Data Protection & Privacy 2024 Comparisons

Last Updated March 12, 2024

Law and Practice

Authors



Psarras, Georgountzou, Gavrilis - GKP Law Firm is based in Athens. The law firm today counts ten lawyers at its offices in Athens and has an effective network of other lawyers throughout Greece. The law firm is well established in all areas of regulation and especially in the fields of corporate law, finance, banking, employment, IT, energy, media and pharma, but also in real property and construction. Its clients consist mainly of foreign companies that are active in Greece through a subsidiary or a branch office or on a project basis, and it assists them in negotiating, contracting and monitoring the performance of contracts or investments in Greece, in the public or private sector, including M&A. It has assisted in the setting up of distribution networks in various fields (especially vehicles, IT, food and drink, and pharma) and has vast experience in all aspects of commercial law and especially agency, distribution and franchising, including also an excellent track record in IP and competition law issues.

The fundamental provisions for privacy and data protection in Greece are the following in order of priority:

1. The Treaty on the Functioning of the EU (TFEU) and Regulation (EU) 2016/679

Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) is the main legislation for the protection of personal data. The GDPR is directly applicable in Greece and supersedes any provision of national law, including the Constitution. The GDPR provides for the imposition of penalties (Article 83), as well as the obligation to compensate for damages incurred (Article 82), in case of violation of its provisions.

2. Constitution

The basic principles for the privacy of communications and the protection of personal data are set out in the Greek Constitution. The respective articles are included in the chapter regarding fundamental individual rights. More specifically:

  • Article 9A of the Constitution establishes protection from the processing, collection and use of personal data and provides for the establishment of an independent authority that will safeguard such rights. In 1997, the Hellenic Data Protection Authority (HDPA) was established according to Law 2472/1997.
  • Article 19 of the Constitution establishes the privacy of correspondence (namely post/mail, which is the oldest form) and the freedom of communications in general, and provides for the establishment of an independent authority that will safeguard such rights. In 2003, the Hellenic Authority for Communication Security and Privacy was established according to Law 3115/2003.

3. Civil Code

Articles 57-59 of the Greek Civil Code include fundamental provisions for the protection of the personality of the individual. The offence of insulting an individual’s personality may substantiate civil claims for injunction, compensation and moral damages.

4. Laws

  • Law 4624/2019 provides the necessary measures for the implementation of the GDPR and adopted the provisions of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Moreover, Law 4624/2019 includes provisions for the operation of the HDPA.
  • Law 2472/1997 implementing Directive 95/46/EC on the protection of individuals with regard to the processing of personal data applies to the extent that a few of its articles still remain in force.
  • Law 3471/2006 provides for the protection of privacy and personal data in electronic communications.
  • Law 3674/2008 provides for the necessary measures that the providers of electronic communications networks and services must apply to safeguard the safety and privacy of communications.
  • Law 3917/2011 adopted the provisions of Directive (EU) 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
  • Law 5002/2022 on the privacy of communications and cybersecurity aims to protect the confidentiality of communications from surveillance and monitoring.

In general, enforcement measures include the imposition of administrative penalties, as well as criminal charges and fines. At the same time, civil claims for injunction, compensation and moral damages may be substantiated by injured parties.

5. Regulatory acts and guidelines issued by the competent authorities

Lastly, the competent independent authorities, such as the HDPA and the Hellenic Authority for Communication Security and Privacy, issue regulatory acts and guidelines.

The Hellenic Data Protection Authority

Area of jurisdiction – powers

As stated in 1.1 Laws, the HDPA is a constitutionally provided independent authority whose main purpose is to supervise and monitor the implementation of the GDPR, Law 4624/2019 and any other legislation concerning the protection of the data subject from the processing of his/her personal data. The powers of the HDPA are listed in Articles 51 et seq of the GDPR and Law 4624/2019 and include, among others: (a) the power to supervise the application of the GDPR and the law for the protection of the individual from personal data processing; (b) the power to advise the government and other institutions on new legal provisions regarding personal data processing; (c) the power to conduct audits and investigations to ensure the application of the legislation; (d) the power to handle complaints; (e) the power to co-operate with other supervisory authorities to ensure the uniform application of the legislation; and (f) the power to impose penalties upon violation of the legislation.

Audits and investigations

The investigative and remedy powers of the HDPA are very important and are provided by Article 58 of the GDPR and Article 15 of Law 4624/2019. Audits are initiated by the HDPA itself (ex officio), or following the filing of a complaint, or following information provided by another state authority. During such audits, the HDPA has the power to acquire, from either the data controller or the data processor, access to all the personal data and information required for the purposes of the audit and the performance of its tasks. No right of privacy may be opposed to the HDPA. The audits are performed by members of the HDPA who are special investigating officers and have all the respective investigation powers provided by the Code of Criminal Procedure. During the audits and for the purposes of such audits, the HDPA can:

  • address notices to the data controller or processor that certain data processing acts may be breaching the provisions of the law;
  • order the data controller or processor to comply in a defined manner and within a defined deadline with the provisions of the law, ie, to correct or delete personal data, to interrupt the processing of personal data, to return or lock personal data, and/or to destroy the filing system or personal data;
  • order the temporary or permanent limitation or prohibition of personal data processing;
  • order the delivery of documents, data filing systems, equipment or means of processing and their contents to the HDPA; and
  • confiscate documents, information, data filing systems, equipment and means of processing and their contents that may be breaching the provisions of the law.

The Hellenic Authority for Communication Security and Privacy

Area of jurisdiction – powers

As stated in 1.1 Laws, the Hellenic Authority for Communication Security and Privacy is a constitutionally provided independent authority whose main purpose is the protection of the privacy of post/mail, the freedom of communication in any other manner and the security of networks and information. In order to achieve its purpose, the Authority has, in accordance with Article 6 of Law 3115/2003, the following powers: (a) to conduct audits of public entities, as well as private entities; (b) to hold hearings, investigate complaints and impose penalties; and (c) to issue regulations regarding the assurance of the confidentiality of communications.

