPA engagement and breach-incident response.
- Advised major retail and consumer-facing businesses on GDPR compliance, cookie policies, online tracking, e-commerce data-protection requirements and consumer-facing privacy notices.