GDPR and lawyers: 35 points of the Draft Code of Conduct
Originally published: www.taxheaven.gr (in Greek)
Date: 23/11/2020
Republished: www.analuseto.gr (in Greek)
Date: 23/11/2020
Aimilios Koronaios
Attorney at Law
LL.M. (Aberdeen), LL.M. (Athens)
On October 5, 2020, the Draft Code of Conduct for the processing of personal data by lawyers, law firms and bar associations (Draft Code) was put up for public consultation, following a decision of the Coordinating Committee of the Plenary Meeting of the Presidents of Greek Bar Associations. The purpose of the Draft Code is to adapt and specify the rules, principles and obligations of the General Data Protection Regulation (GDPR) and implementing Law 4624/2019 in the context of the exercise of the profession of the lawyer (article 1 par. 1). The consultation on the Draft Code was completed on October 31, 2020. The next steps are to take into account the comments of the consultation (33 comments) and forward it to the Greek Data Protection Authority (DPA) for approval, as provided for in Article 40 GDPR.
The Draft Code consists of 32 articles structured in 6 sections. Leaving aside the provisions of the relevant legislation reproduced in its text, in particular the GDPR, as well as the section on the processing of personal data by bar associations (articles 23-28), we collect 35 points in which a significant part of the goodwill of the Draft Code for lawyers and law firms is found. Short titles, which are not part of the Draft Code, have been given to these points for ease of reference.
It is noted that this article is for informational purposes only and does not assess the rules to be adopted.
A. General Provisions (articles 1-3)
Point 1: Lawyers / law firms as controllers
The Draft Code applies to lawyers and law firms that are controllers (article 3 par. 1-2). Lawyers who, while employed in law firms, undertake mandates and manage cases independently, are controllers in respect of these cases (article 3 par. 3). Lawyers who are employed under a paid mandate scheme according to article 42 of the Lawyers’ Code are not responsible for the processing of personal data in the context and for the purposes of the execution of the paid mandate (article 3 par. 4).
Point 2: Data processing related to the profession of the lawyer
Processing of personal data means in particular any processing relating to the profession of the lawyer, as described in article 36 of the Lawyers’ Code. Indicatively, it includes the representation and defense of the principal before any court, authority or service or extrajudicial institution, the provision of legal advice and opinions and the participation in Greek or international bodies (article 3 par. 6).
Point 3: Processing of data of specific persons
The Draft Code governs the processing of personal data concerning persons associated with the provision of the respective legal services, such as principals, parties, witnesses, experts, technical advisers, lawyers of opponents, judiciaries, prosecutors and clerks, bailiffs, notaries, land registrars (article 3 par. 7). The Draft Code does not apply in relation to the processing of personal data of persons engaged by a lawyer / law firm under an employment or work contract (article 3 par. 9).
B. General principles of personal data protection (articles 4-9)
Point 4: The performance of a contract as a legal basis and information
In respect of the legal basis of the performance of a contract, it is explicitly provided that the mandate contract includes the conditions under which the processing is carried out and the necessary information of the data subjects in accordance with the provisions of the GDPR (article 4 par. 2).
Point 5: Compliance with a legal obligation as a legal basis
In respect of the legal basis of compliance with the obligations imposed by the respective legislation, indicatively, the tax legislation, the legislation regulating the exercise of the profession of the lawyer and the legislation for the fight against money laundering are mentioned (article 4 par. 3).
Point 6: The overriding legitimate interests
In respect of the legal basis of the overriding legitimate interest, indicatively, the recognition, exercise and defense of a right, especially before a court, arbitral tribunal, disciplinary body and mediation mechanism are mentioned as legitimate interests (Article 4 par. 6).
Point 7: Consent as a legal basis
In respect of the legal basis of consent, consent is recommended to be provided, in principle, in writing or by electronic means, in so far as the identification of the person who consents and the authenticity / integrity of the electronic document / declaration is ensured (article 5 par. 3). For the purposes of proving the consent, a record of consent statements is provided in such a way that the identity of the person who consented, the existence of information before the consent, the manner of obtaining the consent and the time of its provision are unequivocally and clearly stated (Article 5 par. 4).
Point 8: Purpose of processing personal data
The processing of personal data by lawyers and law firms aims to support the provision of services / work undertaken by lawyers / law firms in the context of the mandate assigned to them and in general the exercise of the profession of the lawyer (Article 6 par. 2).
