Contributed By Nikolinakos & Partners Law Firm
Despite the widespread use of cloud computing, there is no specific and uniform legislation set out to regulate it within Greece or the EU. Instead, certain European-level legislative acts partly fill this void by regulating aspects of cloud computing services, such as data protection and cybersecurity. The E-commerce Directive (Directive 2000/31/EC), which was transposed into Greek legislation by PD 131/2003, is applicable to cloud services. However, several problems remain with regard to dispute resolution and applicable law based on the geographical location of the entity.
Cloud and Personal Data
In Greece, personal data protection in cloud services is regulated by the EU's General Data Protection Regulation 2016/679 (GDPR), along with the local implementation Law No 4624/2019, which introduces specific criminal penalties for illegal processing of personal data, in addition to the administrative penalties under the GDPR.
According to the GDPR, the parties involved in cloud services are obliged to provide transparency on the purposes of data processing, to ensure that data subjects can exercise their rights to information, correction and deletion, and to clearly identify the roles of data controllers and data processors. The latter appears to be particularly challenging in the field of cloud computing, with great variations between B2B and B2C cases. In B2C cloud services, the cloud provider is usually the data controller collecting and processing personal data relating to end-customers; in B2B, the business customers are considered the data controllers and the cloud providers act as data processors, even though the business customers do not have full control of the infrastructure used for the processing.
In compliance with the GDPR, cloud providers are also required to use suitable technical solutions, to ensure the appropriate level of security depending on the nature of data processed, to have in place mechanisms for data breach notifications and not to transfer this data to third parties except if an adequate level of data protection is proven to be in place.
In Greece, the legal framework for cybersecurity applicable to cloud providers offering computing services is Law No 4577/2018, which transposes the Network and Information Security Directive 2016/1148/EU (NIS).
Law No 4577/2018 imposes certain obligations on businesses, such as the adoption of technical and organisational measures for the security of networks and information systems; for the prevention and minimisation of the impact of security-related incidents; the notification of the National Cybersecurity Authority and the Hellenic Data Protection Authority of incidents with a serious impact on business continuity and the co-operation with the competent authorities.
Finally, Act No 3674/2008 contains the obligations of network operators and electronic communication service providers in terms of network security, decryption, system and supervision.
Other provisions relevant to confidentiality of communications concern the criminalisation of the various acts of unlawful interception and further use of unlawfully acquired communications data (see Articles 370–370D of the Greek Criminal Code) and the prohibition of using such unlawfully acquired evidence in the criminal procedure (see Article 177 of the Greek Code of Criminal Procedure).
Use of the Cloud in Regulated Sectors
As far as the public administration sector is concerned, the General Secretariat of Public Administration Information Systems of Greece (GSIS) has created cloud (g-cloud – government cloud) infrastructures, which can be used by government agencies to host their information systems. Law No 4623/2019 and Law No 3979/2011 (the “e-governance” law) have been implemented to this end, requiring public administrations to acquire computer programs after conducting a particular market evaluation on cloud providers and other software solutions.
From a financial services point of view, sector-specific frameworks on the use of cloud services are included in Act No 2577/2006 and Act No 2597/2007 of the Governor of the Central Bank of Greece on internal control and privacy systems for the banking sector, as well as in Law No 3431/2006 and Law No 2472/1997, to the extent that they do not conflict with the GDPR.
There have been numerous initiatives on the EU level, aiming at promoting the use of blockchain technology for the purpose of achieving the goal of a "digital single market". At the national level, in 2018 Greece signed a joint declaration with six other EU member states (France, Spain, Italy, Cyprus, Portugal and Malta) concerning the promotion of blockchain technology.
Risk and Liability
Blockchain technology does not interfere with the process of concluding the agreement, which takes place prior to the use of the blockchain platform. Instead, it is for the purpose of fulfilling the mutual obligations under the agreement that the parties involved may choose to make use of blockchain technology. As a result, the use of blockchain technology depends on the will of the parties and constitutes the means through which the objective of the contract will be met. A typical example could be a service/work delegation contract concerning the development of a secure pilot document registration and verification system on the basis of the blockchain methodology.
As a result, such a contract is subject to the rules governing agreements concluded under private law. Contractual clauses shall principally identify the type and extent of the risk and liability to be undertaken by the parties involved. Such a risk allocation may be freely chosen by the contracting parties among the options offered by the national commercial law on the grounds of freedom of contract; blockchain per se will be inevitably and profoundly governed by this determination that should further entail specific clauses targeting its operation in technical terms.
Intellectual property rights, in particular copyright, may be acquired for the creation of a work embodied in blockchain technology such as the source code, the preparatory design material and the database itself on the grounds of the original selection or arrangement of its content. In that case, a database may be qualified, under national copyright law, as the author’s own intellectual creation. However, the protection afforded does not extend to the contents of the database per se. In addition, patent rights may be also sought.
In terms of copyright, the most crucial aspect is the determination, through explicit contractual clauses, of the issues of ownership, transfer and license of the economic rights over a work, and foremost of the right to use the work at issue and proceed to acts of economic exploitation. Where such an agreement is not expressly stated, the presumptions provided under the Greek Copyright Act are applicable; for instance, the economic right in a computer program created by an employee in the execution of the employment contract or in accordance with the instructions of the employer, shall be ipso jure transferred to the latter unless otherwise provided by the contract.
