The document discusses the implementation of GDPR in Greece, with a case study on its implementation in the Municipality of Iraklio Attikis. It provides background on GDPR and how different countries have implemented it into their own laws. It then discusses some of the challenges of implementing GDPR in Greece due to the lack of a national implementing law. The case study details the methodology used by the municipality to implement GDPR, which included assessing their existing status, developing an information security system and compliance plan. It concludes with an overview of the data policy adopted by the municipality to help ensure proper handling of data in accordance with GDPR.

1. The Implementation of GDPR in Greece – A Case Study
Page 1 / 18
The implementation of GDPR in Greece - A Case Study
Fotis Zygoulis
DPO [ Municipality of Iraklio Attikis Greece ]
fotiszygoulis@gmail.com
fotiszygoulis@iraklio.gr

2. The Implementation of GDPR in Greece – A Case Study
Page 2 / 18
Table of Contents
Introduction..................................................................................................................... 3
Terminology and Theoretical Basis..................................................................................... 4
Legal bases............................................................................................................... 4
The rights for individuals........................................................................................... 4
Case Law in Greece........................................................................................................... 7
Implementation Methodology........................................................................................... 8
Case Study: the implementation of GDPR in the Municipality of Iraklio Attikis in Greece....... 9
References..................................................................................................................... 18

3. The Implementation of GDPR in Greece – A Case Study
Page 3 / 18
Introduction
The implementation of the GDPR Law in Greece has allowed the emergence of specific
problems related to the levels of all Administrative Structures. In this draft we examine a
case – study concerning the implementation of GDPR Law in the Municipality of Iraklio
Attikis in Greece.

4. The Implementation of GDPR in Greece – A Case Study
Page 4 / 18
Terminology and Theoretical Basis
The Directive’sfull name is ‘Directive (EU) 2016/680 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the processing
of personal databycompetentauthoritiesforthe purposesof the prevention,investigation,
detectionorprosecutionof criminal offencesorthe execution of criminal penalties, and on
the free movementof suchdata,and repealingCouncil Framework Decision 2008/977/JHA’.
It is more widely known as the Law Enforcement Data Directive and it focuses on the
protectionof natural personswhentheirdataisprocessedforpreventing, investigating and
prosecutingcriminal offences, governing law enforcement agencies and how they process
data in performing their tasks.
Legal bases
The six legal bases for processing data, as defined under Article 6 of GDPR, are:
 Performance of a contract
 Legal obligation
 Performance of a task in the public interest
 Consent from the individual
 Legitimate interest
 Protect the vital interests of an individual
The rights for individuals
The rights forindividualsare establishedthroughoutthe whole of ChapterIIIof GDPR,where
they are specified with stipulations regarding how and when organisations must honour
those rights, and some limitations to those rights.
GDPR establishes the right:
 of access to personal data or data about processing of personal data
 to portability (i.e. copies of personal data for the individual’s own use)
 to object to processing
 to restrict processing
 to erasure (you may have heard this called 'the right to be forgotten')
 to rectification (the correction of erroneous data)
 and the right to human-made decisions*
GDPR does not make specific law around cyber security, but it does require that data be
handledsecurelyand givessome broadrequirementsonwhatthatmeans.In recognition of
this,a reformof EU lawsfor ePrivacyisalsounderway.Inline withthe evolution of GDPR as
a regulation, an existing ePrivacy Directive is also being replaced by a new Regulation.
Known as the ePrivacy Regulation, this focus is on trust - by assuring the security and
confidentialityof dataandmeta-dataas it iscommunicated.The new regulation will look to

