Skip to main content

Draft Code of Conduct of lawyers, law firms and lawyers’ unions on the processing of personal data issued in Greece


Under the GDPR, Codes of Conduct (CoC) constitute an effective accountability tool for achieving self-regulation and transparency of processing activities of a business industry or sector. The main goal of such non-binding texts is to create a uniform and harmonised approach towards data protection compliance among the relevant professionals by taking into consideration the specific characteristics of processing and the special needs of each sector. Various trade associations and professional representative bodies across the EU have submitted CoC for approval to their competent supervisory authorities since the entry into force of the GDPR.

On 6 October 2020, the General Assembly of the Greek Bar Associations published a draft CoC on the processing of personal data by lawyers, law firms and lawyers’ unions, which was open to public consultation until 31 October 2020. The submission of this CoC is a novel development in Greece, being only the second draft CoC to be submitted for approval before the Hellenic Data Protection Authority.

The initiative of the Greek Bar Associations to draft a CoC definitely moves in a positive direction, because it is likely to provide a helpful resource for individual lawyers and small-sized law firms towards their data protection compliance and to help increase the trust and confidence of clients and third parties transacting with them. Having said so, the current draft lacks a more-detailed and sector-specific guidance on important issues, such as the requirements for performing a Data Protection Impact Assessment, exemptions on the appointment of a Data Protection Officer and templates of Records of Processing Activities and privacy notices, which could be tailored-made to the needs of the legal sector.

One of the more interesting features of the CoC is that it seems to adopt the view that lawyers and law firms qualify as controllers as regards the processing of personal data during the performance of their duties. While it is true that a legal professional will be operating as a data controller in most of its undertakings, we consider that such absolute position contradicts the spirit of the GDPR and the stance of the EDPB and various European supervisory authorities that have expressed the view that the role of the controller or processor should always be determined on an ad hoc basis depending on the actual activities in a specific situation, rather than upon the formal designation of an actor being either a controller or processor.

The CoC identifies a monitoring body, which is tasked with ensuring compliance with the CoC and is elected by each Lawyers’ Union for a 3-year term. Although the CoC provides for disciplinary actions and promotes the out-of-court settlement of disputes, it does not contain sufficient mechanisms that would enable the monitoring body to carry out its duties in an effective manner, such as regular audits and reporting requirements and a transparent complaint handling process.

As to next steps, it is expected that the CoC will be revised in order to take into consideration the comments submitted during the public consultation process and its final text shall be submitted to the Hellenic Data Protection Authority for approval.


Article provided by: Mary Deligianni (Zepos & Yannopoulos, Greece)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.