Moreover, blockchain may significantly contribute to the achievement of a high level of protection. Blockchain is an effective medium through which proof of authorship may be achieved or, at least, be significantly facilitated through the provision of a certain date. Blockchain technology, in conjunction with "smart contracts", may prove valuable in copyright management, further entailing the control over unauthorised uses of copyright-protected content, as well as ensuring the effectiveness of the authors’ reward through innovative, transparent and accurate methods.
Blockchain has also been considered a tool for the digital exhaustion of rights. It is true that the clearance of rights and the identification of the holder of rights over a work remains, in many cases, a difficult task (due to the absence of relevant records and/or databases). In addition, collecting societies are bound by strict obligations that refer not only to the distribution of the amounts due to right-holders but also to their obligation to achieve and retain a high standard of governance, transparency, accountability, reporting and financial management. In this regard, blockchain could benefit both copyright and related rights-holders (by means of a complete and accurate database through which distribution could take place even in real time and in differentiated levels) and users (facilitating the payment of the compensation due for the use of protected content, while also providing for legal certainty and transparency).
The question of whether distributed ledgers can be reconciled with the GDPR has emerged during the past few years. Conflicts arise due to the decentralised nature of the data entered into a blockchain – contrary to the GDPR’s underlying presumption of a data controller as at least one natural or legal person – and to the immutable character of such a chain, which ensures data integrity and increases trust in the network, but runs contrary to the GDPR’s presumption that data can be modified and erased where necessary. A number of policy options have been proposed by the European Parliament in order to explore the opportunities offered by new technologies. Moreover, the data that may be entered into a blockchain concerns, on one hand, the identification of participants and secondary users, and, on the other hand, the complementary data registered within a given transactional framework.
The case-by-case analysis suggested shall consider a number of crucial issues, such as the choice of jurisdiction and special conditions introduced by Law No 4624/2019 concerning, indicatively, minor consent, the lawfulness of employees’ consent, and the interrelation of personal data processing with freedom of expression and information.
The general rules applicable to other technology-related services and transactions apply mutatis mutandis to this field. Such service level agreements shall incorporate terms on the subject matter of the service provided; on the users’ rights (such as the extent of access), duties (ie, confidentiality) and liability in the case of a breach of the contract; and on the role of the service providers, as well as of any other person participating in the transaction at issue, given the need to determine in advance, and in a clear and unambiguous manner, the consent of the parties involved as regards risk allocation and liability. Other issues to be covered are those of technical support, of the interrelation between the agreement concerning the use of blockchain technology per se and other contracts (to which blockchain is attached), as well as of the application of the general service commitment to blockchain, especially in the case of the latter’s unavailability, suspension or termination.
The mandatory rules applying under differentiated national regimes should be taken under consideration, further complemented by regional law – for example, Regulation (EC) No 593/2008 on the law applicable to contractual obligations (Rome I). Moreover, parties are encouraged to adopt a specific clause on alternative dispute resolution. In any case, procedural law is also relevant, concerning the issue of evidence, since blockchain may have specific implications on the relevant taking of evidence as being related to the proof of titles of ownership, transactions, of the certain date on which factual circumstances had taken place, etc.
Businesses planning to run big data projects processing personal data in Greece need to consider the GDPR and Law No 4624/2019 and are required to ensure a high standard of personal data protection, while also using fully anonymised data sets, which do not fall within the scope of the GDPR.
As regards the use of non-personal data, businesses should take note of Regulation 2018/1807 on the free movement of non-personal data, which entered into force on 28 May 2019. It introduces the principle of the free flow of non-personal data across borders and prevents countries from setting barriers (eg, data localisation restrictions) that unjustifiably force data to be held exclusively within national territory.
Developments are expected in Greece concerning open data and public sector information. The Greek Code on Access to Public Documents and Data implements EU legislation on the re-use of public sector information, establishing the principle of availability of public administration information, in accordance with which citizens have the right to immediately access and reuse public information. An amendment to national legislation is imminent, as a new Directive governing the topics of open data and the re-use of public sector information (Directive (EU) 2019/1024) is to be transposed into national legislation by 17 July 2021.
Artificial Intelligence (AI) and Machine Learning (ML)
Since AI systems analyse vast amounts of data in order to function and improve their performance, whenever personal data forms part of the large pools of data used in an AI system’s algorithmic decision-making process, this activity must be in compliance with Law No 4624/2019 and the GDPR.
Data subjects have the right to object to decision-making based solely on automated processing, including profiling. Where such decision-making exists, meaningful information about the logic involved in the process, as well as its significance and its envisaged consequences, ought to be provided to the data subjects.
The Greek Civil Code sets out five conditions that need to be fulfilled in order for tortious liability to be attributable to a party:
It is apparent that where a system operating in the spectrum of autonomy causes damage, a number of these conditions are challenging to substantiate, particularly determining a party’s fault and the causal link between the human behaviour and the damage that occurred.