5. The Implementation of GDPR in Greece – A Case Study
Page 5 / 18
specify clearer rules to protect this data, conferring power for their enforcement on the
supervisory authorities.
GDPR is a good example of where a regulation allows a Member state to handle certain
aspects as part of their local statute, including drafting laws that defines a supervisory
authority and setting the age at which parentalconsent is not needed for children (though
no younger than 13, as we discussed earlier this week). The intention is for GDPR to work
with limited friction with existing laws and how Member States prefer to handle specific
affairs, where the Regulation allows this.
Case studies
Austria.Directive 95/46/ECwas implementedinAustria by the Austrian Data Protection Act
2000. The new EU 2016 Regulation was due to take effect from May, 2018 and applies to
boththe Controllersof Dataandthe Processors of data. While the Austrian Data Protection
Act continues,manyof itsprovisionsweremodifiedtosuitthe new regulations.The Act was
well thought out and implemented and addressed all aspects of the new regulations -
sometimes even exceeding its requirements.
Spain. EU Data Protection Directive (95/46/EC) was transposed through the Organic Law of
Data Protection on December 1999. It comes into force in January 2000. The Organic Law
was developed through the Royal Decree-Law 1720/2007.
Data Protection Spanish Agency was established in 1994.
GDPR replaced these previous regulations.
Poland.GDPRreplacedthe previousactonpersonal dataprotectionof 1997 whichhad been
implemented based on the 1995 directive. The EU regulations are binding directly with no
needto"implement" them to the legislation of said member country and so it functions in
Poland- GDPR is applieddirectlywithoutanyinternal act that incorporates GDPR in parts or
infull.We have an act onpersonal dataprotection which replaced the previous act of 1997,
but itonly contains the stipulations of organisational nature (like the status of supervisory
authority) or other left for the competence of member state jurisdiction.
Italy.It hasimplemented Directive 95/46/EC on data protection through Legislative Decree
No. 196/2003, the Italian Data Protection Code.
On the 8th of August 2018 has been approved the Italian privacy law integrating the GDPR.
The legislative decree integrating the GDPR has been published on the Official Gazette on
19/09/2018 and has beenbindingwitheffectfromthe 19th of September 2018. Rather than
removingthe existing Italian Privacy Code, the government decided to amend the existing
ItalianPrivacyCode toalignitto the GDPR and replacingwhole sections bymeansof across-
reference to the GDPR.
France.It joined11 EU countriesinadoptingnational legislationnecessarytoimplementand
supplement the EU's General Data Protection Regulation (GDPR) and Law Enforcement
Directive,whichsetsrulesonthe processing of personal data by law enforcement agencies
and intelligence services. Several aspects of the new laws take provisions of the GDPR into

6. The Implementation of GDPR in Greece – A Case Study
Page 6 / 18
account. This includes by reconstituting the role of France's data protection authority, the
CommissionNationalede l’informationetdes Liberties (CNIL). According to the new laws, a
child can give their consent to the processing of personal data with regard to the direct
provision of information society services from the age of 15. Where the child is under 15
yearsof age,processingshall be lawfulonly if consent is given jointly by the child and their
parent or guardian. Information society service providers must draft in clear and simple
terms,easilyunderstandable bythe child, information relating to the processing operation
concerning him or her.
Denmark. The Danish Parliament approved the Data Protection Act on May 23, 2018. The
lawbringsthe country's data protectionregime in line with the EU General Data Protection
Regulation. The age limit for consent from children in order to use information society
services (social media, apps, etc.) was lowered to 13 years.
Most importantderogation(partial appeal) from the GDPR is that the act allows processing
of normal and sensitive data in connection with personnel administration on the basis of
legitimate intereststhatarisesfromlegislationorcollective agreements.This also applies to
public authorities which cannot normally rely on legitimate interest. About 80 data breach
notifications are received each week — making Denmark number one in the EU on the
number of reported breaches when the size of the population is taken into account.
Netherlands, the Dutch Data Protection Act (Wet beschermingpersoonsgegevens) was
enteredinto on 1 September 2001. The WBP implemented Directive 95/46/EU and was the
basis for secondary legislation, such as the Exemption Decree Data Protection Act
(VrijstellingsbesluitWbp) whichexemptedprocessingof data categories from the obligation
of advance notification(basedon article 29 Dutch Data Protection Act) and the Law on Data
Breach Notifications (Wet
MeldplichtdatalekkenenuitbreidingbestuurlijkeboetebevoegdheidCbp) (based on article 43a
Dutch Data Protection Act). The GDPR Execution Act
(UitvoeringswetAlgemeneVerordeningGegegevensbescherming) became effective on 22
May 2018; the UAVG implementsthe GDPRand repeals the Dutch Data Protection Act . The
GDPR AdaptationBill andGDPRImplementationBillwere still beingfinalisedat the time the
UAVG was implemented.
Germany. The first country in the world to introduce law on Data protection
Datenschutzgesetzgebung (BDSG) in 1970. Germany has some of the strictest Data
protectionlaws in the world, but amendments to BDSG to take into account the provisions
of the EU Data Protection Directive October 1995 were not implemented into national law
until 2001.
With the introduction of GDRP, Germany has introduced the new German Privacy Act
(BDSG-new) which complements GDPR.
Who is affected?
Pretty much any EU citizen about whom personal data is captured, stored and used in any
way, as well as the people who are handling that data and the organisations they are
workingfor.Remember,thisrelatestocustomers,staff andlegal entities and GDPR is extra-
territorial;in otherwords,itrelatestodata about EU citizenswherever it may be processed

