On the occasion of the 20th Data Protection Day (28 January), the Hellenic Data Protection Authority (HDPA) held successfully an Information Day at the Athens Chamber of Commerce and Industry.
Opening the event, the Special Secretary for Artificial Intelligence and Data Governance of the Ministry of Digital Governance, Vasilis Karkatzounis, noted that “Artificial Intelligence is built on infrastructures, data, and algorithms—through a cloud-first strategy, DAEDALUS, and investment in human capital” and that “digital sovereignty means a stronger position, not isolation.” The Special Secretary emphasized: “Regulation and innovation go hand in hand. The GDPR and the AI Act are not obstacles but necessary conditions for trust, transparency, and the protection of fundamental rights in an era of increasing risks to privacy and democracy. A change in culture is needed to unlock the value of data. With realism, cooperation, and a human-centered approach, personal data protection can and must become a driving force for social and economic benefit.”
In his welcome address, the President of the Hellenic Data Protection Authority and Honorary Supreme Court Judge, Georgios Batzalexis, pointed out that “the AI Act complements and strengthens the existing regulatory framework without replacing the General Data Protection Regulation (GDPR). For Greece, the challenge is not only the formal transposition of the rules, but their effective implementation, through strengthening competent authorities, training public bodies, and cooperation with civil society and the market.” He noted also that “the Hellenic DPA has been designated as the Fundamental Rights Authority for AI, assuming a key role in protecting citizens’ rights in the new digital environment, and is expected to take on the role of Market Surveillance Authority for high-risk AI systems”. However, he stressed, that “the ΗDPA’s extremely small size is inversely proportional to the breadth of its responsibilities, the complexity of the interventions it is called upon to implement, and the expectations placed upon it by society. For this reason, the competent state bodies must ensure the necessary conditions and resources for its effective operation, as required by the GDPR”.
The first session, entitled “Developments and Current Issues in Data Protection,” opened with a presentation by Dr. Zoi Kardasiadou, European Commission, Directorate-General for Justice, Data Protection Unit, titled “The European Commission’s Proposal regarding the General Data Protection Regulation and Directive 2002/58/EC”. She analyzed the objectives of the Commission’s “Digital Omnibus” proposal, noting that “the proposed amendments aim at harmonizing, clarifying, and simplifying the GDPR, while maintaining a high level of protection in line with the EU acquis on personal data protection. The proposed amendments are limited and targeted.” The specific amendments to the GDPR and Directive 2002/58/EC on privacy and personal data protection in electronic communications were then presented.
Then, Georgia Panagopoulou, Head of the Hellenic DPA’s Audits and Security Department, delivered a presentation entitled “The Hellenic DPA under the A I Act”. She analyzed the role of the Hellenic DPA under the AI Act, describing AI as “a horizontal technology that decisively affects decision-making, everyday life, and fundamental rights.” Emphasis was placed on “the parallel and complementary application of the GDPR and the AI Act, the risk-management approach, and the need for human oversight, transparency, and accountability.” Particular focus was given to implementation challenges and the institutional preparation of the Hellenic DPA for its supervisory roles under the AI Act.
Dr. George Rousopoulos, Computer Engineer and Head of the HDPA’s Supervisory Activities Directorate, in his presentation “Cameras and… the elephant in the room: the gap between legislation and implementation”, acknowledged that “video surveillance systems remain among the personal data protection issues that are currently in the public spotlight, despite the existence of extensive guidance since the beginning of our century.” He noted that “modern camera technologies, sometimes incorporating AI, are used by both public and private entities. Across Europe, a paradox is observed: a large proportion of complaints concern cameras installed in private residences, often linked to neighbor disputes. This raises the question of whether regulating such private disputes through the GDPR can be effective, both for citizens and for supervisory authorities, suggesting that this aspect of ‘simplification’ of GDPR implementation should also be examined”.
Following, Kalli Karveli, Head of the HDPA’s Complaints Department, in her presentation “Legitimate Interest and the GDPR: Conditions, Criteria, and Cases of Application by Controllers and Third Parties” focused on the prerequisites for relying on legitimate interest under Article 6(1)(f) GDPR as a legal basis for processing personal data by data controllers, presenting and analyzing relevant application cases.
The first session concluded with a presentation by Fay Karvela, Special Scientist of the Hellenic DPA, titled “Handling Erasure Requests by Data Controllers – Coordinated Enforcement Action of the EDPB 2025”. She focused on the EDPB’s Coordinated Enforcement Framework (CEF) action for 2025 concerning the right to erasure by the data controllers, highlighting the contribution of the Greek Authority. She also noted that “31 supervisory authorities conducted coordinated investigations to map practices, identify challenges, and highlight good practices. The results will be used for enhanced guidance and more consistent GDPR enforcement at the European level. As shown by the coordinated action, handling erasure requests poses significant legal and technical challenges in practice, particularly regarding anonymization, backups, and the balancing of competing legitimate interests.”
The first session was moderated by Dr. Vasilis Zorkadis, former Head of the Hellenic DPA’s General Directorate.