Audits and investigations

The Authority is competent to conduct audits on facilities, technical equipment, archives, databases and documents belonging to state authorities or private entities active in the domain of post, telecommunications or other services related to communications. Audits are initiated either by the Authority itself (ex officio) or following the filing of a complaint. The Authority collects information and has the power to confiscate any means that violate the privacy of communications and summon to a hearing any person pertaining to its mission. The Authority may decide to impose administrative penalties following a hearing and invitation of the parties involved to provide justifications.

Lastly, it should be noted that for the time being there is no regulator for artificial intelligence (AI) in Greece and AI is not included in the areas of jurisdiction of the existing regulators.

The administrative process before the HDPA is governed by the provisions of Law 3051/2002 and the Code of Administrative Procedure.

Decision 9/2022 of the HDPA, as amended, includes the Rules of Operation of the HDPA and provides that every case must follow the basic procedural steps:

  • case file preparation before the hearing;
  • a hearing before the HDPA, which is not open to the public; and
  • in the event of reprimand or imposition of penalties, the HDPA issues its decision only after having heard the parties involved, who may file submissions before the hearing, attend the hearing in person or with an attorney, provide clarifications upon request during the hearing and file closing submissions.

The HDPA may issue decisions in the form of provisional measures applicable until the issuance of its definitive decision on the merits of the case.

The HDPA’s decisions are binding on its addressees, while its enforceable acts are subject to appeal before the Administrative Courts and annulment by the Council of State.

Greece is an EU member state. The GDPR is directly applicable in Greece and supersedes any provision of national law. Furthermore, Law 4624/2019 provides the necessary measures for the implementation of the GDPR and the operation of the HDPA. All relevant decisions taken at EU level apply directly in Greece, including issues concerning data privacy rules with any non-EU state.

During the last five years, non-governmental organisations have been established in Greece aiming: (i) to protect the privacy and personal data of individuals; (ii) to raise awareness among individuals on the protection of privacy and personal data; (iii) to educate individuals about their rights to privacy and personal data; (iv) to identify new risks regarding the protection of privacy and personal data deriving from developing technologies; and (v) to participate in the development of the legal environment regarding the protection of privacy and personal data.

It is worth pointing out that in 2022 the HDPA imposed the largest fine ever imposed on a company, namely EUR20 million, for violation of a data subject’s right of access to personal data, pursuant to a complaint filed by an active NGO on behalf of the data subject (decision 35/2022).

Greek law follows the EU model, and the HDPA is well organised, quite active and relatively aggressive in the imposition of the law.

During the years 2020-2023, the HDPA focused on digital transformation projects, including the initial upgrade of the HDPA’s web portal and integrated information systems, as well as the byDesign project, which developed a GDPR compliance web application for use by all interested parties and educational materials and programmes on the subject of “data protection by design and by definition” addressed to IT and communications professionals. Moreover, the recent developments of the HDPA’s integrated information system pertain, among other things, to the management of data breach incidents, the self-assessment of controllers as to the level of data security and protection, the assistance of data subjects in exercising their rights, and the submission of complaints, data breach incidents, etc through the HDPA’s digital portal.

As far as enforcement is concerned, the HDPA during 2023 issued 30 decisions finding infringements of the law and imposing penalties in most cases. Such decisions include findings of infringements regarding the processing of data from major banks, telecommunications services providers, electric power providers and even the Independent Authority for Public Revenue. The HDPA has also opined in regard to legislation proposed by the Government concerning the introduction of a system of a single ID for all natural persons and issued a Regulation concerning data processing for political campaigns.

Recently, hot topics have revolved around AI and include the following:

  • compliance with security and privacy requirements of AI systems;
  • the contents of the new EU AI Act and its requirements regarding cybersecurity and how it will supplement the GDPR; and
  • appropriate technical and organisational measures in AI environments.

Another hot topic is the EU proposal for a Regulation on Child Sexual Abuse Material providing rules to prevent and combat child sexual abuse. Concerns have been expressed with regard to the effectiveness of the proposed rules, which could lead to an overall deterioration of cryptography and security of communications for all users, including children.

Another hot topic is the EU proposal for a Regulation on the co-operation of the Supervisory Authorities of the member states in cross-border cases of strategic importance. The Regulation is positively awaited and expected to provide greater legal certainty.

Data Protection Officer

The Data Protection Officer (DPO) is responsible for the compliance of the data controller or processor with the GDPR and the applicable legislation, and is the person who communicates with the HDPA or the data subjects. The DPO’s role is advisory and not decisive, and confers no personal responsibility on the person of the DPO in the event that the data controller or processor does not comply with the law. Articles 6-8 of Law 4624/2019 regulate the duties of the DPO in the public sector. The function of the DPO is crucial, and the HDPA pays special attention to the appropriate enforcement of the law (eg, decision 2/2024 imposing a fine of EUR25,000 upon the Ministry of Rural Development and Food for not having appointed a DPO for a long time).

The appointment of a DPO is mandatory in the following cases:

  • when the processing is carried out by entities of the public sector. Courts are excluded, provided they are acting in their judicial capacity;
  • when large-scale data processing of data subjects takes place (eg, banks, insurance companies and telecommunications providers); or
  • when special categories of data are processed on a large scale and specifically in the context of providing health services in hospitals.

Criteria Necessary to Authorise Collection, Use or Other Processing of Personal Data

For the processing of an individual’s personal data to be lawful, at least one of the following conditions must apply:

  • the data subject has given his/her consent to the processing of his/her personal data for one or more specific purposes. The consent must be express and written, and the data controller must be able to demonstrate that the data subject has given his/her consent;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the data controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
  • processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This does not apply to processing carried out by public authorities in the performance of their tasks.