In addition, all AI technologies in Greece ought to meet the essential health and safety requirements laid down in the EU safety legislation, as it has been transposed into Greek law, such as Directive (EC) 2006/42 on machinery (the safety legislation applicable to robots), Directive 2014/53/EU on radio equipment (which applies to all products that use the radio frequency spectrum, including embedded software), and Directive 2001/95/EC on general product safety (which aims to ensure that only safe consumer products are placed on the market).
The EU product liability regime is complementary to that of product safety. It was introduced by the Product Liability Directive (D 85/374/EEC) and was implemented by amendments to the Greek Consumer Protection Law No 2251/1994. The existing framework is also applicable to new digital technologies. The Greek Consumer Protection Law establishes a strict liability regime under which producers of defective products are held liable when such products cause damage to natural persons or their property, while the injured consumers are not required to prove the fault of the producer.
So far, the current legal framework of extra-contractual liability can be applied to damages caused by robots or AI. However, as the new generation of AI edges closer to operational autonomy and behavioural unpredictability through its capacity to analyse and learn from its environment, the legal responsibility arising from its harmful actions is bound to present a point of contention across most jurisdictions, as the natural person at fault for damage caused by an AI system will become increasingly difficult to identify.
In the absence of a specific tortious liability regime covering advanced AI, it is recommended that businesses and organisations that aim to operate in the nascent AI scene in Greece act in a proactive manner through contractually regulating liability for such systems and investing in insurance coverage.
Greek Copyright Law (Law No 2121/1993) is human-centric, as it is traversed by the “principle of truth” according to which only a natural person shall be considered as the author of a work.
As regards computer programs, their copyrightability depends on whether they can be considered the “author’s own intellectual creation”. This prerequisite is fulfilled where the author made “free and creative choices” while creating the work. Therefore, it is evident that devices cannot be recognised as “authors”, and subsequently any work they produce cannot qualify as copyright-protected content. Computer-generated and AI works may only be protected if the prerequisite of “human intervention” is fulfilled (ie, through the selection of the data to be entered into a machine or of the parameters determining the objective of the machine’s activity); inversely, works autonomously and exclusively produced by information technology systems are not copyrightable. Accordingly, non-humans are excluded from the relevant scope ratione personae.
There are two cases where the national legislator recognises legal persons as potential copyright holders over a work: the first concerns computer programs and the second refers to databases where it is clearly provided that the maker of a database enjoying the sui generis right over its content is either the natural or the legal person taking the initiative and bearing the risk of the “substantial investment”.
Moreover, computer programs are also excluded from patentability according to Law No 1733/1987. The legal definition of the invention for which patent protection may be sought (including inventions embodied in software), requires novelty, inventive activity and susceptibility of industrial application.
Finally, a copyright reform was established at EU level under Directive 2019/790/EU, providing for new exceptions concerning text and data mining, which has not yet been transposed into Greek legislation.
For all these reasons, and on the basis of the absence of a tailor-made legal framework, it is highly recommended that the issues of ownership and transfer of rights in such work, as being specifically related to their further use and economic exploitation, are regulated by contract law by the means of appropriate and detailed contractual clauses.
The Internet of Things (IoT) has been considered as the new digital revolution. The main areas of the IoT’s applicability relate to the notions of the "smart home", "smart cities" and "smart industry"; in all cases, the IoT entails two key actors, technology providers and end-users.
The two main areas in relation to which the establishment of high technical standards is considered necessary are the protection of personal data and security. The first area of interest derives from the large amount of data generated, collected and combined by the IoT, while the second is related to applications that may be subject to severely damaging security threats.
In regard to the sale of IoT devices and in the absence of a tailor-made regime, the traditional national rules on the seller’s liability, guarantees, etc, are applicable. In Greece, end-users as consumers are protected under the consumer protection law. Of further relevance are the legal provisions concerning the import and distribution of products (covering, for instance, the interference of a commercial agent or the conclusion of an exclusive distribution contract).
The main objective pursued under the IoT technology is to offer end-users an enhanced control over differentiated devices by means of a connectivity network. As a result, the providers of connectivity services (primarily, wireless networks) must comply with numerous rules provided by the EU and national law. In particular, electronic communications, networks and devices are covered by the European Electronic Communications Code (EECC) (implemented in Greece by Law No 4727/2020), the roam-like-at-home rules established in 2017 under the respective regulation, and the 2002 e-Privacy Directive (implemented in Greece by Law No 3471/2006) that introduced new rules for privacy in the digital age.
Data Privacy and Cybersecurity
With regard to IoT technologies, the principle of data protection by design and by default is crucial. Moreover, the techniques promoted by the GDPR on data anonymisation, pseudonymisation and encryption are considered to encourage the use of IoT in conjunction with the use of other complementary tools such as data protection certifications and data protection impact assessments.
The greatest challenge the IoT faces is its full compliance and compatibility with security, liability, privacy and data protection law, the objective of which lies in the enhancement of transparency, in the verification (and liability) of the data controller, in the restriction of indiscriminate collection, processing and overall use of personal data, in the rights afforded to data subjects, as well as in the periodical inspection of all the relevant procedures.
