On October 9, 2024, the Office of the Commissioner for Personal Data Protection (the Commissioner) published an announcement regarding the submission of an external report to the competent authority by a whistleblower under Article 14 of the Law on the Protection of Persons Reporting Breaches of Union and National Law of 2022 (Law No. 6(I)/2022).

Competent authority

The Commissioner outlined that it is the competent authority for the examination of reports concerning infringements in accordance with the provisions of the General Data Protection Regulation (GDPR) and Article 107 of Law 112 (I)/2004, which transposed the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive).

Conditions for the protection of whistleblowers

The Commissioner confirmed that the whistleblowers are protected under Law No. 6(I)/2022 if the following conditions, among others, are fulfilled:

• the whistleblower falls under one of the categories of persons referred to under Articles 5 and 32 of Law No. 6(I)/2022;
• the information concerns violations of national or European legislation referred to in Articles 4 and 31 of Law 6(I)/2022;
• the whistleblower had reasonable grounds to believe that the information regarding violations they reported was true at the time of the report and that it falls within the scope of Law 6(I)/2022;
• the report was made internally through the internal reporting channels, externally to the competent authority, or made via a public disclosure; and
• the information must not have been given in violation of the rules for the protection of classified information, legal or medical confidentiality, the confidentiality of judicial meetings, and the rules of criminal procedure, or access to it and its disclosure does not constitute a criminal offense.

External reporting channel

The Commissioner provided contact details for external reporting:

• telephone: +357 22 818501;
• email: [email protected];
• postal address: Kypranoros 15, 1061 Nicosia or P.O. 23378, 1682 Nicosia - report to be marked 'confidential;' and
• arranging an in-person meeting.

Report handling process and type of monitoring

The Commissioner described the process of handling the report, starting with the receipt and confirmation of the receipt within seven days, followed by the follow-up of the report, a notification with the results of the investigation of the report, and finally the transmission of the report by the Commissioner to the competent authority.

Privacy policy and processing of personal data

The Commissioner outlined specific circumstances when the whistleblower's confidential information may be disclosed, including in the context of civil or criminal proceedings, necessary and proportionate disclosure imposed by EU or national law, and in the context of the right to be heard of the person referred to.

In particular, the Commissioner included information on its processing of personal data when handling the report and that the personal data collected in the context of reports are deleted within three months from the date of completion of the procedure.

Retaliation protection means and procedures

Finally, the Commissioner stated that the whistleblower is automatically protected from a series of actions that could be characterized as vindictive behavior or retaliation and enjoys protective measures such as:

• judicial measures to remove retaliatory behavior and claim compensation;
• protection from any civil liability;
• protection measures in case of testimony as a witness; and
• employer's obligation to remove and not repeat the retaliation, as well as to remove its consequences.

You can read the press release, only available in Greek, here.