Privacy by Design and by Default

The principle of privacy by design and by default is a basic condition of compliance according to Article 25 of the GDPR. It is a fact that the risk of personal data breaches increases with the development of technology and communications, and creates the need to protect data by design and by default. Security systems of data controllers and processors should be designed in a “preventive” way, to avoid future breaches. Furthermore, the protection of privacy by design and by default creates the need to implement technical and organisational measures that will ensure that the processing is carried out only for the fulfilment of the intended purpose.

Data Protection Impact Analysis (DPIA)

Article 35 of the GDPR provides for the obligation to carry out an impact assessment for the protection of personal data in specific cases, when data processing is carried out with advanced technological means, such as AI, and may entail a high risk to the rights and freedoms of the data subject.

The impact assessment is carried out in five stages, namely:

  • the initial study, which specifies the processing operations carried out which are likely to cause a high risk to the rights of the data subject;
  • the recording of the data collected (simple data and data of special categories, etc) and the type of processing they undergo;
  • any shortcomings and sources of risk for personal data;
  • categorisation and recording of adverse effects of personal data; and
  • detailed description of the risks and threats identified in an organisation or business.

The impact assessment is necessary especially when the processing of personal data is based on automated means, when it comes to large-scale data processing (big data) and in the case of systematic monitoring of public space on a large scale. The HDPA has issued decision 65/2018, which groups the processing operations that require a DPIA into three categories depending on:

  • the types and purposes of processing (eg, customer credit check by a bank, anti-money laundering);
  • the types of data and categories of data subjects (eg, location data, social welfare data, data collected from smart devices);
  • additional features and processing means (eg, AI and new technologies).

Data Subject Access Rights

A basic condition for compliance with the GDPR is the satisfaction of data subjects’ requests regarding the exercise of their rights. The data controller or processor must prove that he/she applies the appropriate measures and the required procedures, as well as that he/she respects the rights of the data subjects. The rights are detailed in Articles 12-22 of the GDPR and include:

  • the right of access, which means that the data subject has the right to be informed by the data controller or processor whether his/her personal data are being processed and, if this is the case, to have access to them, including a copy thereof;
  • the right to rectification, which means that the data subject has the right to request the correction of inaccurate and the completion of missing personal data;
  • the right to deletion, which means that the data subject has the right to request the deletion of his/her personal data;
  • the right to restriction of processing, which means that the data subject has the right to request the restriction of the processing;
  • the right to portability, which means that the data subject has the right to request and receive his/her personal data in a structured, commonly used and machine-readable format, as well as the right to transmit the personal data to other data controllers;
  • the right to object, which means that the data subject has the right to object to the processing of his/her personal data; and
  • the right to file a complaint, which means that the data subject has the right to file a complaint with the HDPA in the event of breach of the law.

Profiling and Automated Decision-Making

Profiling and automated decision-making present risks to the rights and freedoms of data subjects, in perpetuating stereotypes and creating discrimination against individuals. The GDPR grants to the individual the right to object when he/she is subject to a decision based solely on automated processing, except: (a) if such a decision is necessary for entering into or performing a contract between the data subject and the data controller; (b) if the data subject has granted his/her consent; or (c) if authorised by a provision of Greek law or EU law, which simultaneously defines suitable measures to safeguard the rights of the individual.

Moreover, Law 4624/2019 prohibits profiling and automated decision-making in the processing of personal data by public authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences, execution of criminal penalties and the safeguarding of and prevention of threats to national security, unless expressly provided for by a provision of Greek law or EU law, which simultaneously defines adequate guarantees for the freedoms and the rights of the individual. The Article 29 Data Protection Working Party has issued guidelines on automated decision-making and profiling for the purposes of the GDPR (WP251 rev.01).

Compensation Claim

Article 40 of Law 4624/2019 provides for the judicial protection of the data subject against the data controller or processor for violations of the GDPR. More specifically, it provides that the data subject may file a lawsuit before the court of the district where the data controller or processor has its establishment or where the data subject has his/her residence. However, when the data subject files a lawsuit against a public authority acting in its capacity as a “sovereign”, the lawsuit must be filed before the court of the district where the public authority has its seat.

Similarly, Article 80 of Law 4624/2019 establishes the civil liability of public authorities for unlawfully causing damage to the data subject, which may result in payment of compensation and/or moral damages. Further information on civil liability may be found in 2.5 Enforcement and Litigation (Civil liability – class action section).

“Sensitive” Personal Data or Personal Data Belonging to “Special Categories”

Definition

These personal data are those which by their nature are particularly “sensitive” in relation to the fundamental rights and freedoms of the data subject. Such data are characterised as “data of special categories” in the GDPR and Greek law, and include personal data revealing racial or national origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data, health data and data revealing sex life or sexual orientation.

General prohibition of processing

The general rule is that the processing of such “sensitive” personal data is prohibited.