With respect to cybersecurity, the Ministerial Decision harmonising the Greek regulatory framework with the NIS Directive was issued in October 2019, in execution of Law No 4577/2018 (implementing the NIS Directive into national law). According to these instruments, new system security measures are required from industries operating in e-commerce and information society services, providing also for a number of sanctions in case of non-compliance.
Moreover, in terms of the relevant standards and guidelines, ETSI, the European Telecommunications Standards Institute, has released a cybersecurity standard for consumer IoT security.
According to the European Commission, the provision of data through an IoT system is considered a service. Therefore, the standard rules governing product safety and liability in cases of infringement are not applicable. On the other hand, the rules governing information service providers’ liability may be applicable, especially with regard to electronic communications, protection of personal data and the confidentiality of information (also covering copyright infringement cases), as well as the traditional contract regime.
In Greece, IT service agreements are mainly ruled by the Civil and the Commercial Code, while, as an EU member state, Greece also adheres to EU legislation.
Scope of the agreement
Although most IT service agreements take the form of software licences, some are much more complex. In many cases, the organisation procuring the IT services provides a solution including multiple components. This is important to bear in mind when drafting an IT service agreement so as to avoid any ambiguity, to explicitly describe the parties’ obligations, to include charges covering all the components and to foresee all possible risks that may lead to a breach of contract or exposure to liabilities.
Some companies prefer a customised IT solution not through a licensing model, but through a software development agreement. Other companies prefer the licensing agreement with the customisation it offers; this customisation, alongside the integration that may be required, creates a new set of provisions that need to be included in the agreement, especially referring to timelines, failures, rectifications and quality controls.
Recipient of the IT service (B2B and B2C)
A significant factor to consider is whether an IT solution will be ultimately addressed to other businesses (B2B) or to consumers and individuals (B2C). In the first case, contracts between professionals are generally ruled by the parties’ freedom of contract. In the second case, however, apart from the Greek applicable law, an elaborate body of consumer laws is in place, primarily driven by EU initiatives and instruments, prohibiting unfair terms, abusive clauses and under-negotiated clauses.
Service Level Agreements (SLAs) must be carefully drafted to include such items as the availability uptime, back-ups, disaster recovery, schedules of maintenance, and support means and response times, while taking into account the continuity of the business and the possibility of termination of the agreement.
Dispute resolution mechanism
In Greece, alternative dispute resolution mechanisms have not hitherto been dominant, but they now appear to be gaining ground.
IPR warranty and indemnities
One of the clauses that has been traditionally included in almost all software and IT-related agreements, on the IPR warranty and the provision of indemnity from the original provider, remains a necessity today, even in cloud computing agreements. The risk of a third party claiming ownership of software licensed to the organisation and thus prohibiting use of the licensed software and interrupting the business continuity is still present and should be taken into account for indemnity provisions.
All software and IT services or IT-related agreements include clauses that limit the liability of the provider. Drafting an IT service agreement must therefore include back-to-back provisions, which fully cover intermediary parties (in cases of B2B) and end-customers (in cases of B2C) against the original provider of the IT service. A clause of major importance is the one setting a liability cap for the provider – this cap is usually a multiple of the contract value.
From a judicial point of view, in B2C agreements, clauses that extensively limit the liability of the professional against the consumer – especially if they have not been negotiated – are usually considered abusive and, thus, null and void. On the other hand, in B2B agreements, where the parties usually demonstrate similar bargaining power, the freedom of the parties prevails, unless one party has acted maliciously or in a grossly negligent manner, or has acted without previous experience and knowledge of this type of agreement, thus demonstrating a disadvantage in bargaining.
The Greek Data Protection Regime
In Greece, the data protection regime is primarily set out in the General Data Protection Regulation 2016/679 (EU) (GDPR) and Law No 4624/2019. Moreover, while the e-Privacy Law (Law No 3471/2006) applies mainly to the electronic communications sector, certain provisions are not sector-specific, such as the provisions on unsolicited communications.
Application and Scope
The provisions of Law No 4624/2019 apply to the automated processing of personal data, in whole or in part, as well as to the non-automated processing of such data which is or will be included in a filing system, by: (i) public bodies or (ii) private bodies, unless the processing is carried out by a natural person in the context of a solely personal or domestic activity.
The provisions of Law No 4624/2019 apply to public bodies and to private entities provided that:
Distinction between public and private
Law No 4624/2019, as opposed to GDPR, makes a distinction between public bodies and private entities. The majority of its GDPR-implementation provisions refer to public entities.
Principles of Data Processing
Processing of personal data must meet the following fundamental data protection principles.
The legal basis for the legitimate processing of personal data, according to the GDPR, might be consent, performance of a contract with the data subject, compliance with a legal obligation, protection of the individual’s vital interests, performance of a task carried out in the public interest or protection of the controller’s or a third party’s legitimate interest. For special categories of data (eg, data related to health, race, political or religious beliefs) processing is prohibited, unless one of the conditions defined in Article 9 paragraph 2 of the GDPR applies (eg, explicit consent, processing necessary for preventive or occupational medicine, etc).
According to Article 21 of Law No 4624/2019, minors over 15 years old can provide consent for the processing of their data, whereas processing of data of minors under 15 years old requires the consent of the legal representative, most commonly a parent.
