Practice Areas
Data Protection & Digital Law
Overview
Data protection, cybersecurity and digital regulation are now board-level legal risks. We advise Greek and international clients on their obligations under the GDPR, Greek Law 4624/2019 and the wider EU digital regulatory framework, helping them manage data, technology and digital operations with clarity and control. As the regulatory landscape shifts towards convergence—driven by the EU AI Act and the upcoming Digital Omnibus reforms—we ensure our clients’ compliance structures transition smoothly into the next generation of digital law.
Our work covers the full life cycle of personal data processing, structured across three core pillars—Strategic Governance & Readiness, Operational Compliance & Digital Operations, and Incident Response & Regulatory Defence—allowing us to support clients from initial compliance design and implementation through to day‑to‑day operational support, complex cross‑border data environments, and high‑stakes regulatory engagement.
We also advise on cybersecurity, AI governance and the wider EU digital rulebook, including the Digital Services Act, Digital Markets Act, Data Act, Data Governance Act and NIS2. Greece has transposed NIS2 through Law 5160/2024, expanding cybersecurity obligations for essential and important entities, including governance, risk management, incident reporting and supply-chain security.As digital regulation becomes more technical and more intrusive, we help clients identify the obligations that apply, build workable compliance structures, respond to incidents and manage engagement with regulators, customers, suppliers and internal stakeholders. Our data protection and digital-law work spans the automotive, technology, retail, financial services and healthcare sectors, giving us practical experience of how these obligations play out in different regulatory and commercial contexts. With the EU AI Act becoming fully applicable from August 2026, we are also advising clients on AI governance, risk classification and conformity obligations — a rapidly developing area, particularly for technology and healthcare businesses operating in the EU.
KEY CONTACT
Services
We advise data controllers and data processors on GDPR, Greek Law 4624/2019, and the guidelines, regulations and decisions of the Hellenic Data Protection Authority. Our expertise covers privacy notices, data mapping, records of processing, DPIAs, DPO arrangements, data processing agreements, data-subject rights, retention policies and internal privacy governance. We place a strong emphasis on workplace privacy, guiding corporate clients through HR data processing, employee monitoring policies (including CCTV, GPS, and IT systems), and internal compliance investigations.
We support clients on cross-border personal data transfers, data-sharing arrangements, intra-group data flows and processor networks. Our work includes Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), transfer impact assessments (TIAs), and the drafting and negotiation of complex data protection agreements, including Controller-to-Processor (C2P), Controller-to-Controller (C2C), Processor- to Processor (P2P) , and Joint-Controller arrangements, as well as contractual structures for suppliers, affiliates and commercial partners.
We advise on personal-data breaches from containment and legal assessment through notification strategy, communication with the Hellenic Data Protection Authority, affected-individual notices and remediation. Where an incident also engages cybersecurity, sector-specific or NIS2 obligations, we coordinate the legal response across those regimes.
We represent clients in investigations, audits, complaints and enforcement proceedings before the Hellenic Data Protection Authority, and in appeals against Hellenic Data Protection Agreement’s decisions before the Council of State. We also support clients in responding to regulator enquiries, information requests and corrective measures.
We advise essential and important entities, suppliers and regulated businesses on cybersecurity governance, risk management measures, incident reporting, supply-chain security and contractual controls under Greek and EU cybersecurity frameworks, including NIS2 as implemented in Greece (Law 5160/2024). Our work includes legal readiness, breach response planning and coordination with technical advisers.
We advise on AI governance, digital platforms, data access, online services and emerging EU digital regulations. Our work includes EU AI Act readiness, risk classification, deployment obligations, data-sharing arrangements and obligations arising under the Digital Services Act, Data Act and related EU digital frameworks. Additionally, we handle comprehensive website compliance, covering cookie frameworks, tracking technologies, and opt-in/opt-out consent mechanisms.
Featured Work
- AdvisedToyota Hellas S.A. and its commercial network, DNV S.A., DKG Group, Hellas Gold S.A., DHR Group, and Tigger Hellas SA on comprehensive GDPR and local law compliance. This included drafting privacy policies, consent forms, data processing agreements, data retention policies, DPIAs, and establishing internal privacy governance, alongside managing international data transfers (SCCs/BCRs), employee monitoring, CCTV compliance, and cookie/online-tracking mechanisms.
- Advised Accenture S.A. on employee data protection and HR privacy frameworks, including employee monitoring policies, specialized data processing, internal privacy governance, cross-border data flows, information security, and NIS2 compliance readiness.
- Provide ongoing data protection counsel to multinational retail, fashion, apparel, FMCG, hospitality, and leisure groups operating in Greece—including Golden Goose Hellas P.C., Mango Garments Hellas Ltd, Mars Hellas S.A., Royal Canin Ltd, Camper (Mancor S.A.), Rosewood Hotels Hellas P.C., and Flying Tiger Hellas SA.
- Advised Greek financial services institutions, including Attica Bank and Pancreta Bank, on aligning GDPR and Law 4624/2019 compliance within highly strict, sector-specific regulatory frameworks.