Exceptions

Exceptionally, the processing of such “sensitive” personal data is allowed in the following situations:

  • the data subject has given explicit consent;
  • the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller or the data subject in the field of employment and social security and social protection law;
  • the processing is necessary to protect the vital interests of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent;
  • the processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association or any other non-profit entity with political, philosophical, religious or trade union purpose and provided the processing relates solely to its members, former members or persons with whom it has regular contact;
  • the processing relates to personal data that have manifestly been made public by the data subject;
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever the courts are acting in their judicial capacity;
  • the processing is necessary for reasons of substantial public interest;
  • the processing is necessary for the purposes of preventive or occupational medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;
  • the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and medicinal products or medical devices; or
  • the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes which are proportionate to the purpose pursued, while respecting the essence of the right to data protection and providing for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Rules of processing

All appropriate and special measures for the protection of the interests of the data subjects must be implemented, taking into account the level of technology, the implementation cost, the purposes of processing, and the risks and their significance for the rights and freedoms of the data subjects. Such measures may include, among others:

  • technical and organisational measures ensuring that the processing is in compliance with the GDPR;
  • measures ensuring that it is possible to verify in retrospect the identity of the person who has introduced, modified or deleted the personal data;
  • measures supporting the awareness of the employees dealing with the processing;
  • access limitation for data controllers and processors;
  • anonymisation of personal data;
  • encryption of personal data;
  • measures safeguarding the confidentiality, capacity, integrity, availability and strength of the systems and services of processing, including immediate restoration of access and availability in case of incident;
  • procedures for regular testing and assessment of the effectiveness of the measures implemented to safeguard the protection of the processing; and
  • the appointment of a DPO.

Financial data

Financial data are personal data but not “sensitive” data, as they do not fall within the above-stated “special categories”. The main processors of financial data are banking and credit institutions, which have a statutory confidentiality obligation towards their customers and their financial data.

Health data

Health data are in their vast majority “sensitive” data and include medical examinations, diseases, disabilities, medical history, risk of developing diseases, psychological state, etc. In Greece, a system for electronic prescription of medicines, electronic patient medical records and telemonitoring has been implemented (eHealth). The HDPA has issued a decision regarding eHealth (decision 138/2013); a directive regarding processing in the context of the COVID pandemic (directive 1/2020); opinions regarding the Health Cards of Athletes (limiting the types of personal data processed and the processing thereof); a directive regarding data processing concerning expenditures of public hospitals (directive 3/2015); a directive regarding data processing concerning promotional activities in the pharma sector (directive 5/2016); a directive regarding data processing concerning the surgery lists of public hospitals (directive 8/2016); and decisions upon complaints concerning processing of health data from insurance companies or the Public Social Security Fund (decision 5/2021).

Minors’ data

Greek law sets the limit at the age of 15 for the receipt of information society services, so minors who have reached the age of 15 can validly give their consent to the processing of their personal data. On the contrary, the consent for minors under 15 years of age must be given by their legal representative (ie, parents or persons with custody, guardianship, etc). Otherwise, the consent is null and void (Article 21 of Law 4624/2019).

Genetic data

Greek law prohibits the processing of genetic data for health and life insurance purposes (Article 23 of Law 4624/2019).

Employment data

This issue is analysed in 2.4 Workplace Privacy.

Internet, Streaming and Video Issues

Cookies

Law 3471/2006 provides that the storage of information or the acquisition of access to already stored information in the terminal equipment of a subscriber or user is only permitted if the specific subscriber or user has given his/her consent and if he/she has been expressly informed (“opt-in”). In addition, the HDPA has issued recommendation 1/2020 with the aim of providing clear instructions to data processors of electronic communications regarding the management of cookies. The HDPA points out that for the placement of a tracker on the user’s terminal equipment to be legal, the user must have given his/her consent after having been extensively informed. The user’s consent is especially necessary when cookies are installed for the purpose of online advertising or the use of third-party trackers, such as the Google Analytics service for the purpose of statistical analysis. The user’s consent is not required when cookies are installed on the terminal equipment and are technically necessary for the operation of the website or the provision of the internet services requested by the user.

Location data

Law 3471/2006 includes provisions for the processing of “location data”, which are data processed in an electronic communications network or by an electronic communications service that reveal the geographic location of the user’s terminal equipment. The law provides that the processing of location data must be necessary for the fulfilment of the intended purpose (principle of “purpose limitation” provided also in the GDPR). To this purpose, the processing is permitted only for the performance of the contract to which the subscriber or user is a contracting party or for the implementation of measures during the pre-contractual stage, upon the subscriber’s request (decision 4/2022 of the HDPA).

Behavioural or targeting advertising

The issue is analysed in 2.3 Online Marketing.

Electronic communications

Law 3471/2006 on the protection of privacy and personal data in electronic communications establishes obligations for providers of publicly available electronic communications services, such as obligations for the processing of traffic and location data and the satisfaction of the special rights of users and subscribers. In addition, the law provides rules applicable to controllers for the recording of calls, the conditions of access to information stored in user terminal equipment (cookies) and the legality of promoting goods and services by telephone, email and SMS. The provisions of the above law apply in addition to the GDPR.

Other Issues

Data subject rights

This issue is analysed in 2.1 Omnibus Law and General Requirements.

Unsolicited Commercial or Marketing Communications Through Electronic Means

This category includes various electronic communications or communications through automated means, such as:

  • emails;
  • messages through mobiles (SMS, MMS);
  • faxes;
  • instant messaging;
  • electronic messaging services, such as through social networking sites; and
  • calls without human intervention such as through an automated call system.

Such unsolicited commercial or marketing communications, without human intervention, are permitted only if the data subject has granted his/her prior consent by “opt-in”. Otherwise, such communications are considered unwanted (ie, “spam”) (Article 11 of Law 3471/2006).

Unsolicited commercial or marketing communications with human intervention, such as telephone calls, are permitted, unless the data subject has informed the service provider that he/she does not want to receive such calls by “opt-out”. Service providers must keep a record of those subscribers who have stated their objection to receiving such telephone calls (Article 11 of Law 3471/2006, as amended by Article 16 of Law 3917/2011).

Exceptionally, Unsolicited Commercial or Marketing Communications Through Emails

Email contact data that have been acquired legally in the context of the sale of goods or supply of services or other transactions may be used for the direct marketing and promotion of similar goods or services, even if the recipient has not granted his/her prior consent. However, the recipient must be granted in a clear and precise manner the option to object easily and without cost to the collection and use of his/her electronic data at the time of collection of the data, as well as in every email message (Article 11 § 3 of Law 3471/2006).