In its recent Decision No 26/2019, the Hellenic Data Protection Authority (HDPA) imposed a fine on a controller for invoking consent as the legal basis for processing personal data of employees, thus giving them a false impression that processing of their data depends on their consent.
Transparency and fairness
Processing of personal data must be carried out in a fair and transparent manner. Controllers must provide data subjects with clear information concerning the processing of their data. This information must be provided in a brief, easily accessible, comprehensible, clear and simple manner.
Collection and processing of personal data by controllers must be based on specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with them. Further processing for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes is not considered incompatible.
Article 24 of Law No 4624/2019 provides that the authorities may process personal data for different purposes when that is necessary for them to exercise their duties. Private entities may process data for different purposes following a request from the authorities for reasons of national and public security, if it is necessary for the prosecution of criminal offences, or for the establishment, exercise or defence of legal claims, provided these are not overridden by the interests of data subjects (Article 25 of Law No 4624/2019).
The data processed should be adequate, relevant and limited to what is necessary for the purposes of processing. Indicatively, the HDPA has issued Opinion 4/2013 and relevant official decisions restricting the processing of criminal records and providing that, if not required by law, these should be replaced by solemn declarations of employees which would only refer to convictions for specific crimes related to the main activity of the controller.
Personal data must be accurate and kept up-to-date. In this context, an immediate erasure or rectification of inaccurate data is mandatory for controllers.
Personal data should be retained for no longer than is necessary for the purposes for which it is processed. It may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, for scientific or historical research or statistical purposes subject to implementation of the appropriate technical and organisational measures.
The HDPA has defined specific retention periods (eg, Opinion 1/2011 on CCTV defining a retention period of 15 working days, without prejudice to sector-specific provisions) in certain cases where no statutory retention period is defined.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
According to the principle of accountability, controllers and processors must design their processes and technical and organisational systems so as to be able to prove before the supervisory authorities or courts that they are fully compliant with the applicable framework for personal data protection. The introduction of the principle of accountability shifts the "burden of proof" of compliance from the data protection authorities to controllers and processors. The GDPR provides controllers and processors with a range of regulatory methods and tools for this purpose, such as keeping records of processing activities, implementing security measures, conducting data protection impact assessments, etc.
International Data Transfers
The framework for the protection of personal data imposes restrictions on the transfer of personal data outside the European Economic Area (EEA), to third countries or international organisations. Personal data may be transferred outside the EEA, where the recipient of the data has provided adequate safeguards (eg, model clauses and/or binding corporate rules) or if the Commission has made an “adequacy decision” – in other words, if it has decided the country has an adequate level of protection. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
In addition, according to Article 75 of Law No 4624/2019, if the relevant requirements are met, data transfers to authorities of countries outside the EEA or to international organisations are also allowed in the context of the prosecution of criminal offences.
The HDPA has issued several decisions related to employee monitoring, involving surveillance cameras, monitoring phone calls, installing GPS systems on vehicles or portable corporate devices and on monitoring employee use of computer resources – for example, by gaining access to their documents, emails or browsing history.
The core of the assessment rests in the balance between, on the one hand, the right of economic and business freedom (Article 5 paragraph 1 of the Greek Constitution) and the employer’s managerial right and, on the other hand, the right of individuals to the protection of their personal data (Article 9A of the Greek Constitution) and of their private life and correspondence in general (Article 8 of the European Convention on Human Rights).
The GDPR defines the main provisions on processing of personal data, which also apply to employment relationships, while Law No 4624/2019 includes specific provisions on the processing of personal data by employers. In particular, Article 27 paragraph 1 provides that employee data may be processed where that is necessary for deciding on an employment contract or for its execution. As per paragraph 5, the employer takes the appropriate measures in order to make sure that the data processing is undertaken in light of the principles of Article 5 of the GDPR.
Employee consent should not be used as a legal basis for monitoring computer resources, considering that such consent can be revoked at any time and is highly unlikely to be valid and meet the criterion of being freely given, due to the unequal nature of the employment relationship. This was emphasised in the 115/2001 HDPA Guidelines regarding the processing of employee data, and has also been confirmed in decision 26/2019, which imposed a fine of EUR150,000 on an employer for requesting employees’ consent to this end, even though it had been made clear that the consent of employees would not be freely given, and also taking into account that monitoring or review of employees’ use of computer resources would have occurred even if employees had not given their consent.
In order for employers to lawfully monitor their employees’ use of computer resources, they need to demonstrate that this is necessary and proportionate to pursue their legitimate interests. HDPA decisions 43/2019 and 44/2019 analyse the conditions for legitimate processing, both concerning targeted investigations of employees’ computer resources triggered by suspicions of illegal conduct. However, in the first case the HDPA found that the processing of personal data was lawful, whereas in the second case it was not. One of the key factors that differentiated the outcome was the fact that, in the first case, clear policies were in place informing employees that private use of corporate computer resources was prohibited and that the contents of their communications and other records could be accessed by the employer; also, actions were taken by the employer to minimise the data processed. In the second case, no such policies and privacy notices were in place.