7. The Implementation of GDPR in Greece – A Case Study
Page 7 / 18
inthe world.There are special provisionsforchildren,towhichwe will referyou throughout
the course.
Responsibility tends to be spread across people who take on specific roles as defined by
GDPR, suchas the datacontroller,but there are contractual responsibilitiesthat will be held
by the people and organisations handling the data on behalf of the datasubject, as well as
any other people they subcontract to, referred to in GDPR as the data processor.
Ethics and confidentialityforinstance are enshrined in other laws across Europe, usually as
a matter of Member State law and / or international principles and conventions.
The intention is that GDPR will work seamlessly with these existing laws, but when
understanding GDPR and its scope, it is important to make sure that you do not confuse
other laws and good practice with GDPR provisions – these are all intended to work
together.
The same istrue for whatMemberState lawspermitintermsof surveillance andmonitoring
of individuals.Whatisspecifiedinotherlaws regarding surveillance must be balanced with
the requirementsof GDPR,butrememberthatone of the legal bases for processing relates
to legal obligation– where processingmayproceedinline with other laws. Arguably, GDPR
provides a basis for Member States to better balance individual rights against other
surveillance laws where there are grey areas.
To illustrate what is meant by seamlessness in this context, alongside GDPR, the EU also
passed into law a new Directive that was designed to modernise data handling for judicial
and police servicesaround Europe with direct reference to the principles and provisions in
GDPR.
Case Law in Greece
The GDPR repeals Directive 95/46 / EC, which was incorporated by the EU Member States,
inGreece by the Law 2472/1997. Under the draft law on the Greek Data Protection Act, Law
2472/1997 will also be abolished in its entirety.
In Greece, GDPR has not yet implemented by a law on the basis of law enforcement.
Unfortunately, Greece is among the last three EU countries that have not yet voted on a
GDPR implementinglaw.The LegislativeCommittee had delivered the relevant draft law to
the Minister a year ago. After the completion of the relative consultation, a reformulated
versionof the draft will be submitted on the basis of the comments that emerged from the
consultation.
Nevertheless,there has beennonewsconcerningthe fate of the necessary bill until the end
of lastNovember2018, whenthe Legislative Committeewasreassembledatthe initiative of
the newMinisterof Justice withthe addition of new members. At the beginning of January
2019, Mrs. Mitrou submitted her resignation and the new committee, chaired by Mr

8. The Implementation of GDPR in Greece – A Case Study
Page 8 / 18
Philipoulos hasadeadline todeliveranew draft on the implementation of the GDPR Law by
the end of February 2019.
Moreover, the absence of relative national implementing legislation creates a legal
uncertainty over the scope of the Greek Law 2472/97, the national data protection law,
since most of its arrangements have been replaced by those of the GDPR Regulation but
have not, of course, been abolished yet and some of its arrangements still applies on the
GreekNational Law System. It is obvious that individuals, businesses and the public sector
need clarity and certainty. To be more specific, in the absence of national legislation, no
'compliance' of GDPR is meant to be comprehensive at all.
Implementation Methodology
In all Greek PublicOrganizationsandparticularly inthe Greek Municipalities, an attempt has
beenmade tointegrate the GDPR witha specificmethodologythatinvolvesthe recruitment
of outsourced specialized consultants on this issue.
The methodology followed:
Deliverable 1:
Existing Status Assessment through: Mapping - Gap Analysis - Risk Analysis:
It concernsthe evaluationof the CurrentSituationbymappingit(Data Mapping) in relation
to the Municipality's readiness to apply the new General Regulation for the Protection of
Personal Databy applying,investigatingthe deviationsof the operationfromthe Regulation
- Gap Analysis.
More specifically, identifying the personal data managed by the Municipality, identifying
those categories and the categories of those subjects related to personal data, and then
analyzingall the processesrelatedtothem, using a flow chart / study of data and processes
to represent them in the framework of this correlation.
Next,andon the basisof this analysis, a comparison will be made in relation to the articles
of the Regulation and its paragraphs in order to succeed the needed compliance with the
Regulation and in the framework of drawing up a list of deficiencies, risks and compliance
requirements - Risk Analysis,
Finally, we follow the Data Protection Impact Assessment assessing the data protection
implications for identifying the most important risks.
Deliverable I(P-I):(I.1.):DataMapping/ Gap AnalysisReport,(I.2.) RiskAnalysis Report,(I.3.)
Impact Assessment Report