Point 9: Data processing in another trial
Lawyers / law firms may not process personal data collected, processed or held in the context of and for the purposes of a mandate and / or legal service for non-related purposes, in particular in the context of another trial, unless the data concern the same principal, who has been informed and has given his/her consent, or the same opponent in a related case against the same principal or in a non-related dispute between the same parties, where the use of the data may have legal effects in favor of the principal (article 6 par. 3 ind. 5).
Point 10: Professional promotion and principals’ data
It is not allowed to refer to personal data of data subjects, especially principals (clients) for the purpose of the professional promotion of lawyers / law firms, in accordance with the provisions of article 40 of the Lawyers’ Code, unless the persons concerned have provided their explicit consent, having previously been informed (article 6 par. 5).
Point 11: Research or writing activity and principal’s data
It is not permitted to refer to personal data of data subjects, such as principals or other actors in the proceedings, including data enabling the identification of such persons, within the framework of the lawyers’ research or writing activities, unless the data subjects have provided their explicit consent, after being previously informed (article 6 par. 6).
Point 12: Use of data from another case file
Lawyers / law firms undertake not to use personal data contained in documents, evidence, etc. which is part of another case, without the prior information and consent of the data subjects (article 7 par. 6).
Point 13: Ensuring the accuracy of the data
In order to ensure the accuracy of the data, in the case of personal data concerning the principals of the lawyers / law firms or furnished by the principals, the provision of a relevant assurance by the principals in respect of their accuracy is foreseen as a mandatory procedure (article 8 par. 3).
Point 14: Data retention time
Lawyers / law firms may retain personal data beyond the time required to fulfill the original processing purpose for the purposes of establishing, exercising and upholding legal claims. In any case, the retention period will not exceed twenty (20) years from the time at which the lawyers / law firms would have to delete the data due to the fulfillment of the original purpose (article 9 par. 3).
C. Rights of data subjects (articles 10-16)
Point 15: Informing the opponent of the principal
In the case of personal data concerning the opponent of the principal, no obligation to inform the data subject exists for the lawyer / law firm, the lawyer’s obligation of fidelity to his/her principal prevailing, subject to the application of the relevant procedural rules (article 10 par. 8 ind. b).
Point 16: Right of access of the principal’s opponent
In the case of personal data relating to the opponent of the lawyer’s / law firm’s principal, the data subject’s right of access may not be satisfied, the lawyer’s obligation of fidelity to his/her principal prevailing, subject to the application of the relevant procedural rules (article 11 par. 9 ind. 2).
D. Obligations of lawyers / law firms (articles 17-22)
Point 17: Carrying-out of a data protection impact assessment
The lawyer / law firm is not required to carry out a data protection impact assessment of the processing of personal data (article 18 par. 1).
Point 18: Carrying-out of a data protection impact assessment and opinion of data subjects
If a data protection impact assessment is deemed necessary due to the nature of the lawyer profession, the commitments to which lawyers / law firms are subject and the different categories of data subjects whose data are processed by lawyers / law firms, the latter are not obliged to request the opinion of the data subjects on the planned processing (article 18 par. 3).
Point 19: Appointment of Data Protection Officer
The lawyer / law firm appoints a Data Protection Officer if the former’s main activities consist of large-scale processing of special categories of personal data and data related to criminal convictions and offenses. To determine whether processing is large-scale, the following must be taken into account: a) the number of subjects involved, either as a specific number or as a percentage of the population, b) the volume and breadth of the data, c) the duration or permanent nature of the processing and d) the geographical extent of the processing (article 19 par. 1).
Point 20: Duties of Data Protection Officer
The Data Protection Officer has, inter alia, the following duties: a) proposes to the lawyer / law firm personal data protection measures and policies, b) cooperates with the lawyer / law firm regarding the distribution of work to the personnel, within the framework and to the extent that it concerns the processing of personal data, as well as the education and training of the personnel involved in the processing of personal data, c) carries out checks regarding the compliance of the lawyer / law firm, their personnel, their associates as well as any processors with the GDPR, national legislation and the Draft Code, d) undertakes the coordination and management of responses to security incidents related to personal data (e.g. unauthorized access or disclosure), e) is informed of the requests of the data subjects regarding the exercise of their rights and undertakes the management of the response to them (article 19 par. 2).
Point 21: Access of Data Protection Officer
The Data Protection Officer has access to all files, electronic and manuscript and to all systems, if and to the extent they are related to the exercise of his/her duties, in terms of the protection of personal data in the context and for the purposes of practicing law and related activities (article 19 par. 3).
