GREECE Law and Practice Contributed by: Semina Zavitsanou, Yannis Ragos, Maria Siraga and Panagiota Kelali, POTAMITISVEKRIS
• Vendor and Transfer Controls: If a third-party provider is engaged, it must be bound by the obligations of Article 28 GDPR. In addition, special clauses should be put into place to prevent the provider from using the employer’s inputs for model training, to map data flows, and to ensure that a lawful transfer mechanism and a transfer impact assessment are in place for any access to data outside the EEA.
• Security and Confidentiality: Strict role-based access, encryption, and logging should be implemented.
• Retention: Data retention must be limited and purpose-bound, with investigation data deleted or anonymised upon the closure of the matter.

8. Special Cases

8.1 Whistle-Blowing

Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law has been incorporated into Greek legislation through law 4990/2022.

Law 4990/2022 applies for the protection of persons who report or disclose:
• breaches of Union law in the following areas: (a) public procurement; (b) financial services, products and markets, crypto-asset markets, as well as the prevention of money laundering and terrorist financing; (c) product safety and compliance; (d) transport safety; (e) environmental protection; (f) radiation protection and nuclear safety; (g) food and feed safety, and animal health and welfare; (h) public health; (i) consumer protection; and (j) protection of privacy and personal data, as well as the security of network and information systems;
• breaches affecting the financial interests of the European Union within the meaning of Article 325 of the Treaty on the Functioning of the European Union (TFEU) and the specific Union measures adopted thereunder;
• breaches relating to the internal market, including infringements of EU competition and state aid rules;
• breaches of domestic law concerning the offences of bribery and trading in influence; and
• breaches of EU restrictive measures.

Whistle-blowers are entitled to protection (i) provided that, at the time of the report, they had reasonable grounds to believe that the information concerning the reported violations was true, (ii) when they submit a report either internally or externally, or through public disclosure, as well as when they submit a report to the competent institutional and other bodies and organisations of the European Union and (iii) in the case of anonymous reporting, if they are subsequently identified.

Private sector entities employing 50 or more employees shall designate an IRO with respect to breaches falling within the scope of law 4990/2022, while those employing fewer than 50 employees may designate an IRO. Where no such officer is appointed, a report may be submitted to the National Transparency Authority.

Private sector entities operating in the fields of financial services, products and markets, transport and the environment, as well as entities operating under decisions approving environmental terms, or whose activities by their nature may pose risks to the environment and public health, are required to designate an IRO, irrespective of the number of employees they employ (see also 1. Opening an HR Internal Investigation for further details).

Reports may be made either internally to the IRO or externally to the National Transparency Authority.

According to Article 18 Law 4990/2022, any form of retaliation against the reporters is prohibited, including threats and acts of reprisal.

The following forms of retaliation are, in particular, prohibited:
• suspension, dismissal, or any equivalent measure;
• demotion, omission or withholding of promotion;
• removal of duties, change of workplace, reduction in wages, change in working hours;
• withholding of training;