9. The Implementation of GDPR in Greece – A Case Study
Page 9 / 18
Deliverable II(P-II):Design,DevelopmentandAdoptionof the InformationSecurity System -
GDPR Compliance Plan Compliance Plan - GDPR (Compliance Plan)
Duringthisstage,an InformationSecuritySystemwillbe developed and adopted, as well as
the GDPR Compliance Plan (GDPR Compliance Plan).
The latest Action Plan to be complied with will be an integrated methodology of action,
detailed at each step, which, if executed as a whole, will result in the Municipality’s
compliance withthe Regulation.The GDPRCompliance Planincludes, among other things: -
the development of a manual of policy - staff training – development an ISO 27001
information security management system.
Deliverable II (II-II):
(II.1.) Data Security Management Framework, Information Security System
(II.2.) Compliance Plan in GDPR Compliance Plan
Case Study: the implementation of GDPR in the Municipality of Iraklio
Attikis in Greece
In the Municipality of Iraklion Attikis, an attempt has been made to incorporate the GDPR
by adopting a full implementation of the legislation and the appointment of a DPO.
Particularly, the following policy has been adopted:
1. Data Policyof the Local GovernmentOrganization of the Municipality of Iraklion Attikis,
Greece
The data (inphysical anddigital form) are critical data forthe Municipalityof IraklionAttikis,
and theirproperhandlingisnecessaryfortheiruse,processing, storage, deletion processes
and the procedurestakentoidentifynew collections of data and justify the continuation of
existing ones.
The Data Policyof the Municipalityof IraklionAttikis includes the collection and processing
of personal, financial information if one or more of the following conditions are met:
• Data collection contains sensitive information.
• The Municipality of Iraklion Attikis has a strategic need for information and data.
• Data collection is used in a service provision.
• Requirements for legislative requirements, obligations and regulations.

10. The Implementation of GDPR in Greece – A Case Study
Page 10 / 18
The data must be collectedinsucha way thatthe rightsand privacyof the subject are taken
intoaccount, inaccordance withthe GDPR regulations.Whenthirdparties,collectorscollect
data for the Municipality of Iraklion Attikis, or acquire data, an agreement must be
developedbetween the Municipality of Iraklion Attikis, and the external partner, ensuring
the confidentiality and the security of the data. To that end, the DPO of the Municipality
should be informed in any case of the drawing up and monitoring of this contract.
A contract must include the following:
• Ownership of the data
• Types and categories of personal data - Object, nature and purpose of the whole
processing
• Obligations and rights
• Data storage and security
• Retention of data
• Organization Audit Requirements
• Destruction of data after termination of the contract
Dependingonthe levelof confidentialityandcriticality,datacan classifiedintothe following
categories:
Public use: fewer security controls, unrestricted
Internal use: internal needs, third party access
Confidential use: legislative acts, regulations, contracts
Particular use: special safe handling is required
The categorization of data in the Municipality of Iraklion Attikis is a result of collaboration
between the Directorates and the DPO in the context of the implementation of the GDPR
legislation.Confidential,personaldataisthe mostimportantlevel of datacategorizationand
requires more attention in the process of processing. This kind of data must be processed
only by qualified personnel. The retention period of these data should be as small as
possible to minimize the risk of leakage and disclosure.
All personal data must have a data Keeper - holder. It is forbidden to print documents that
are classifiedasconfidential,unless itisnecessary.Whentheyare destinedtobe destroyed,
theymustnot be able to be recovered(physical form)ordeletedin a secure manner (digital
form).

