GREECE Law and Practice Contributed by: Angela Livgieri, Danai Panopoulou and Iliana Andronou, ALG Manousakis Law Firm
A Data Protection Impact Assessment (DPIA) (GDPR art. 35) is mandatory if the processing of personal data is likely to result in a high risk to individuals’ rights. For example, this will be the case if:

• there is large-scale processing of special categories of data;
• there is involvement of high-risk data processing; or
• there are systematic and extensive processing activities, including profiling.

Adherence to data protection principles such as the data minimisation and purpose limitation principles is required, as the database should only contain the minimum amount of data necessary for the specific purposes for which it was created (Articles 5-11 GDPR).

Appropriate security and access controls (eg, encryption & pseudonymisation, access restrictions, data retention policies, and rules to protect data from unauthorised access, breaches, or leaks) must be implemented.

The appropriate legal basis must be assessed (as per Articles 6 & 9 of the GDPR for plain and special categories of personal data such as health-related).

It is essential to provide relevant information to the individuals involved. This information should include the purposes for processing their data, the identity and contact details of the data controller, any recipients or categories of recipients who will receive the personal data, and the privacy-related rights of the individuals, among other necessary details.

If third parties access the database, data processing agreements must be executed, along with Standard Contractual Clauses (SCCs), as applicable for international transfers.

In case the database involves automated processing of personal data, prior consultation with the Hellenic Data Protection Authority (HDPA) may be required. The HDPA may also review international data transfers or secondary uses of the data.

3. Marketing Authorisations for Pharmaceuticals or Medical Devices

3.1 Product Classification: Pharmaceuticals or Medical Devices

The process for classifying a product as either a pharmaceutical or a medical device depends on its intended use, primary mode of action and composition. The primary distinction is their mode of action. Pharmaceuticals exert their effects through chemical or biological mechanisms, while medical devices operate primarily via physical or mechanical means.

Pharmaceuticals

Pharmaceuticals are governed by Directive and relevant national laws, such as Legislative Decree 96/1973 and Law 1316/1983 in Greece. The approval process for pharmaceuticals involves submitting an application to the regulatory authority (EOF in Greece), including information about composition, manufacturing standards, and pharmacovigilance practices. Once approved, marketing authorisation holders (MAHs) must comply with stringent post-marketing obligations, including pharmacovigilance reporting.