Rules for Unsolicited Commercial or Marketing Communications

In any case, unsolicited commercial or marketing messages should refer clearly and precisely to the identity of the sender and the address where the recipient can request the interruption of any further communications.

Unsolicited commercial or marketing messages should clearly state their “commercial” nature in the subject matter of the message.

The HDPA has issued Guideline 2/2011 with examples and best practices to obtain electronically the consent of the data subject.

Objection to Any Unsolicited Communications

Individuals have the right to declare to the HDPA that they do not want their personal data to be subject to any processing for the purposes of marketing and promotion of sales of goods and services from a distance. The HDPA keeps records of the identity of the above individuals, the so-called “List of Article 13” (according to Article 13 of Law 2472/1997).

Provisions applicable to the processing of personal data of employees are included in both the GDPR and Law 4624/2019. More specifically:

  • Legal basis for processing of personal data of employees: The legal basis for processing the personal data of employees is the performance of the employment contract. The legal basis for processing the “sensitive” personal data of employees is the exercise of rights or the performance of legal obligations deriving from employment law, social security law and social protection law.
  • Prohibition of monitoring of employees by way of CCTV: The processing of personal data by means of closed-circuit visual recording systems (CCTV) within workplaces, whether publicly accessible or not, is permitted only if it is necessary for the protection of persons and property. Data collected through CCTV may not be used to assess employee efficiency and performance. Employees must be informed in writing of the installation and operation of any CCTV system within the workplace.

The HDPA has issued various guidelines and decisions on the processing of personal data at work, including Guideline 115/2001 on the protection of personal data of employees and Guidelines 1/2021 and 2/2020 on the protection of personal data through telework.

Enforcement Penalties

Administrative fines for private entities and individuals

According to Article 83 of the GDPR, administrative fines imposed by the HDPA may amount to EUR10 million or, in case of an undertaking, up to 4% of the total worldwide annual turnover.

Administrative fines for public entities

According to Article 39 of Law 4624/2019, administrative fines imposed by the HDPA upon public entities are limited to the amount of EUR10 million.

Criminal penalties (Article 38 of Law 4624/2019)

Unauthorised access to databases and personal data, or copying, deleting, amending, harming, collecting, recording, organising, structuring, storing, adjusting, changing, recovering, searching, comparing, combining, limiting or destroying data, is punishable with imprisonment up to one year.

Further use, transmission, transfer, conveyance, notification or granting of access to personal data acquired according to 2.1 Omnibus Law and General Requirements is punishable with imprisonment up to five years. If special categories of data are involved, the punishment is imprisonment for up to one year and a monetary penalty up to EUR100,000.

If, in addition to the above, there is also an intention to acquire illegal profit or cause damage exceeding the amount of EUR120,000, the punishment is imprisonment for up to ten years.

If, in addition to the above, there is a risk to the free operation of democracy or national security, the punishment is imprisonment for up to ten years and a monetary penalty up to EUR300,000.

Civil liability class action

According to the provisions of the Civil Code, any person or entity that violates the law and wrongfully damages another is liable in tort to compensate for any immediate effect on the property of another and reasonable expected damages (ie, loss of profit); moral damages may be also requested. Greek law does not provide for legal actions that can be taken by entities that cannot demonstrate an interest in taking the action. An action can have many plaintiffs or many defendants, but the decision will only bind the litigants and not third parties.

Legal Standards That Regulators Must Establish to Allege Violations of Privacy/Data Protection Laws

The regulators must establish full proof of any violations. The legal standards for such proof do not differ from the legal standards applied by the courts.

Leading Enforcement Cases in Greece

According to information provided by the HDPA, during the first five years of the GDPR, the HDPA has issued approximately 100 decisions imposing fines and penalties in a total amount of approximately EUR30 million. The majority of the decisions were issued against private entities, although there were some against public authorities as well. Indicatively:

  • The HDPA (decision 35/2022) imposed a fine of EUR20 million upon a US company for the violation of a data subject’s right of access to personal data that had been processed by the company;
  • The HDPA (decision 25/2023) imposed a fine of EUR210,000 upon a Greek bank for lack of appropriate organisational and technical means as automated processing in effect could lead to illegal transfer of personal data and failure to reply appropriately to a data subject request;
  • The HDPA (decision 35/2023) imposed a fine of EUR50,000 upon a Greek bank for failure to notify a data breach;
  • The HDPA has occasionally imposed smaller fines amounting to approximately EUR10,000 per incident upon Greek banks for failing to satisfy data subject rights; and
  • The HDPA (decision 4/2022) imposed fines of EUR6 million and EUR3,250,000 upon major telecommunications providers for failure to implement appropriate organisational and technical means and for leakage of subscribers’ personal data.

Personal Data

Law 4624/2019 (Articles 43-86) adopted Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. The above law provides in summary the following:

  • Personal data processing for law enforcement purposes is subject to the same general principles of transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality as those established by Article 5 of the GDPR.
  • The competent state authorities, ie, Police, Coast Guard Police, Customs Police, courts, judicial and prosecuting authorities, and prisons, operate as data controllers.
  • The only legal basis for processing is the law. This is in line with the fundamental principle of criminal law that no crime exists and no penalty is imposed without the existence of a law.
  • The processing of “special categories” of personal data (as described in 2.2 Sectoral and Special Issues) is permitted only if absolutely necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and provided: (a) it is expressly required by national or EU law; (b) it is imposed for the protection of vital interests of the data subject or another person; or (c) it relates to data that have been obviously made public by the data subject.
  • The processing of “special categories” of personal data requires the implementation of appropriate safeguards, such as: (a) special specifications for safety and audit of processing; (b) specific and restricted deadlines for the processing; (c) measures to strengthen awareness of the employees who participate in the processing; (d) limitation of access to such data within the competent authority; (e) maintenance and processing of such data separately from other data processing; (f) anonymisation of such data, if permitted by the purpose of processing; and (g) encryption of such data and other special procedural rules that safeguard the legality of the processing and the protection of the data subject.
  • All the persons involved in personal data processing must receive a respective licence from the competent authority and are bound by confidentiality obligations, which survive the termination of the employment relation.
  • Upon order of the competent Attorney General (Prosecutor), the Police authorities may make public for a time period not exceeding six months the picture, ID and criminal charges of a person accused or convicted for crimes against sexual freedom and any crimes punished with imprisonment of at least two years for the purposes of investigation, detection, prosecution, arrest or conviction.
  • The rights of the data subject to access, correction, deletion or limitation of processing are limited as necessary to prevent the obstruction of legal investigations or of the detection, prosecution, arrest and conviction of serious crimes. Such limitations are justified by the protection of public safety, national security and the rights and freedoms of third parties.