11. The Implementation of GDPR in Greece – A Case Study
Page 11 / 18
Where required by a law or a contract, the Municipality of Iraklion Attikis, should provide
informationtointerestedparties for the purposes of the processing of their personal data.
The notification to the data subject must be no later than:
• The moment of the first communication.
• One calendar month from the first collection of personal data.
• Atthe time of disclosure,unless alegal notice alreadyexistsora legal exemption isinforce
for the disclosure requirements
The Municipalityof IraklionAttikisshouldreceive personal databylegal and fair means and,
where appropriate, with the knowledge and consent of the data subject. Consent must be
documented.Itmustbe given for each specific function and purpose of the processing and
the data subjectmustbe able to withdraw the consentaseasily as they gave it. When there
is a need to request and obtain the consent of a person prior to the collection, use or
disclosure of their personal data, the Municipality of Iraklion Attikis, should seek to obtain
such consent.
The Municipality of Iraklion Attikis must be able to prove that the data subject:
• Has explicitly given its consent to the processing of their personal data
• Has consented to the processing of their personal data for one or more specific reasons.
• The consentform is understandable,easilyaccessible and easily distinguishable from any
other subject related to the data subject.
• The data subject has been informed of the right to withdraw their consent at any time.
The City of IraklionAttikis mustbe able to prove that the data subject has the right
to withdraw their consent at any time (In this case, the data subject must request the
withdrawal of consent).While processingof datahasmultiple purposes, the Municipality of
Iraklion Attikis, must be able to demonstrate that the withdrawal of consent is valid for all
the specific purposes. For the access procedure, the data subject must provide the
appropriate evidence, identity card, valid passport or driving license. The date, the
identificationchecksandthe type of data requestedshouldbe recorded.The Municipalityof
Iraklion Attikis, Attica, has a month from the date of the application to provide the
requested information. The request for access shall be forwarded to the Data Protection
Officer, who shall ensure that the requested data is collected within the time frame.
The Municipality of Iraklion Attikis uses personal data for specific purposes in order to
provide and / or manage functions and services. Every department of the Municipality of
Iraklion Attikis, will process the personal data in accordance with all applicable laws,
obligations,contractsandregulations.Processing involves the execution of any act in data,

12. The Implementation of GDPR in Greece – A Case Study
Page 12 / 18
in particular: collecting, storing, organizing, changing, acquiring, recording, maintaining,
correcting, organizing, retrieving, using, disclosing, transferring, disposal, erasure, or
destruction. Data protection must be ensured during the processing activities through the
applicationof "appropriate technical andorganizational measures". These safeguards must
be applied while determining the processing method and the actual time of the data
treatment.Technical andorganizational securitymeasuresare encryption,confidentiality of
the pseudonymization system, integrity and durability, and regular testing.
The data subject has the right of access to know the purposes of the data processing, the
categoriesof processedpersonaldata,the recipientsorthe categoriesof recipientswhowill
disclose the data, how long the data will be stored and their right to correction or delete.
Personal datawill notbe processed unless one of the following conditions is met: The data
subjecthasgiven their consent to the processing for one and / or more specific purposes. -
Processingisnecessary forthe executionof acontract where the subjectispartor will be on
completion of relevantactions - Processingisnecessaryforthe exerciseof public authority -
Processing is necessary, through a legal obligation.
The Municipality of Iraklion Attikis, will inform individuals about the collection and use of
their personal data, including the purposes and legal basis of processing, transport and
retentionperiods.The Municipalityof IraklionAttikisshould provide access to the data. The
subject'saccessrequestsmustbe recordedand an appropriate action must be taken within
specific time limits. Data subjects have the right to receive confirmation regarding the
processingandcopyingof theirpersonal data.The data subjectmayapplyfor a correction in
case of inaccurate,incompleteornew personal data.The answershouldbe givenwithinone
month to any reasonable request for correction. The data subject has the right to request
that the processingof hisor herpersonal databe restricted.Once the rightisexercised,only
data storage isallowed.The datasubjecthasthe right to oppose the processingof his or her
personal data.The response will be immediatelyapplicable and the Municipality of Iraklion
Attikis will nolongerprocesspersonal data,unlesslegitimatereasonsprevail,overridingthe
interests and rights of the subject. The subject of the data should be informed by the
Municipality when its data are subject to automated processing, decision making
(automated means: without human intervention) and profile preparation (automated
processing).Datasubjects have the right to require the deletion of their personal data and
their deletion from the processing process under certain circumstances.
Children's personal data should have additional technical safeguards when services are
offereddirectlytochildren.(Especially in cases handled by the Social Policy Department of
the Municipality).
2. Compliance Measures taken by the Municipality of Iraklion Attikis
The Municipality of Iraklion Attikis will adopt the procedures to ensure the exercise of the
data subjects' rights. In particular, Article 12 of the GDPR provides arrangements for the
fundamental rightsof the datasubjects,namelythe righttoinformation, access, correction,
as well as the right to oblige, limitation of processing and opposition. In this regard, the

