Submission of a data breach notification to the HDPA

To notify the HDPA of a data breach, you must first log in to the HDPA online portal and then fill in and submit the relevant electronic form provided. To log in to the online portal you must use the taxisnet credentials available to controllers established in Greece. Relevant information on how to submit a notification in Greek is available here.

The HDPA accepts data breach notifications in English either in cases of a breach in the context of cross-border processing or when Article 3 (2) or (3) GDPR applies. If the controller is not established in Greece and therefore cannot log in to the online portal with taxisnet credentials, the notification can be submitted via email.

In this case, follow the steps below:

  1. Download the appropriate type of the data breach form. The form is provided in two versions. The first one uses macros to guide you through the process of filling it in. The second one is a simple file (MS Excel format), without macros. You may choose either the first or the second:

    Form with macros (please remember to activate macros!): Form_with macros.xlsm

    Form simple: Form_simple.xls
  2. Fill in the required fields of the form and save it. To fill in each line of the form, please see the detailed guidelines at the end of each line.
  3. Encrypt the form as illustrated below by using the HDPA’s public key (optional, but recommended for reasons of secrecy).
  4. Attach the encrypted form to an email. In your email please describe the reasons that have led you to submit the data breach form in this way and not via the HDPA online portal.
  5. Send the email to databreach@dpa.gr.

Warning: the above email address is only for notifications of personal data breaches submitted by controllers. To lodge a complaint, please see here.

Emails sent to the above address which do not concern data breaches will not be considered.

For security reasons, we suggest that you send the form encrypted in such a way that it can be read (decrypted) only by the HDPA.

To achieve that, you should use the GnuPG (GPG) software, which is a free implementation of the OpenPGP standard.

You must first encrypt the file (i.e. the filled-in form) on your computer, regardless of the software or e-mail service you use, and then attach the encrypted file to an e-mail message.

The HDPA’s public GPG key, which must be used to encrypt the completed form before attaching it to the e-mail message* to be sent to the HDPA, is available here (Key ID: 445EA68B, Key Fingerprint: AD28 60E4 2CBA CA97 A2AD A5F1 75BD F233 445E A68B). Any accompanying document may be encrypted in the same way.

(*) Warning: Please do not encrypt the whole e-mail message (e.g. by using an appropriate plugin), because there are known security issues in this approach (see here).
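
One way to carry out the encryption step described above, as an added example that is not part of the HDPA's own instructions: it checks the downloaded key against the fingerprint published on this page before encrypting the form file. It assumes a GnuPG 2.x version that supports `--show-keys`; the script name, the key file name `hdpa_pubkey.asc` and the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not HDPA code): check the downloaded key against the
# fingerprint published on this page, then encrypt the form file itself.

# Fingerprint exactly as printed on the page.
HDPA_FPR="AD28 60E4 2CBA CA97 A2AD A5F1 75BD F233 445E A68B"

# Strip whitespace and upper-case, so differently formatted
# fingerprints compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint (field 10 of the first "fpr" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the key file's primary fingerprint equals HDPA_FPR.
# $1 = key file (assumed name: whatever you saved the download as).
key_matches() {
    km_got=$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null | primary_fpr)
    [ -n "$km_got" ] && [ "$(normalize_fpr "$km_got")" = "$(normalize_fpr "$HDPA_FPR")" ]
}

# $1 = key file, $2 = filled-in form; writes "$2.gpg" to attach to the e-mail.
encrypt_for_hdpa() {
    key_matches "$1" || { echo "fingerprint mismatch, not encrypting" >&2; return 1; }
    gpg --batch --import "$1" || return 1
    # The fingerprint was verified above, so no trust prompt is needed.
    gpg --batch --yes --trust-model always \
        --recipient "$(normalize_fpr "$HDPA_FPR")" \
        --output "$2.gpg" --encrypt "$2"
}

# Usage (assumed file names): sh encrypt_form.sh hdpa_pubkey.asc Form_simple.xls
if [ "$#" -eq 2 ]; then
    encrypt_for_hdpa "$1" "$2"
fi
```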