As pointed out in HDPA Decision 34/2018 and in the ECHR case Bărbulescu v Romania, the difference between constant monitoring of employees and general control over their personal data, in contrast to a specific and targeted investigation due to suspicion of illegal conduct, is critical when evaluating the legitimacy of employers’ monitoring actions. The use of the employer’s computer resources is not by itself adequate to justify the right of the employer to access or monitor the use of such resources by the employee. A clear policy is required, informing employees on whether use of computer resources for personal reasons is permitted and also clarifying if any monitoring takes place, its purposes or access by the employer and the relevant processes followed to ensure compliance with the data processing principles.
However, even when the employee has been informed that personal use is not allowed, this is not in itself a legitimate reason to justify constant monitoring without reasonable suspicion of misconduct. Prior knowledge on the part of the employee is required, as was held by the ECHR in Bărbulescu, where the ECHR opined that the employee has to be informed in advance “of the extent and nature of his employer’s monitoring activities, or of the possibility that the employer might have access to the actual contents of his communications”. The legal context differs when there are reasonable suspicions of illegal conduct by the employee. In such a case, monitoring is not general and constant; instead, it is a consequence of the reasonable suspicion of illegal actions by the employee.
Regarding the surveillance of an employee's computer use, the HDPA has stated that the employer's interest is best served by preventing the misuse of the internet rather than detecting it. The employer must inform the employee of the presence, use and purpose of any misuse detected, except in the rare case that there are important reasons justifying the continuation of covert surveillance. Instant notification of the employee can easily be achieved using software, such as warning windows alerting the employee that the system has detected unauthorised use of the network and/or has taken steps to prevent it. The HDPA is more reluctant with regard to the monitoring of employees' email: continuous monitoring is considered necessary only in exceptional cases, as opposed to targeted investigations.
It is assumed that employees have a legitimate expectation of some degree of privacy in the workplace, regardless of whether they use equipment and resources owned by the employer. However, it is important that a balance is struck between the employer’s right to operate his or her business effectively and the employee’s right to privacy.
Technology-neutrality is one of the key principles of the EU framework for electronic communications which is fully implemented in Greece. Regulatory principles apply regardless of the technology used. Regulations may impose a given technological solution only as a means to limit harmful externalities, such as radio interferences and, as a result, legal requirements in relation to network/services, devices/equipment depend on the nature of the activities undertaken and not the technology used.
Regardless of the specific technologies used to provide a network or a service, the applicability of the regulatory framework for electronic communications depends on whether the network or service falls within the scope of electronic communication networks (ECN) and/or electronic communication services (ECS). ECNs encompass all transmission systems, whether or not they are based on a permanent infrastructure or a centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, used to convey signals, operated for public or private use, including wireless networks (eg, mobile, WiFi), cable (eg, IP broadband networks) and electricity cable systems, to the extent that they are used for transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed.
ECS encompass any service normally provided for remuneration via ECNs, which include, with the exception of services providing or exercising editorial control over content transmitted using ECNs and ECSs, the following types of services:
In Law No 4727/2020, (i) the definition of “electronic communications service” was expanded to include any interpersonal communications services provided over the internet, including VoIP services, messaging apps and email services that do not use telephone numbers, and (ii) number-based interpersonal communications services (interpersonal communications services which connect with publicly assigned numbering resources, namely a number or numbers in national or international numbering plans, or which enable communication with a number or numbers in national or international numbering plans) are subject to a general authorisation.
Product/Service Prior Requirements
All electronic communication services/network providers must obtain a general authorisation for their services in the form of a declaration statement to the EETT. Electronic communications activities may commence immediately upon filing a complete registration declaration and paying the applicable administrative fees.
Radio equipment is regulated in Greece by Presidential Decree 98/2017, transposing Directive 2014/53/EU (the Radio Equipment Directive, RED). Radio equipment includes any electrical or electronic product which deliberately broadcasts and/or receives radio waves for radio-communication and/or radio-tracking purposes, or any electrical or electronic product that has to be completed with a component (ie, an antenna) so as to broadcast and/or receive radio waves for radio-communication and/or radio-tracking purposes.
According to Law No 4070/2012, as amended, and Law No 4727/2020, the EETT is the competent authority for issues concerning conditions of use and placing on the market of terminal and radio equipment. The provisions of PD 98/2017 are not applicable to radio equipment used exclusively for activities related to public security, defence, and state security.
Radio equipment has to be labelled according to PD 98/2017 – RED 2014/53/EU and must be constructed to meet the following essential requirements:
Restrictions on putting into service and authorisation of use requirements must be presented according to EU Regulation (EU) 2017/1354. No regulatory fees apply to this procedure.
Network and Service Provider Obligations
All electronic communication services/networks
The main legal framework setting the obligations of ECN/ECS providers consists of Law No 4070/2012 and secondary regulatory decisions issued by EETT, decisions of the Hellenic Authority for Communication Security and Privacy (ADAE), Law No 3471/2006 on data processing and privacy in the electronic communications sector and decisions of the HDPA, as well as Law 4002/2011 on games of chance.
All telecoms operators are obliged to obtain individual rights to use frequencies or numbers and the appropriate licences for every antenna they use. The relevant framework was reviewed with Law No 4635/2019 and EETT’s Regulation 919/26/2019.