13. The Implementation of GDPR in Greece – A Case Study
Page 13 / 18
Municipalityof Iraklion Attikis will adopt these measures in order to be able to respond to
the requests of the data subjects.
An archive of processing activities will be set up in the Municipality of Iraklion Attikis,
because the organizationemploysatleast250 people,aswell as process thatinclude special
categoriesof data(Article 9 of the GDPR).Moreover,thisdutyof the specialized controlleris
expressly reflected in Article 30 of the Personal Data Protection Regulation. This "File" is a
documentlistof all the servicesof the Municipality with a reference to data for each "filing
system"andfor each"automatedprocessing"of personal dataitcarriesout. Failure to keep
a record of processing activities by the Municipality of Iraklion Attikis , Attica, risks being
unable todemonstrate itscompliance withthe GDPRif requested (Article 5 (2) "principle of
accountability").Anarchive systemis defined as any structured set of personal data that is
accessible according to specific criteria, whether it is centralized, decentralized or
distributedonanoperational or geographic basis (Article 4, Art. 6 of the GDPR). This record
will be preparedbythe DPO [ Mr. Fotis Zygoulis ]in cooperation with all the Directorates of
the Municipality of Iraklion Attikis.
In accordance with Article 26 of the GDPR, all stakeholders that will jointly define the
purposes and the means of processing will also be treated as joint data controllers.
Furthermore, in this respect, joint data controllers shall clearly define their respective
responsibilitiesforcompliance withobligations under the GDPR Regulation, in particular as
regardsthe exercise of the rightsof the data subjectand their respective duties. Therefore,
the data subject can exercise his or her rights against and against each of the controllers.
Therefore, the Municipality of Iraklion Attikis, as a data processor when signing contracts
with third parties must indicate its obligations under Article 26 of the GDPR. Another
example of joint data controllers in cases where the City processes personal data through
platforms of Ministries is the KEP Directorate (e.g. HERMES platform).
Particularlyspeakingforthe processingof dataof sensitive social groups in the Municipality
of Iraklion Attikis handled by the Social Policy Department, it is necessary to adopt a strict
framework for the processing of sensitive personal data, since they reveal racial or ethnic
origin, political opinions, religious or philosophical beliefs or trade union membership, as
well asgeneticandbiometricinformation,aswell asinformationonhealth,sexual individual
vivo or sexual orientation.
At thispoint,special mentionshouldbe made in cases where the complaints are submitted
to the municipalitythroughthe telephone number of the latter for the citizens (case of the
gov.e-irakleio.grplatform).The Municipalityof IraklionAttikis , Attica, before collecting the
personal dataof the individual subjects, will inform them about the purpose of processing
theirdata.This suggestionis not limited to the telephone complaints of the subjects but is
applicable and in any case the Municipality processes the personal data of the subjects by
telephone.

14. The Implementation of GDPR in Greece – A Case Study
Page 14 / 18
3. Role of the DPO in the Municipality of Iraklion Attikis,
The DPO playsa keyrole in developing a culture of data protection within the Municipality
of IraklionAttikis,andcontributestothe implementationof essentialelementsof the GDPR,
such as the principlesof dataprocessing,the rightsof datasubjects,data protection already
in design and by definition, records of processing activities, security of personal data and
disclosure and communication of data breaches (Articles 25, 30, 32, 33, 34).
Pursuant to Article 38 of the CPC, the data processor and the data controller shall ensure
that the DPO isdulyand timelyinvolvedinall mattersrelating to the protection of personal
data.
Article 38 (3) refers asfollows:"The DPOdoesnotreceive instructionstocarry outhis/her ...
duties." Furthermore, it states that the DPOs "whether or not they are employees of the
Municipality, they must be able to carry out their duties and tasks in an independent
manner. "
The opinion of the DPO is requested in the following cases:
Performing an impact assessment on data protection
Choice of methodology for impact assessment on data protection
Selectionof organizational safeguards and techniques to mitigate risks to the rights of data
subjects
Under Article 39 (2), the DPO 'shall take account of the risk associated with the processing
operations,takinginto account the nature, scope, purpose and purpose of the processing'.
The DPO of the Municipality of Iraklion Attikis is not personally liable for non-compliance
with data protection requirements. Compliance with the protection rules is the
responsibility of the data controller or the data processor inside the Municipality of Iraklio
Attikis in Greece.
Templates of incorporation of the Legislation in the documents of the
Municipality of Iraklion Attikis,
Standard in general
The purpose for which the subject's data will be used should be entered in the
"import target" field.
Example:

15. The Implementation of GDPR in Greece – A Case Study
Page 15 / 18
In the application form for the "Renewal and Examination of the Trade and
Commerce Exercise License", the phrase concerning Law 4497/2017 will be added,
which will take the following final form:
"The municipality of Iraklion Attikis informs that, according to Article 6.1 (e) of
Regulation (EU) 2016/679 (General Data Protection Rule), the processing of the
personal data of that subject is necessary for the performance of a task which is
carried out in the public interest or in the exercise of the public authority assigned to
the controller, namely the Municipality of Iraklion Attikis , and in this case the
renewal / approval of a trade license, based on the Law 4497/2017 as in force. "
In this example, the scope: processing purpose is: and in this case the renewal /
approval of a permit for outdoor trade under the provisions of Law 4497/2017,
The above standard applies to all addresses of the Municipality of Iraklion Attikis
according to the purpose of the processing of its transactions with citizens and
institutions in which personal data is subject.
Statement of consent and compliance text
It is noted that it is not necessary for the moment to include a statement of consent
in the documents of the Municipality of Iraklion Attikis, regarding its transactions
with the citizens. On the contrary, the above-mentioned text of compliance-inclusion
in the official documents is considered necessary and obligatory for all the
Directorates of the Municipality of Iraklion Attikis.
At the same time it is necessary to place a legal disclaimer and mention the cookies
policy on the website of the Municipality of Iraklion Attikis, as well as the disclaimer
of personal data in the signing of the employees of the Municipality of Iraklion Attikis
, Attica, when using their official email. This model will be developed in cooperation
with the Head of the Department of Informatics in the Municipality of Iraklio Attikis.
This requires changes to the conditions of use of the media.

16. The Implementation of GDPR in Greece – A Case Study
Page 16 / 18
Compliance forms
Consent Receive Form
Consent Form
Consent Guaranty Form for a Child
Consignment Form for Guarding a Child
Vendor Processing Agreement
Application Form for Access to Personal Data
Steps of compliance
The steps taken in compliance with the Municipality of Iraklion Attikis are as follows:
Definition of Data Protection Officer
Data mapping, Data Flow,
Risk Assessment and Gap Analysis
Improvement of Data Protection Impact Assessment, if required
Revision of policies and procedures (Security Policy, Process Re-Engineering)
Exploitation of IT technology and tools (Firewalls / AVs, CRMs / Work Flow
Applications, Encryption, Cloud ...)
Developing Supervisory Authority Notification Procedures and Notification
Procedures
Test Systems and Procedures (GDPR Audit)
Continuous monitoring and updating of processes and systems (Monitoring, Review)
Employees training
Informing all the staff of the Municipality of Iraklion Attikis , Attica for the new
regulation

17. The Implementation of GDPR in Greece – A Case Study
Page 17 / 18
The CPC is not only archives, policies and procedures, but adopts a new
organizational culture in the Municipality of Iraklion Attikis , Attica.
Problems of GDPR implementation In the Municipality of Iraklion Attikis:
The problems are related to the general delay in the implementation of European
legislation in Greece. More specifically:
1. There is no culture of implementation of such legislation in the municipality of
Iraklion Attikis in Attica and it needs staff training
2. The DPO has no legal and administrative powers but he only has a consultative
role.
3. There is no conciliation between the services of the Municipality and executives of
the Greek Independent Authority for the Protection of Personal Data due to the
workload of the latter
4. There is no logistical infrastructure for an electronic platform infrastructure to
ensure the implementation of this legislation

18. The Implementation of GDPR in Greece – A Case Study
Page 18 / 18
References
1. GDPR LAW https://eur-lex.europa.eu/eli/reg/2016/679/oj
2. GDPR Compliance Texts of the Municipality of Iraklio Attikis in Greece
3. www.iraklio.gr