On 6 October 2020, the General Assembly of the Greek Bar Associations published a draft CoC on the processing of personal data by lawyers, law firms and lawyers’ unions, which was open to public consultation until 31 October 2020. The submission of this CoC is a novel development in Greece, being only the second draft CoC to be submitted for approval before the Hellenic Data Protection Authority.
The initiative of the Greek Bar Associations to draft a CoC definitely moves in a positive direction, because it is likely to provide a helpful resource for individual lawyers and small-sized law firms towards their data protection compliance and to help increase the trust and confidence of clients and third parties transacting with them. Having said so, the current draft lacks a more-detailed and sector-specific guidance on important issues, such as the requirements for performing a Data Protection Impact Assessment, exemptions on the appointment of a Data Protection Officer and templates of Records of Processing Activities and privacy notices, which could be tailored-made to the needs of the legal sector.
One of the more interesting features of the CoC is that it seems to adopt the view that lawyers and law firms qualify as controllers as regards the processing of personal data during the performance of their duties. While it is true that a legal professional will be operating as a data controller in most of its undertakings, we consider that such absolute position contradicts the spirit of the GDPR and the stance of the EDPB and various European supervisory authorities that have expressed the view that the role of the controller or processor should always be determined on an ad hoc basis depending on the actual activities in a specific situation, rather than upon the formal designation of an actor being either a controller or processor.
The CoC identifies a monitoring body, which is tasked with ensuring compliance with the CoC and is elected by each Lawyers’ Union for a 3-year term. Although the CoC provides for disciplinary actions and promotes the out-of-court settlement of disputes, it does not contain sufficient mechanisms that would enable the monitoring body to carry out its duties in an effective manner, such as regular audits and reporting requirements and a transparent complaint handling process.
As to next steps, it is expected that the CoC will be revised in order to take into consideration the comments submitted during the public consultation process and its final text shall be submitted to the Hellenic Data Protection Authority for approval.
Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)