Point 22: Appointment of Data Protection Officer
The appointment of the Data Protection Officer is made in writing, via conclusion of the relevant contract or internal decision. The relevant act of appointment specifies the position, the duties and the way they are exercised by the Data Protection Officer. The appointment is made for a fixed period of time and can be renewed (article 19 par. 5).
Point 23: Accountability of the Data Protection Officer
The Data Protection Officer is accountable directly to the lawyer / managing partners of the law firm (article 19 par. 6).
Point 24: Data Protection Officer and obligation of confidentiality
The Data Protection Officer is bound by an obligation of confidentiality, taking into account the obligations of legal professional privilege in so far as the Data Protection Officer is a lawyer. He/she must not communicate or disclose to any third party facts or information which came to his/her knowledge during the performance of his/her duties or on the occasion of them, and must generally maintain absolute confidentiality regarding the performance of his/her duties, in accordance with the applicable legislation. These obligations continue to apply after the end of his/her appointment as Data Protection Officer. Any special confidentiality obligations of the Data Protection Officer are imposed / provided for in the act of his/her appointment (article 19 par. 7).
Point 25: Trainee lawyers and compliance with security measures
Trainee lawyers are obliged to comply with security measures, especially with regard to the confidentiality and integrity of personal data (article 20 par. 3).
Point 26: Associates and confidentiality clauses
Without prejudice to the legal professional privilege and the commitments arising from it, the lawyer / law firm binds his/her associates, especially those who are not lawyers, with confidentiality / secrecy / privacy clauses (article 20 par. 4).
Point 27: Taking physical, organizational and technical safety measures
The lawyer / law firm shall take physical, organizational and technical security measures, in particular to classify and control access to processing procedures and files (archiving systems) containing personal data, the safe keeping and deletion / destruction of personal data and the mediums in which they are kept / stored and their safe transmission (article 20 par. 5).
Point 28: Response plan to breach incidents
The lawyer / law firm shall adopt all measures to enable the timely diagnosis / detection of any personal data breach. The lawyer / law firm shall prepare a response plan in cases of personal data breach (article 20 par. 6).
Point 29: Breach incident and risk
In respect of a breach incident and the obligation to notify it, in order to assess the likelihood of occurrence of the risk and the severity of such risk of the breach, the following shall be taken into account, inter alia: a) the nature, volume and category of personal data; b) the possibility of identifying the data subjects affected by the breach; c) the seriousness of the effects / consequences of the breach on the data subjects; d) the qualities and special characteristics of these subjects (e.g. accused, witnesses, minors) and their number (article 21 par. 3). Risk to the rights and freedoms of data subjects is presumed to be caused in cases where the personal data breach may cause any physical, material or moral damage to natural persons, such as in the following cases: risk of disclosure of data, risk to the life and integrity of data subjects, identity theft, insult to the honor and personality, serious financial harm or harm to the legal interests of the data subject, loss of confidentiality of personal data protected by professional secrecy or other secrecy which is provided for in the legislation (article 21 par. 4).
Point 30: Data breach attempt
In case of a personal data breach attempt, there is no risk to the rights and freedoms of the data subjects and, therefore, the notification of the breach to the Greek DPA is not required (article 21, par. 5).
Point 31: Notification of breach and compliance with forms
For the purposes of notifying the breach of personal data to the Greek DPA, the lawyer / law firm must comply with the standards / forms / guidelines adopted by the Greek DPA (article 21 par. 7).
E. Implementation of the Draft Code (articles 29-32)
Point 32: Code of Conduct Implementation Committee
The Bar Association, by a decision of the Plenary Meeting adopted on a proposal of the President, appoints a Code of Conduct Implementation Committee for the protection of personal data. The task of this Committee is, inter alia, to monitor the implementation of the Draft Code and to receive complaints, reports and accusations regarding the non-compliance of lawyers / law firms. With regard to complaints, the Committee forwards them to the competent disciplinary body and issues an opinion, if requested (article 29 par. 2).
Point 33: Violation of the provisions constitutes disciplinary misconduct
Violation of the provisions of the Draft Code constitutes disciplinary misconduct (article 30 par. 1).
Point 34: Out-of-court settlement of relevant disputes
The bodies that fall under the scope of the Draft Code shall seek the out-of-court settlement of disputes between controllers and data subjects regarding the processing of personal data by resorting to the flexible dispute settlement / mediation process of Law 4512/2018 (article 31 par. 1).
Point 35: Entry into force
The Code of Conduct will enter into force from its publication on the official website of the Greek DPA and from that date its provisions will be binding on the persons falling under its scope (article 32 par. 1).