Such rights are addressed to the data controller and cannot be addressed to the data processor; eg, a laboratory performing DNA examinations on behalf of the prosecuting authorities cannot share the results of the DNA examinations with the suspect data subject.

Communications

Law 5002/2022 provides the conditions and procedures for the declassification of communications, the privacy of which is a fundamental individual freedom according to Article 19 of the Constitution (1.1 Laws). According to the above law:

  • Only the National Intelligence Service (EYP) and the Police Department for Special Violent Crimes may request the declassification of communications for reasons of national security or for particularly serious crimes, respectively. Such crimes are expressly provided in the law and include crimes against sexual freedom, bodily integrity or the state, homicide committed with intent, money laundering from criminal activities, etc.
  • The request for declassification of communications is subject to approval by the Attorney General and a second approval by the Attorney General appointed by the Supreme Court.
  • In the event that “political persons” are involved, ie, members of the Government or Parliament, the prior approval of the Chair of the Parliament is required.
  • The law provides for specific procedures regarding the management and destruction of declassified material.

Law 4624/2019, which adopted Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, applies also to safeguarding against and the prevention of threats to national security (Article 43). Therefore, the analysis in 3.1 Laws and Standards for Access to Data for Serious Crimes applies here as well.

Greece is a signatory to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities dated 14 December 2022.

General Principles for Transfers of Personal Data

According to Article 75 of Law 4624/2019, the transfer of personal data from the Greek state authorities to the authorities of non-EU countries or international organisations is permitted, provided the other provisions of Law 4624/2019 are met as stated in 3.1 Laws and Standards for Access to Data for Serious Crimes (Personal Data section), and provided:

  • the authority or international organisation is competent for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
  • the European Commission has adopted an adequacy decision, meaning that the non-EU country in question provides adequate protection for personal data, or in the absence of an adequacy decision, appropriate safeguards have been provided, or in the absence of such appropriate safeguards, one of the following specific derogations applies:
    1. The transfer is necessary in order to protect the vital interests of the data subject or another person;
    2. The transfer is necessary in order to safeguard legitimate interests of the data subject;
    3. The transfer is necessary for the prevention of an immediate and serious threat to public safety; or
    4. The transfer is necessary in certain individual cases.

The transfer of personal data is not permitted, despite the existence of an adequacy decision and the need to safeguard the public interest, if the protection of the fundamental rights and interests of the data subject cannot be ensured in the specific case. The data controller assesses the level that would ensure protection of the above rights of the data subject based on the guarantees for the protection of the personal data offered by the recipient of the personal data in the non-EU country.

The transfer of personal data from another EU member state requires prior authorisation by the competent data protection authority of such member state. Such prior authorisation is not required if the transfer of the personal data is necessary for the prevention of an immediate and serious threat against public safety of a member state or of a non-EU country and the prior authorisation cannot be obtained in a timely manner.

Transfers of Personal Data to Recipients in Non-EU Countries

In individual and specific cases, the Greek state authorities may transfer personal data to recipients of non-EU countries that are not competent for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, provided the other provisions of Law 4624/2019 are met as stated in 3.1 Laws and Standards for Access to Data for Serious Crimes (Personal Data section), and provided:

  • no fundamental rights and freedoms of the data subject concerned override the public interest necessitating the transfer in the case at hand;
  • the transfer to the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties is ineffective or inappropriate, in particular because the transfer cannot be achieved in a timely manner; and
  • the transferring competent authority (data controller) informs the recipient of the specified purpose(s) and gives accurate guidelines with regard to the processing of the personal data to the extent only that this is necessary for such purpose(s).

When personal data are transferred to non-EU countries, at least the same level of protection as the GDPR must be ensured. It is worth mentioning that the GDPR (Article 48) does not affect international agreements concluded between the EU and non-EU countries which govern the transfer of personal data and provide appropriate guarantees for data subjects.

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was adopted by the Congress of the United States of America on 23 March 2018 with the aim of improving procedures for both the US and foreign authorities in obtaining access to data held by service providers in the context of criminal investigations. The CLOUD Act may endanger any protection provided by the GDPR, because it would extend its scope beyond the borders of the USA to EU member states where the GDPR applies. The competent bodies of the EU have evaluated the US legislation and have decided that the conditions of Article 48 of the GDPR are not met because sufficient protection guarantees for the security of the personal data of citizens of the EU are not ensured in the territory of the USA. The EU has expressed its concern about the possibility of individual member states entering into bilateral CLOUD Act implementing agreements with the USA and is calling on the Commission for an EU-wide harmonised policy on the issue. Greece has not signed an international agreement with the USA.

Much public debate revolves around the issue of whether, and when, the individual whose communications were declassified should be informed of such declassification.

Law 5002/2022 regulates the declassification of communications for reasons of national security and particularly serious crimes:

  • In case of declassification of communications for reasons of national security, the person whose communications were declassified may be informed three years after the end of the imposition of the declassification measures, provided that the purpose for which the measures were ordered is not at risk and the special three-member committee issues its approval.
  • In case of declassification of communications for reasons of particularly serious crimes, the person whose communications were declassified is informed anytime after the end of the imposition of the declassification measures upon request by the Hellenic Authority for Communication Security and Privacy with the consent of the Attorney General of the Supreme Court and provided that the purpose for which the measures were ordered is not at risk.

Transfers of Personal Data Within the EU

According to the GDPR (Article 44), the transfer of personal data from an EU member state to another EU member state may take place freely, provided the other provisions of the GDPR are met.

Transfers of Personal Data to a Non-EU Country or International Organisation

According to the GDPR (Article 45), the transfer of personal data from an EU member state to a non-EU country or international organisation may take place freely, without any specific authorisation, if the European Commission has decided that such non-EU country or international organisation ensures an adequate level of protection for personal data.

The European Commission has so far recognised that the following non-EU countries and dependencies provide adequate protection: Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the UK, Uruguay and the USA (commercial organisations participating in the EU-US Data Privacy Framework).

With the exception of the UK, the above-mentioned adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by Law Enforcement Directive (EU) 2016/680 and analysed in 3.3 Invoking Foreign Government Obligations.

In the absence of an adequacy decision by the European Commission as described in 4.1 Restrictions on International Data Issues, transfers of personal data to third countries or international organisations may take place without any specific authorisation, if the data controller or data processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies are available, such as:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard data protection clauses adopted by the European Commission;
  • an approved code of conduct; or
  • an approved certification mechanism.

In the absence of any of the above appropriate safeguards, transfers of personal data to a third country or international organisation may take place only on one of the following conditions:

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which according to EU or member state law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or member state law for consultation are fulfilled in the particular case.

Transfers of personal data to an EU member state, a third country or an international organisation are not notified, nor do they require prior approval. However, the data controller or processor must enter the transfers in the records of processing activities (Article 30 of the GDPR), stating at least the recipient and the documentation proving the existence of appropriate safeguards. Such records, including records of transfers, should be made available to the HDPA upon request.

According to the GDPR (Articles 13 and 14), the data controller must upon collection of personal data provide the data subject with specific information such as the controller’s identity and contact details, the purposes of the processing, the recipients or categories of recipients of the personal data, etc. Among such information, the data controller must inform the data subject if he/she intends to transfer the personal data to a non-EU country or international organisation and the existence or absence of an adequacy decision, appropriate safeguards or other mechanisms discussed in 4.2 Mechanisms or Derogations That Apply to International Data Transfers.

In view of the above, if the information notice provided does not include the fact that the data controller intends to transfer the personal data to a non-EU country or international organisation, the controller must inform the data subject anew about such intended transfer prior to the transfer of personal data. However, the data controller is not obliged to inform the data subject about the transfer of the personal data within the EU. In any case, the recipients or categories of recipients of the personal data stated in the information notice should include the foreign recipient of the personal data to be transferred.

Of course, the other terms of the GDPR must be met, such as, for example, the following:

  • if the legal basis for the processing is consent, the data processor must obtain the data subject’s consent prior to the transfer of the personal data abroad;
  • if the legal basis for the processing is the performance of a contract, the transfer of the personal data abroad should be justified in terms of the performance of such contract; and
  • if the legal basis for the processing is compliance with a legal obligation, the transfer of the personal data abroad should be justified in terms of such compliance, etc.

Under Greek law there is no specific obligation to share software code, algorithms or similar technical details with the HDPA. However, all technical and organisational measures should be made available to the HDPA upon request in the context of a regular audit or investigation.

Transfers Not Authorised by EU Law

According to the GDPR (Article 48), any judgment of a court and any decision of an administrative authority of a third country requiring a Greek private data controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or Greece.

Transfers Permitted by Greek Law

The transfer of personal data from the Greek state authorities to the authorities of non-EU countries or international organisations is permitted, provided the other provisions of Law 4624/2019 are met, which adopted Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, the safeguarding against and the prevention of threats to national security and on the free movement of such data. Please see 3. Law Enforcement and National Security Access and Surveillance.

There are no “blocking” statutes, meaning that there are no Greek laws or statutes which prohibit compliance with EU regulations. As already stated in 1.1 Laws, EU Regulations are directly applicable in Greece and supersede any provision of national law, including the Constitution.

Big Data

Big data refers to a large amount of personal data that is generated very quickly from various sources such as social media, the internet, GPS applications, digital systems or humans. There are no specific laws for big data.

Automated Decision-Making; Profiling

This issue is analysed in 2.1 Omnibus Laws and General Requirements (Profiling and Automated Decision-Making section).

AI

The European Commission addresses the multiple challenges raised by AI in the Proposal for a Regulation (AI Act), with the aim of establishing harmonised rules on AI. In Greece, Law 4961/2022 defines specific obligations for AI service providers in the public and private sectors, such as the obligation to comply with the GDPR when processing personal data, the obligation to perform an algorithmic impact assessment prior to the implementation of an AI system, and transparency obligations.

Internet of Things (IoT)

The Internet of Things (IoT) describes any technology which: (a) enables devices or a group of interconnected or related devices to perform automatic processing of digital data, including technology related to the interconnection of devices, vehicles and buildings, with electronic components, software, sensors, actuators, radio links and network connections; (b) enables the collection and exchange of digital data in order to offer a variety of services to users, with or without human involvement. IoT is used in homes (such as “smart home” products), health, vehicles, industry and security systems to create a “smart net” that transfers information in real time, creating benefits such as saving money and time. Law 4961/2022 includes provisions for the use and application of IoT and imposes specific obligations on importers, distributors and providers of IoT devices in order to protect privacy and personal data. In the event of a violation, a fine ranging from EUR15,000 to EUR100,000 is imposed.