With the exception of free spectrum bands for all wireless services, an individual right to use frequencies is required and is granted by the competent authorities upon a relevant request. In cases of limited number of rights of use of frequencies, the EETT usually awards them through auctions.
Spectrum licences and applicable secondary legislation specify the permitted use and the technical characteristics of equipment that may be used, taking into account the principle of proportionality and technological neutrality.
Licence fees: ECNS providers pay annual fees for general authorisations and for rights of use of spectrum and numbering resources.
ECNS providers are obliged to use radio equipment that allows efficient exploitation of the spectrum allocated in order to avoid harmful interference and to comply with the equipment standards established by the national and European authorities and ETSI.
Lawful interception: the right of communications privacy is established by Article 19 of the Greek Constitution. The lifting of privacy for specific crimes and subject to defined procedures and conditions is governed by Law No 2225/1994 (as amended by Law No 3115/2003 and in force) and by Presidential Decree 47/2005 which sets out procedures as well as technical and organisational safeguards. Special provisions on the lifting of privacy are also found in Law No 3471/2006 on Data Protection in the Electronic Communications Sector, Law No 3674/2008 on the enhancement of the framework on privacy of telephony services, Law No 3917/2011 on Data Retention and the Electronic Communications Law No 4070/2012, as well as the Regulation on General Authorisations. Operators are required to assist the Greek authorities to lawfully intercept telecommunications messages after the intervention of the public prosecutor by issuance of a written order, when a major crime is investigated and under the supervision of the ADAE.
Internet access providers
Internet access providers must also comply with Regulation (EU) 2015/2120, concerning open internet access and directly applicable Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the EU, as in force, and any relevant EETT delegated decision issued under this Regulation.
They also have certain obligations to set up name servers and, in particular, to configure the "time to live" (TTL) parameter of DNS records in accordance with the relevant RFCs.
In case of non-compliance, administrative sanctions can be imposed with a reasoned decision of EETT, including fines up to EUR3 million and/or suspension or revocation of the authorisation or rights of use.
The provision of television and radio services via terrestrial digital technology requires a network provider of electronic communications and a content provider. The EETT awarded the first licence for a digital television network to Digital Provider Inc (Digea). The main activity of Digea is to serve all licensed programmes under the same conditions, providing networking and multiplexing, as well as network broadcasting for any legitimate TV station wishing to use its services. In essence, Digea creates the network and transfers the content of the channels, as delivered to its systems.
In order to obtain a licence for pay-TV via cable or satellite in Greece, the filing of a petition by any company in the EU having the form of a société anonyme is required. There is no limit on the number of licences granted and there is an obligatory period within which the licence must be either granted jointly by the National Broadcasting Council (ESR) and the relevant Minister or refused.
Licensing for terrestrial pay-TV and free-to-air TV takes place through a tender/auction. Law No 4339/2015 defines the process and key conditions for awarding licences to digital terrestrial TV content providers. It specifies the extent of the investment, financial reliability, experience and existing position in the market in order to avoid concentration, as well as the kind of programmes that will be transmitted.
According to the applicable legislation (Law No 3592/2007), controlling more than one licence holder in the television or radio sector is prohibited. Everyone is allowed to participate in the ownership structure of more than one licence holder to the extent that they do not control more than one; control over a licence holder is established when an entity can substantially influence the decision-making process or has the power to appoint at least one member of the board of directors or an administrator in another operator. Foreign investors can also participate in broadcasting activities in Greece.
The concentration of media is prohibited. Concentration in media is considered to occur if an undertaking acquires a dominant position that is defined in Law No 3592/2007, which provides also for complementary application of Competition Law No 3959/2011. The Hellenic Competition Commission is the competent authority to consider competition law issues in the media sector.
Nevertheless, Law No 4339/2015 (as amended by Law No 4487/2017) sets the following restrictions on shareholders holding more than 1%, board members and legal representatives of entities that participate in tenders for digital terrestrial TV content providers: (i) no convictions by irrevocable court decision for specific crimes; and (ii) no participation in any manner in companies conducting research in the radio or TV market and in advertising companies, as well as in companies conducting telemarketing. The law also refers to the general prohibition of participation in companies that execute public contracts and require licence applicants to submit evidence proving how the applicant acquired the financial means used or intended to be used for the operation of the content provider.
Regarding free-to-air digital audio broadcasting (DAB), an auction was launched by EETT in 2018 for the awarding of rights to use radio frequencies for terrestrial free-to-air digital radio broadcasting of national and regional coverage. No licence was awarded through this process, with the result that analogue FM radio stations in Greece are still operating under a temporary licensing regime.
Radio and television content must adhere to the general principles of the Constitution, and there are further obligations concerning minors, rating, advertising, pluralism and non-discrimination, etc. The Television without Frontiers Directives were transposed into national legislation by PD 109/2010.
There are no regulations specifying a basic package of programmes that must be carried by broadcasting distribution networks, with the exception of the obligation to broadcast a certain amount of "social" content, on a daily basis and free of charge – for example, providing public health information, aiding people with disabilities and vulnerable population groups, information on equal treatment, eliminating gender stereotypes and discrimination, etc.
