3380
GOVERNMENT GAZETTE
Article 6
Designation of the data protection officer in public
bodies
1. Public bodies shall designate a data protection officer
(hereinafter: the DPO).
2. A single DPO may be appointed for several public
bodies, taking into account their organisational structure
and size.
3. The DPO shall be selected on the basis of professional
qualities and, in particular, expert knowledge of data
protection law and practices, and the ability to fulfil the
tasks referred to in Article 8.
4. The DPO may be an employee of the public body
in any capacity, or fulfil his or her tasks on the basis of a
service contract.
5. The public body shall publish the contact details of the
DPO and communicate them to the Authority, unless this
is not permitted for reasons of national security or for the
purposes of maintaining confidentiality, as provided for by
law.
Article 7
Position of the DPO in public bodies
1. The public body shall ensure that the DPO is involved,
properly and in a timely manner, in all issues relating to the
protection of personal data.
2. The public body shall support the DPO in performing
the tasks referred to in Article 8 by providing resources
necessary to carry out those tasks, ensuring access to
personal data, to processing operations, and to maintain
his or her expert knowledge.
3. The public body shall ensure that the DPO does not
receive any instructions regarding the exercise of his or her
tasks, reports directly to the highest management level of
the public body, and is not dismissed or penalised by the
controller for performing his or her tasks.
4. Termination of the employment contract of the DPO,
or revocation of the duties assigned to him or her, where
the DPO is also an employee of the public body, shall only
be allowed for good reason. After the expiry of his or her
employment contract as a DPO, he or she shall not be
dismissed for one (1) year, unless the public body has good
reason to terminate his or her contract.
5. The data subjects may consult the DPO on any matter
relating to the processing of personal data and the exercise
of their rights under the GDPR, this Law and any other
legislation on the protection of personal data. The DPO
shall be bound by secrecy or confidentiality concerning the
identity of data subjects and the circumstances in which
conclusions can be drawn as to the data subject, unless the
identity of the data subject is disclosed by the subject itself.
6. If the DPO, in performing his or her tasks, becomes
aware of personal data for which the head of the public
body has the right to refuse to give evidence as a witness
for professional reasons, that right shall also apply to the
DPO and his or her assistants.
A’ 137/29.08.2019
Article 8
Tasks of the DPO in public bodies
1. In addition to his or her tasks under the GDPR, the
DPO shall have at least the following tasks:
(a) to inform and advise the public body and the
employees, who carry out the processing, of their
obligations under the provisions of this Law and any other
legislation on the protection of personal data;
(b) to monitor compliance with the provisions of this Law
and any other legislation on the protection of personal data,
and with the personal data protection policies of the public
body, including accountability and the related audits;
(c) to provide advice as regards the data protection
impact assessment and monitor its implementation
pursuant to Article 65;
(d) to cooperate with the Authority;
(e) to act as the contact point with the Authority on issues
relating to processing, including the prior consultation
referred to in Article 67, and to consult the Authority, where
appropriate, with regard to any other matter.
2. The tasks of the DPO, who may be designated by
judicial and prosecutorial authorities, shall not concern
the processing operations carried out by judicial and
prosecutorial authorities acting in their judicial capacity.
3. The DPO may fulfil other tasks and duties. The
controller or processor shall ensure that the exercise of
any such tasks and duties does not result in a conflict of
interests.
4. The DPO shall, in the performance of his or her tasks,
have due regard to the risk associated with processing, the
nature, scope, context and purposes of processing.
CHAPTER B
SUPERVISORY AUTHORITY
Article 9
Hellenic Data Protection Authority
The Authority, which has been established by Law
2472/1997 (Government Gazette A’ 50), shall supervise
the application of the provisions of the GDPR, this Law
and other regulations relating to the protection of natural
persons with regard to the processing of their personal
data on the Greek territory. The Authority is an independent
public authority under Article 9a of the Constitution and has
its seat in Athens.
Article 10
Competence
1. The Authority shall cooperate with the supervisory
authorities of Member States of the European Union, and
the European Commission.
2. The Authority shall represent Greece in the European
Data Protection Board (hereinafter: the EDPB) and other
committees or bodies relating to the protection of personal
data which involve the participation of a national supervisory
authority.
3. The Authority shall cooperate with respective
supervisory authorities of third countries and international
organisations to meet the objectives specified in Article 50