Biometric Identification

Biometric identification is used by Police Authorities as it contributes effectively to combating criminal activities for the purposes of public safety. Biometric identification systems through AI are “high risk” systems and fall into two categories: (a) those that use “unique” physiology characteristics such as facial recognition, fingerprints or iris recognition, and (b) those related to psychological factors such as voice analysis, psychological state, etc. In order for the processing of data based on biometric identification to be lawful, the competent authorities must adhere to the specific requirements provided by Law 4961/2022 regarding transparency obligations and algorithmic impact assessment.

Law 4727/2020 concerns digital governance in the public sector. The aim is to digitalise the public sector and provide suitable conditions for people and businesses to communicate with the public sector, using IT and communication technologies. The law provides in detail for the adoption of all the necessary measures and implementation of structures that enhance the option of citizens to directly communicate with state agencies, cutting through public sector bureaucracy and allowing the swift digital satisfaction of their requests. The creation of a digital state facilitates the daily life of Greek people because their requests (eg, issuance of certificates of all types) are satisfied immediately without having to visit in person the respective public agency. Apart from the above, there are no organisations that establish protocols for digital governance, AI or fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies. Until now, Greece has followed digitally and applied all regulations and developments at EU level. Major agencies in the public and private sectors make their own assessment and implement measures to achieve the above.

Further to what was discussed in 2.5 Enforcement and Litigation (Leading Enforcement Cases in Greece section), the most important decisions of the HDPA during 2023 concern infringement of the law by Greek banks and telecommunications providers. The HDPA imposed a penalty of EUR10,000 upon a major Greek telecommunications services provider concerning the processing of the data of a subscriber who had not consented to the use thereof for marketing and profiling purposes (decision 5/2023). The HDPA had previously imposed a penalty of EUR60,000 upon the same company for wrongfully forwarding to the complaining subscriber the recorded discussion between the provider and another subscriber instead of the recorded discussion with the complaining subscriber as per the complaining subscriber’s request. The HDPA imposed a penalty of EUR60,000 upon another major Greek telecommunications services provider for unsolicited SMS (decision 10/2023). The HDPA imposed a fine of EUR30,000 upon a major Greek bank for forwarding to a third party details of the bank account of a customer (decision 4/2023). The HDPA imposed another penalty upon the same bank for forwarding customers’ data to a debt collection company (decision 25/2023). A penalty of EUR50,000 was imposed upon the Public Transport Company for customers’ data processing (decision 30/2023). Lastly, penalties of EUR60,000 and EUR10,000 were imposed upon another major Greek bank for forwarding a customer’s data and failure to satisfy the right of access to personal data collected through the CCTV system respectively (decisions 35/2023 and 36/2023).

It is up to the parties to a corporate transaction to arrange the manner and conditions for the processing of personal data in compliance with the provisions of the law. Entities that have a scope which includes the processing of personal data are obliged to have respective policies in effect, which are subject to due diligence. Furthermore, the parties undertake specific obligations towards each other as to the treatment and the allowed processing of personal data of all companies involved in the transaction. Lastly, there are rules set by the HDPA concerning the provision of credit rating services and information on the financial status or insolvency of traders, and the HDPA has dealt in several cases with complaints regarding the processing of personal data by credit rating service providers or the refusal thereof to allow access to information and personal data by third parties (decisions 135/2017, 9/2017 and 6/2006).

Greek law does not, for the time being, include provisions mandating disclosure of an organisation’s cyber risk profile or experience. Law 5086/2024 provides for the establishment of the National Cybersecurity Authority, whose purpose is the organisation, co-ordination, implementation and control of an integrated framework of strategies, measures and actions to achieve a high level of cybersecurity in Greece.

The digital market for products and services in the EU is developing rapidly, and it is expected that in the future the majority of transactions will take place online. The EU has so far regulated specific areas related to the digital transactions of goods and services, in particular:

  • Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (P2B-Platform to Business): This Regulation sets out the rules to ensure that business users of online intermediation services and corporate website users in relation to online search engines are granted appropriate transparency, fairness and effective redress possibilities. The Regulation regulates the relations between commercial platforms and search engines on the one hand and business users on the other hand, who offer their goods or services to consumers.
  • Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market (DSM – Digital Single Market): This Directive establishes rules for the harmonisation of EU law on digital and related rights concerning digital and cross-border uses of protected content. Law 4996/2022 incorporated the Directive with the scope to maintain protection of intellectual property rights and related rights in works included in the transmission of television and radio programmes.
  • Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services (Digital Services Act – DSA): This Regulation establishes rules on the provision of intermediary information society services to recipients who are established within the EU, regardless of the place of establishment of the providers. The EU Digital Services Act came into force on 17 February 2024 and applies to all online intermediaries in the EU.
  • Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector (Digital Markets Regulation – Digital Markets Act – DMA): This Regulation sets out harmonised rules to ensure a fair digital environment in the EU, where access regulators exist. The Regulation applies to core platform services provided by access regulators to business users and end users located within the EU. The aim of the Regulation is to provide business platforms with the possibility to exploit their potential and to deal effectively with cases of unfair competition.
  • Proposal for an e-Privacy Regulation: The revision of Directive 2002/58 EC concerning the protection of privacy in the field of electronic communications has been announced in order to provide a higher level of privacy to users of electronic services.

The possibility of using technology and the many modern ways of communication enhance the quality of people’s life but also endanger the protection of privacy and personal data. The Greek legislator has declared that the use of technology is linked to private life, as reflected in the Constitution. See further 1.1 Laws.

Psarras, Georgountzou, Gavrilis - GKP Law Firm

8, Karneadou street
Athens 106 75
Greece

+30 2107217232

+30 2130993965

georgountzou@gkplaw.gr www.gkplaw.gr