In the case of pay-TV, the agreements between programme administrators and licence-holders (the platform operator) must be approved by the National Broadcasting Council (ESR). Agreements on programmes already transmitted in public from a licensed free-to-air station in Greece or in another country are only notified and do not require approval.
Broadcast media advertising is regulated in accordance with Presidential Decree No 109/2010 and the fully implemented Television without Frontiers Directives, which are not applicable to online advertising. The latter is regulated by the general provisions of the legislation concerning e-commerce and consumer protection. Furthermore, the recently established Electronic Media Business Register aims at the registration of all online media on the website of the Ministry of Digital Policy. Only online media providers that are registered are eligible to receive state advertising.
The EU's current Audiovisual Media Services Directive 2010/13/EU (AMS Directive), as transposed in Greece by PD 109/2010, governs EU-wide co-ordination of national legislation on all audio-visual media, both traditional TV broadcasts and on-demand services. The aforementioned framework has already been amended by the Audiovisual Media Services Directive (AVMSD) (EU) 2018/1808, in view of changing market realities.
The proposed draft law on the transposition of the AVMSD into the Greek legal framework was made available to the public on opengov.gr and was open to public consultation from 3 December 2020 until 10 December 2020. The most important amendment of the legislative framework introduced by the proposed draft law is that audio-visual content is thereby regulated in all its forms of promotion and reproduction – ie, traditional television, on-demand audio-visual services and, for the first time, both video-sharing platforms and social media services, exclusively with regard to their audio-visual content.
Encryption is deemed to be the best way to protect data during transfer and is one way to secure stored personal data, reducing the risk of abuse within a company, as access is limited to authorised people holding the right key.
The GDPR does not mention explicit encryption methods, but the definitions set out in information security standards such as ISO/IEC 27001 or other national IT-security guidelines are very useful in that respect. Encryption of personal data has additional benefits for controllers and/or processors. For example, the loss of a state-of-the-art encrypted mobile storage medium which holds personal data is not necessarily considered a data breach that must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must positively consider the use of encryption in their decision on whether a fine is imposed (and in what amount), as per Article 83(2)(c) of the GDPR.
In Greece, encryption is required as a technical measure to enhance the protection of electronic communications operators against security incidents and violation of communications privacy (eg, PD 39/2011 transposing into Greek legislation Directive 2008/114/EC).
Law No 3674/2008 (on reinforcement of the institutional framework for the assurance of confidentiality in telephone communications and other provisions) provides for the possibility of imposing on telephony service providers the obligation to encrypt voice signals transmitted via physical means outside their own surveillance, such as, in particular, fibre-optic and cable lines and links.
ADAE Decision 165/2011 sets out the purpose, scope and general requirements of encryption policy (EP).
There are also specific obligations of encryption applying to certain industries (eg, banking and insurance). When assessing a credit institution licence application submitted for authorisation to the European Central Bank, Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 is applied, governing also “fintech bank” licence applications. Regulation 575/2013 is directly applicable in all EU member states and fintech bank applicants are obliged to ensure that information is protected against disclosure to unauthorised users (data confidentiality), improper modification (data integrity) and accessibility when needed (data availability), as data risk may materialise in the event of the unauthorised alteration or loss of sensitive information or the disruption of services.
In its specifications for the Greek Government Bond Interest Record and the Interest of Foreign Securities Record, AADE has set encryption requirements under which the file must be encrypted with a public key algorithm based on a PGP certificate; it also recommends completing the data when encrypting, in order to facilitate the file transfer process.
The use of encryption does not exempt legal entities from applicable rules. It is specifically noted that the provider's compliance with the provisions of the preceding paragraphs may not impede the application of the existing legislation on confidentiality.
The Greek government has adopted several legal instruments of an emergency nature to address the COVID-19 pandemic. The following are core examples of such measures which are relevant to the TMT sector.
Until 28 February 2021, by way of derogation from all existing national provisions on public procurement, the Ministry of Digital Governance and the bodies supervised by the Ministry may directly award contracts for the supply of goods and services relating to matters such as the maintenance of existing public-sector information systems, the development of new ICT means, the development and maintenance of websites, the provision of IT services and IT projects, as well as the supply of portable computers, related electronic devices and the software necessary to enable and facilitate remote work by employees.
Providers of content of free-to-air terrestrial digital television broadcasting of regional scope have the right to pay 50% of the monthly fee including the corresponding VAT due to the network provider Digea – Digital Services Provider SA for the provision of services for the delivery and distribution of regional content and additional services, as specified in the relevant signed contracts, for the months of October, November and December 2020, as well as for the months of January and February 2021. Digea is exempt from the obligation to pay certified tax debts of any kind to the Greek state of an amount equal to the monthly fee not paid by content providers of free-to-air terrestrial digital television broadcasting for the months of October to February.
The deadline for registering radio station antennas and licensed terrestrial digital television broadcasting network providers has been extended until 31 March 2021.
Remote working has been either promoted or imposed. The HDPA published guidelines for security measures on that subject, mentioning that companies should take the following measures, among others, in regard to the necessary technological means involved in remote working: