Elina N Georgili is head of the data protection and privacy practice at KG Law Firm. She has extensive experience in data protection and specialises in privacy, confidentiality and security issues. Elina has headed important data protection compliance projects in various industry sectors, represented clients before the Greek and foreign data protection authorities, provided legal advice to multinational corporations and groups and drafted Codes of Conduct and important legal opinions. She participates in various legal forums and privacy and banking professional associations and has authored various articles and other publications. Elina acted as member of the Greek Committee for Drafting the Code of Conduct for Lawyers.

Natalia Soulia is a senior associate in the data protection and privacy practice group at KG Law Firm. Her practice, spanning advisory, public policy, transactional and contentious work, focuses on all aspects of data protection law, with an emphasis on the technology and financial services sectors. Natalia provides strategic legal advice on privacy and e-commerce issues, while she has also participated in multiple due diligence investigations, GDPR compliance and cybersecurity assessment projects and internal audits.

Evangelia Brinia joined the data protection and privacy practice at KG Law Firm. Her expertise on data and privacy combines a business approach with a theoretical compliance perspective, and her practical knowledge of the field derives from both study of the current legislative framework and a legal business orientation. She has gained experience through coordination of GDPR compliance projects, drafting of policies and handling matters before the Hellenic Data Protection Authority.


1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

On 4 June 2021, the Greek National Cybersecurity Authority (NCA) issued the Cybersecurity Manual, which contains the best practices proposed in order to boost the level of organisations’ cybersecurity preparedness.

In line with the Manual, the Digital Transformation Bible 2020–2025 was issued by the Greek Ministry of Digital Governance in June 2021, thus contributing to the formulation of a national strategy on digital transformation. The most important pillars of the new strategy are based on: (i) public administration reform in order to promote access to easy-to-use digital services; (ii) bolstering of private initiative for the use of new digital services; (iii) promoting implementation of new digital tools; and (iv) investing in the digital training of human resources.

2022 is considered to be a milestone year according to the Greek National Cybersecurity Strategy of 2020–2025. During this year, the strategic axes of an integrated Greek cybersecurity policy are expected to be established. These include:

  • updating the National Cybersecurity Strategy and developing an action plan;
  • developing a cybersecurity best practices handbook;
  • preparing a risk assessment study on a national level;
  • preparing a cyber crisis management and continuity plan;
  • carrying out awareness-raising activities (seminars, workshops, etc) on cybersecurity;
  • establishing a platform to protect websites against cyberattacks;
  • establishing a platform and a toolkit for vulnerability assessment and penetration testing;
  • developing a cybersecurity R&D agenda;
  • developing a cybersecurity investment toolkit; and
  • establishing a system for monitoring the availability of the websites of governmental organisations and critical infrastructure.

Further, this year marks the operation of the first centralised electronic applications and centralised information systems used for the electronic identification and authentication of citizens (Greek Law 4624/2019) as well as of the Central Internet Portal of the Greek state, which enables citizens’ access to public sector services (Greek Law 3979/2011).

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

A data breach constitutes a security incident affecting a company’s organisational structure and protection systems, which may lead to the unlawful destruction or loss of data processed by the company, thus impacting its proper operation and reputation.

According to article 33 of the GDPR, a data breach is required to be notified to the competent supervisory authority when it poses a high risk to the rights and freedoms of the data subjects concerned. Notification to the competent supervisory authority should be made without undue delay and in all cases within 72 hours of the data controller becoming aware of that breach. In addition, in accordance with article 34 of the GDPR, in the event that the data breach is likely to present a high risk to the rights and freedoms of the data subjects concerned, the company must also communicate the breach to those data subjects affected thereby immediately.

To mitigate these risks, each company should adopt a dedicated data breach management policy and procedure, on the basis of which it will be able to assess the risks arising from a security incident in order to decide whether to notify the data breach to the competent supervisory authority and whether to communicate it to the data subjects affected. Furthermore, in light of the principle of accountability as enshrined in article 5(2) of the GDPR, the company should comprehensively document any personal data breaches that occur, whether or not such data breaches require notification.

The key factors that a company should assess in order to decide whether to notify a security incident to the competent supervisory authority and to the affected data subjects are primarily the nature of the personal data affected and the severity of the risk resulting from that breach. The company should also consider the technical and organisational measures implemented as soon as it becomes aware of the data breach, in order to prevent or reduce the risk arising to the freedoms and rights of the persons affected.

It is required that the data protection officer (or the other competent persons) make a proper assessment of the factors leading to the notification of a data breach to the supervisory authority or to the data subjects affected, or both, as the data controller has the dual obligation of ensuring compliance with the data protection legal framework and mitigating any reputational damages as a result of the publicity that the data breach may receive.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

Proper and secure data processing is vital for a company’s operation, reputation and continuity. Despite the existence of a robust legal framework on the protection of personal data established by the GDPR, the risk of security incidents affecting company data is constantly increasing.

Companies typically have to protect two major types of data: business-critical data, comprising the data assets needed for the company’s operation, and private information, which includes employees’ personal data (eg, payroll data and health data), customer and third-party personal data, etc.

The biggest issue that a company has to deal with when it suffers a data security incident is to protect the corporate and personal data in its possession that are affected by this incident. To this end, the company should adopt dedicated, robust policies, such as a data breach policy and an incident response plan, which are intended to enable timely identification of security incidents and appropriate mitigation of the consequences thereof.

Against this background, the company should immediately manage the data security incident by taking at least the following steps. First, suspected or confirmed data security incidents should be reported internally (eg, to the company’s DPO) in a timely manner by the employees who became aware of them. Second, a thorough investigation must be carried out by the competent persons to ascertain whether the incident qualifies as a personal data breach, which may require notification to the supervisory authority or relevant communication to data subjects, or both. For this reason, the company should assess the immediate consequences of the data breach, and perform an evaluation of the following factors:

  • the causes of the incident;
  • personal data affected;
  • the impact to the data subjects affected; and
  • whether other company systems are exposed to immediate or future risk.

Following this assessment, all necessary technical and organisational measures to mitigate the consequences of the breach should be adopted immediately. In the event that the data security breach is expected to pose a risk to the rights and freedoms of data subjects, the company should notify the competent supervisory authority without undue delay and in all cases within 72 hours of becoming aware of it. The notification to the supervisory authority should contain detailed information on the nature of the data breach, a description of the likely consequences for the data subjects or other persons affected and a description of the measures taken or proposed to be taken by the company to mitigate the risk. Where the company concludes that the data security breach is likely to pose a significant risk to the rights and freedoms of the data subjects affected, it is required to communicate the breach to those data subjects as well. Where the company has taken robust measures to ensure that the high risk to the data subjects is no longer likely to materialise, communication to them is not necessary.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

Among the key requirements for improving cybersecurity preparedness is an inventory of hardware and software hosted on the company’s physical infrastructure, as well as the secure configuration of servers, network devices and applications. In addition, restricting access to the company’s information systems only to authorised users could lead to satisfactory preparedness results against any form of threat that may arise. Further, of great importance is the establishment of user authentication systems. These systems are the first targets for any cyberattacker, given that weak passwords, non-secure storage of passwords by the user and phishing could result in the theft of the user’s identity and the acquisition of unauthorised access to a company’s valuable resources. In addition, practices such as the creation of strong passwords, the implementation of two-factor authentication and screen locking after a period of user inactivity are regularly followed.

With regard to the most recent developments in the area, the majority of private companies and public organisations have now implemented a remote working model, which has opened new avenues for cyberattacks. Developing a remote work policy, updating the organisation’s VPNs and network equipment with the latest software patches and security configurations and regularly backing up files on an external storage medium (USB or external hard drive) could contribute to cybersecurity preparedness.

In addition, cybersecurity training programmes are among the best practices applied, focused in particular on how users can interact with their devices and the network in a secure manner, on awareness and detection of social engineering attacks and on recognising the signs of system breaches and insider threats.

Lastly, to improve cybersecurity preparedness, companies deploy information security and privacy management systems combined with technical security hardening measures.

Management systems usually refer to ISO 27001 and provide: (i) comprehensive protection of all identified information assets including trade secrets, confidential information, operational data and equipment as far as integrity, confidentiality and availability is concerned; (ii) a risk-based approach to reduce security management costs; (iii) policies and procedures to facilitate implementation; (iv) a continuous improvement approach; and (v) continuous training and awareness.

Technical security hardening measures usually comprise: (i) installation of firewalls; (ii) installation of endpoint security for malware detection and removal; (iii) email protection using software-as-a-service platforms to filter incoming emails and quarantine suspected ones; (iv) AI-based user behaviour analysis systems; and (v) data backup and restore procedures and equipment. Both management systems and technical measures are listed among the commonly used practices.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The rapid adoption of technologies in the past couple of years, and their continuous development, has made business environments particularly prone to serious cyberthreats. Now more than ever, it is imperative for businesses to become more agile through the implementation of security policies and protocols, to achieve regulatory compliance and more importantly to improve their cybersecurity preparedness, in order to safeguard their data flows.

However, the question they need to pose is how legal expertise could facilitate their demands for security and provide them with the highest level of protection. In essence, the transfer of data outside of the organisation opens up the latter’s environment for attack. Our experience has shown that aside from the vast benefits of this approach, which include its cost-effectiveness, its functional facilitation of resource management and its provision of critical threat intelligence, the inevitable fragility of data transfers requires the combined effort of security policies and legal support. To resolve this vulnerability, businesses have turned to the cloud hosting environment. From the onset, the use of cloud networks worldwide has contributed to a decrease in security breaches of at least 60 per cent in the public and private sectors compared to traditional data centres. Per contra, in Greece this approach is still less popular according to a recent survey by Eurostat.

Bearing all the above in mind, from a legal standpoint it is imperative for companies to ensure their conformity with the applicable regulatory regime.

In particular, article 28 of the GDPR sets out rules on the conditions for outsourcing data processing to data processors. In this respect, companies under their authority as data controllers that use cloud computing to transfer or store personal data are required to conclude a data processing agreement (DPA) with the cloud provider, acting as a data processor, governing their internal relationship.

With regard to personal data that are being transferred to a cloud provider established outside the European Economic Area (EEA), GDPR restrictions on cross-border data transfers become applicable. Companies that transfer personal data outside the EU could rely on the new set of standard contractual clauses (ie, the company as a data controller and the cloud service provider usually as a data processor).

Beyond the aforementioned, companies should also be aware of the following considerations. To begin with, companies should be aware of the regulatory limitations on data storage outside their territory (if any).

In addition, companies should ensure that all their security policies are updated with the contribution of expert support so as to manage risks effectively. Secure remote access is another concern that companies need to address; implementing cloud security features on the devices of employees working remotely can help secure, at scale, not only those employees’ personal data but also sensitive information of the companies’ clients.

Based on our expertise, the optimal strategy that any company could implement concerning the protection of data flows outside the organisation is the adoption of a minimum encryption level by default, according to which personal data will be temporarily stored on a queuing server, considering that the cloud-based solution is the data destination.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

In light of the increase in cybersecurity threats and criminal activity over the past years, the Greek government has recognised the urgency of strengthening its information security policies alongside its communication systems and networks with the purpose of protecting citizens’ privacy and personal data. According to a survey by Check Point Software Technologies, cyberattacks in Greece have increased by 52 per cent since May 2020, mostly in the healthcare sector, while the Global Information Security Survey by EY stresses that during the pandemic there have been serious cyberattacks not only targeting Greece’s critical infrastructure but also intercepting important information.

First and foremost, the NCA is entrusted with, inter alia, the implementation of the appropriate organisational, technical and operational measures (for instance, the development of security policies and procedures for the prevention of future security incidents, management of the institutional framework, crisis management and activation of the National Emergency Plan) and the coordination of other institutions that combat cybercrime. Greece has officially published its own National Cybersecurity Strategy 2020–2025, introducing its strategic goals, highlighting the importance of collective effort and partnership between all institutions, sharing its vision to build a modern digital environment and a culture of safe use of advanced technologies in the digital era (5G networks, AI, IoT) and aiming to increase trust in digital governance. In the context of evaluating its strategic plan, it underlined that its strategic interest extends to six dimensions: (i) emergency planning; (ii) incident reporting; (iii) security and privacy protection; (iv) research and development; (v) partnerships between the public and the private sectors; and (vi) investments in security measures.

Following the European Cybersecurity Guidelines, the NCA developed five strategic goals for implementation. These include: (i) a functioning system of governance, aiming to optimise the organisational framework and effective risk and emergency management; (ii) safeguarding the infrastructure, security and the newly implemented technologies, not only by deeply understanding their evolution and influence but also by enhancing their security requirements; (iii) improving how incidents are managed with reference to cybercrime and privacy protection, such as strengthening deterrence mechanisms and boosting business cooperation; (iv) the creation of a modern environment emphasising the promotion of research and development, in which the public and private sectors will cooperate closely; and (v) capacity building and improvement of skills through appropriate organisational exercises, utilising modern training tools and education methods and, of course, constant updates for institutions and citizens on cybercrime threats and issues.

Apart from the NCA, there are other essential stakeholders contributing to cybercrime mitigation. In principle, the National Community Emergency Response Team (in Greek, EYP) is the institution that deals with the evaluation of classified information and the assessment and certification of cryptosystems, supporting the military forces in cryptosecurity matters, including but not limited to the prevention of and warning about cyberattacks. On top of that, the EYP oversees the Computer Security Incident Response Team (the National CSIRT), whose mission is to reduce the risk of national challenges in the field of cybersecurity and communications in the event of cyberattacks on public bodies.

Furthermore, with the Presidential Decree No. 178/2014 the Cybercrime Division was established as an independent central service that reports directly to the chief of the Hellenic Police. Its mission focuses on the prevention, investigation and suppression of crime and antisocial behaviour committed through the internet or other means of electronic communication. The Division consists of five departments, complementing in this way the whole range of user protection and security of cyberspace: (i) the Administrative Support and Information Management Unit; (ii) the Innovative Actions and Strategy Unit; (iii) the Electronic and Telephone Communication Security and Protection of Software and Intellectual Property Rights Unit; (iv) the Minors Internet Protection and Digital Investigation Unit; and (v) the Special Cases and Internet Economic Crimes Prosecution Unit.

The efforts of all the above-mentioned institutions are supplemented by the Hellenic Data Protection Authority (HDPA) and the Hellenic Authority for Communication Security and Privacy, authorised with, respectively, the supervision of compliance with the General Data Protection Regulation, Greek Law 4624/2019 and Greek Law 3471/2006, governing personal data protection and privacy in the electronic communications sector.

Of equal importance is the work of the Hellenic Telecommunications and Post Commission (EETT) in battling cybersecurity threats and criminal activity by regulating and supervising the electronic and wireless communications market.

Lastly, the establishment of a Government Security Operations Center (SOC) also plays a pivotal role: it brings together engineers who monitor, conduct threat hunting and respond to emerging threats, together with the appropriate technology, for instance security information and event management (SIEM) platforms that correlate and analyse the many data points across the IT environment, thereby contributing to the fight against serious cybersecurity threats and criminal activity.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Companies’ compliance with the data protection regulatory framework has a significant impact on M&A deals. In particular, the due diligence process of a target company is subject to strict requirements and standards from the data protection perspective. This is due to the buyer company facing significant risks as a result of violations of data protection legislation by the target company, which may lead to the buyer being exposed to administrative fines, civil claims and reputational damage.

In light of this, a thorough and detailed due diligence procedure should be carried out by the buyer to assess the level of compliance of the target company with the data protection framework, as well as to identify potential red flag issues before closing, which might affect the drafting of the transaction documents. This includes a proper assessment of all documentation provided by the target company, such as relevant data protection documents (eg, register of processing activities, privacy policies, privacy notices and consent forms), data processing agreements concluded with third parties, any DPIAs carried out, information on data transfers outside the EU/EEA and information regarding any data breaches, fines and any complaints to the competent supervisory authority. Further, it is imperative that due diligence is thoroughly performed to assess whether the target company uses secure IT systems and has adopted effective measures to protect the personal data it processes.

Following the assessment of the data protection compliance risks, any identified vulnerabilities should ideally be rectified by the completion of the M&A deal (formulated as a closing condition). If the aforementioned risks cannot be eliminated in time, the M&A deal should contain appropriate representations and warranties with respect to the data protection legislation (as post-closing covenants) so that the buyer could claim specific compensation if data protection liabilities arise.


The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

To ensure the appropriate level of security, companies should address their requests to lawyers who have extensive experience in advising on data protection and cybersecurity issues, having in-depth knowledge of both the current legislative framework and the latest developments on cybersecurity and privacy, as well as a practical understanding of IT issues.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The ever-increasing number of cyberattack incidents in businesses, especially after the increase in teleworking and the enhanced use of technology, has created a need for many businesses to take appropriate security measures and adopt policies and procedures to protect their business-critical data, as well as the personal data of their employees, partners and customers. In addition, there are still a number of companies in Greece that have not yet achieved compliance with the data protection rules, or that need to clarify various issues that constantly arise.

How is the privacy landscape changing in your jurisdiction?

Law 4624/2019, enacted in August 2019, expresses the intention of the legislator to regulate certain fields that the GDPR reserves to each member state, such as data processing in the employment field. This Law also incorporates Directive (EU) 2016/680 (concerning the processing of personal data for criminal investigations and penalties). The Hellenic Data Protection Authority demonstrates great sensitivity on data privacy issues, including cookies and employees’ data during teleworking.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

The most common cyberattack identified for companies is ransomware, realised by means of blackmail. The orchestrators threaten to leak clients’ sensitive data, business plans and patents, or to spread fake news or engage in corporate espionage, thus destroying the companies’ goodwill. Around 80 per cent of attacks initially target the average user.