Answer given by Mr Reynders on behalf of the European Commission

Transparency and accountability are key principles under the General Data Protection Regulation (GDPR)[1] and have to be ensured for all processing of personal data. Controllers, i.e. organisations determining the purposes and means of processing operations, have to be transparent about their processing activities (Articles 12 to 14 GDPR).

Controllers may rely on external parties acting as processors (Article 28 GDPR). In that case, they must bind the processor with a contract or other legal act meeting the requirements of GDPR.

Supervising and enforcing compliance with GDPR falls within the competence of national authorities, in particular data protection authorities and courts, without prejudice to the European Commission’s competences as guardian of the Treaties.

Whether particular processing operations by or on behalf of the Greek authorities comply with the GDPR is therefore for the Greek data protection authority and the Greek courts to assess. The Commission understands that the Greek data protection authority has opened an own-volition inquiry into the use of Palantir on 18 December 2020.

On a more general level, the Commission adopted a recommendation[2] to support exit strategies through technology. The EU Toolbox[3] and the related Commission guidance[4] recommend fully privacy-compliant and interoperable contact tracing and warning apps.

Member States, supported by the Commission, have also focused on the interoperability of these apps, agreeing on guidelines and technical specifications for interoperability. At the invitation of EU Member States, the Commission has set up an EU-wide system to ensure interoperability of EU contact tracing apps based on decentralised systems[5].

• [1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
• [2] C (2020) 2296 final. Recommendation on a common Union toolbox for the use of technology and data to combat and exit from the COVID-19 crisis: https://ec.europa.eu/info/sites/info/files/recommendation_on_apps_for_contact_tracing_4.pdf
• [3] EU toolbox on mobile applications to support contact tracing in the EU's fight against COVID-19: https://ec.europa.eu/health/sites/health/files/ehealth/docs/covid-19_apps_en.pdf
• [4] Communication from the Commission Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection of 16.04.2020, available at: https://ec.europa.eu/info/sites/info/files/5_en_act_part1_v3.pdf
• [5] https://ec.europa.eu/health/ehealth/covid-19_en