The second session, entitled “The Crucial Role of DPOs: Strategies and Challenges”, began with Athanasios Kosmopoulos, President of the Public Sector Data Protection Officers Committee and DPO of the Ministry of Digital Governance, who pointed out that “the role of the DPO in Public Administration has evolved from formal to strategic, particularly after the implementation of the GDPR, as the DPO acts as a guarantor of legality in the management of large volumes of citizens’ personal data.” He emphasized “the DPO’s role in privacy by design and by default, advising management on digital transformation, managing risks through DPIAs and breach prevention, and fostering a culture of data protection, transparency, citizen trust, and quality public services”.
George Perisynakis, Police Lieutenant and Data Protection Officer of the Hellenic Police, then presented four key challenges, particularly in the law-enforcement sector, including the correct identification and application of the appropriate national and EU legal frameworks, implementation in large-scale EU interoperability IT systems, challenges related to the AI Act—especially for high-risk systems—and the recent establishment of the Personal Data Protection Office following the restructuring of the Hellenic Police under Law 5187/2025.
In his presentation “The Loneliness of the DPO (???)”, Dr. Dimitris Zografopoulos, Data Protection Officer of the Ministry of Health, stated, among other things, that “in an era of generalized deregulation of law, the GDPR remains one of the key instruments for safeguarding the protection of individual rights. Its regulatory framework aims, in particular, to ensure that any processing of personal data is meant to serve human beings, and that the DPO must provide meaningful support in this direction. The DPO must, above all, be guided by the understanding that they constitute the ‘primary tool’ of accountability for the data controller and, with a firm commitment to legality, act as a ‘forward outpost’ of the Hellenic DPA. They should participate in the strategic planning of processing activities, ensuring the application of the principle of ‘Privacy by design/Privacy by default,’ defend their independence with determination and conviction (but not rigidity), maintain consistency in their views while also acknowledging possible mistakes, and demonstrate availability and responsiveness: ‘five-minute readiness.’”
Subsequently, Eleni Balasopoulou, Data Protection Officer of the National Transparency Authority, highlighted the multidimensional role of the Data Protection Officer, with responsibilities grouped into three pillars: Prevention, Awareness, and Detection. Furthermore, she emphasized that “the process of compliance with the requirements of personal data protection legislation is dynamic,” and proposed, as a strategic approach, the adoption of the Deming Cycle, developed by the father of Total Quality Management. She continued by presenting the challenges faced by a public-sector DPO in the constantly evolving technological environment of digital transformation and AI. She outlined “tools” that a DPO may utilize, placing particular emphasis on the need for cooperation and the exchange of expertise. Finally, she concluded her presentation by stressing the need for institutional strengthening and an upgrade of the DPO’s role.
Dr. Vasilis Vasilopoulos, Data Protection Officer of Hellenic Broadcasting Corporation (ERT), referred to the process of balancing freedom of expression with the protection of privacy, noting that “complaints against journalists are substantiated on the basis of the GDPR and the rights of data subjects.” With particular regard to offences against honor, he emphasized the negative development resulting from the repeal of Article 367 of the Penal Code, especially the provisions on “legitimate interest,” which, as he stated, “deprives journalism of a critical tool for excluding unlawfulness, thereby creating legal uncertainty.” He noted that “despite the protective supra-legislative provisions of the Constitution and the ECHR, the pre-trial examination is affected,” and added that “while the ECHR protects sharp criticism as a value judgment, Greek case law often confines itself to ‘journalistic style,’ leading to ‘a peculiar form of censorship.’” Finally, on the occasion of the transposition of the Anti-SLAPP Directive into national law, he proposed “the reinstatement of the concept of ‘legitimate interest,’ based on the status of the public figure, the issue being one of public interest, the journalist’s good faith, and the nature of the statement as a protected opinion”.
With a special contribution, Dr. Athena Bourka, Data Protection Officer of ENISA, explained the institutional framework for data protection within the European institutions and referred to the usefulness of the EU institutions’ DPO Network. She analyzed the importance of the role of DPOs in ensuring compliance and trust, presenting the DPO role as both an opportunity and a challenge. She referred to limited resources and reduced staffing, which “create difficulties for the strategic role of the DPO.” A “second challenge,” according to Dr. Bourka, is “having the role of the DPO accepted,” noting that “despite the challenges, the role is an opportunity provided that it succeeds in gaining the trust of management and staff.” She characteristically stated that the “proper role” of the DPO is “the one who tries to find a solution, not the one who says no to everything”. She also referred to the power of cooperation, noting that “enabling DPOs to work more systematically with the supervisory authority is something that can benefit both sides”.
The second session was moderated by Dr. Elias Athanasiadis, Head of the Hellenic DPA’s Department of Communications and Public Relations.
It is noteworthy that at the end of each thematic session, speakers provided useful answers to questions raised by participants.
The event was livestreamed via the internet and the DIAVLOS service of the National Infrastructures for Research and Technology Network and was followed by a large audience (more than 800 unique users).
Independent Department of Communication & Public Relations
