Initial conclusions from the Hellenic DPA’s “ex officio” GDPR compliance investigation

31 January 2019

The Hellenic DPA, in order to a) explore the level of compliance with the General Data Protection Regulation (GDPR) -six months after its entry into force- and the specific legislation on e-privacy, b) raise the awareness of data controllers and data subjects, and also c) exercise its envisaged powers, has carried out the following “ex officio” investigation, which was initiated in December 2018 and is ongoing:

More particularly, the Hellenic DPA carried out an investigation to 65 controllers operating online in the fields of financial services, insurance services, e-commerce, ticket services and public sector services, for exploring the way specific requirements are met in the areas of transparency, the use of cookies, the sending of online messages and the security of websites through indicative checkpoints, perceived to the citizen in their navigation and the use of internet services.

  1. The initial conclusions that were drawn as a result of this initiative highlight, in general, the lack of compliance with the legislation on cookies and relevant technologies in almost all the controllers.
  2. There was also a lack of information on the processing operations and the recipients of the data at around 40% of the controllers. It is worth noting that the public sector lags behind in compliance, mainly with regard to transparency, in almost all of the organizations that were investigated.
  3. On the contrary, at a high percentage of more than 80% of data controllers, a satisfactory level of security was observed.
  4. Furthermore, a sufficient degree, more than 70%, of Data Protection Officers’ designation was noted in the private sector.

On the basis of the final conclusions of this first large-scale investigation to check compliance, after the entry into force of the Regulation, the DPA will exercise its powers that are envisaged by the pertinent provisions.

The investigation was presented in the Authority’s recent Information Day on the occasion of the 13th European Data Protection Day on January 28th and is available in Greek at www.dpa.gr  (http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/EUROPEAN_DP_DAY_GENERAL/2019_DP_DAY/FILES%202018/PANAGOPOULOU_G.PDF).

For further questions, please contact the Hellenic Data Protection Authority: contact@dpa.gr

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.