Data Protection & Privacy 2020

Last Updated March 09, 2020


Law and Practice


Zepos & Yannopoulos is a leading Greek law firm renowned for its long heritage, legal acumen and integrity and strong international orientation. The long-established data protection & cybersecurity practice helps companies navigate the complex data protection and cybersecurity landscape, manage data, mitigate risks and effectively develop cutting-edge technologies. Clients include high-tech market leaders, pharmaceutical and insurance companies, commercial retailers and non-profit organisations. The team is involved with state-of-the-art projects, including products with AI capabilities, innovative applications for medical and insurance services and monitoring systems in the workplace. Regular work includes the design and implementation of privacy compliance projects, the performance of audits and the conduct of due diligence exercises in the context of M&A transactions. On an advisory level, the team consults in areas such as marketing campaigns, behavioural advertising and the operation of online shops, as well as on employment-related issues, such as whistle-blowing schemes and internal investigations.

The Greek Constitution provides the right to respect for private and family life; the right to be protected from the collection, processing and use of personal data; and that freedom of correspondence and secrecy of communications are fundamental human rights.

Also, Greece is a party to a number of international conventions and other similar instruments on privacy and data protection, most importantly including:

  • the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which is widely known as Convention 108+;
  • the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR); and
  • the Charter of Fundamental Rights of the European Union.

The main pieces of legislation governing the processing of personal data are the EU General Data Protection Regulation 2016/679 (the GDPR), which entered into force on 25 May 2018 and is automatically applicable in Greece, and Law 4624/2019 (the Data Protection Law), which entered into force on 29 August 2019 and whose purpose is to establish derogations and specify the provisions of the GDPR. It is worth noting that the Data Protection Law, apart from framing the GDPR, transposes the EU Police Directive 2016/680 into Greek legislation regarding personal data processing by public authorities in the context of prevention, investigation and detection of criminal offences.

Apart from the above, there are additional laws and regulatory decisions that apply to specific categories of personal data. Most importantly, Law 3471/2006 (the ePrivacy Law), which has transposed the EU ePrivacy Directive 2002/58/EC into Greek law, includes specific provisions on the processing of personal data in the electronic communications sector that deals, among other things, with marketing activities through electronic means and the use of cookies. Also, Directive 1/2011 of the Hellenic Data Protection Authority (HDPA) regulates the use of video surveillance systems.

The competent authority for monitoring compliance with the GDPR, the Data Protection Law and any other legislation relating to the processing of personal data is the HDPA, which is an independent public authority that existed long before the introduction of the GDPR. The HDPA has the power to conduct investigations, which can be initiated both ex officio and following a complaint.

In addition, the Hellenic Authority for Communication Security and Privacy (ADAE), another independent public authority, is responsible for monitoring the implementation of all legislation relevant to the lawful interception of communications. The task of this authority is to ensure the confidentiality of correspondence and communications; its competence includes, inter alia, issuing regulations and conducting audits on communications network service providers.

The triggering event for the HDPA to conduct an investigation and to impose sanctions is usually a complaint filed by an individual. The HDPA has published, on its official website, four different templates for the submission of complaints: (i) violations of the data subjects’ rights; (ii) marketing calls; (iii) unsolicited and spam emails and SMSs; and (iv) all other types of violation.

Before filing a complaint with the HDPA, the complainant should raise the matter with the controller; otherwise the HDPA may not review the complaint. Vague, unfounded or abusive complaints are not eligible for review. After a complaint is filed, or on an ex officio basis, the HDPA may initiate an on-site audit at the premises of the controller, which is conducted by the HDPA’s officers who are granted with extensive investigative powers.

While conducting an audit, the HDPA has the right to obtain access to all personal data processed and perform checks on the IT infrastructure. This right is not subject to objections of confidentiality or secrecy, except for national security purposes or for the investigation of serious criminal offences. Also, in the context of these audits, the HDPA has the right to issue warnings to the controllers or processors of data, to command and impose temporary or definitive restrictions on the processing of personal data and to seize documents, data, and filing systems.

If a violation is found, the HDPA may impose the administrative sanctions set out in the GDPR, namely corrective actions and fines. As regards fines to public bodies, the Data Protection Law sets a maximum threshold of EUR10 million. The HDPA’s decisions are subject to an application for revocation (annulment) before the Council of State.

Besides the administrative process set forth above, a claimant has the option to initiate criminal (following a criminal complaint) and civil (following the filing of a lawsuit against a data controller and/or processor) proceedings. In civil proceedings the usual requests are the cessation of the unlawful data processing and the adjudication of compensation for damages and moral distress.

Other than the GDPR, various EU Directives on privacy, personal data in electronic communications and the neighbouring area of cybersecurity have been transposed into Greek law, including the Police Directive 2016/680, the ePrivacy Directive 2002/58/EC, the PNR Directive 2016/681 and the NIS Directive 2016/1148.

There are only a few recently founded NGOs in Greece which are actively involved in fostering privacy. The most active NGOs in this area are the Hellenic Association of Data Protection and Privacy, also known as HADPP (, founded in 2017 mostly by academics and privacy professionals, and Homo Digitalis ( founded in 2018 by young privacy professionals.

HADPP aims to raise public awareness of potential risks, acknowledge data-protection vulnerabilities and help improve the business response to (and standards of) data protection. Homo Digitalis mainly focuses on the protection of internet users and aims to ensure the protection of fundamental rights and freedoms in the digital world.

To the best of our knowledge, there are no self-regulatory organisations operating in Greece.

The GDPR is globally recognised as the “gold standard” on data protection, setting increased obligations on entities processing personal data and recognising extended data protection rights of individuals. Additionally, the Data Protection Law includes additional restrictions and limitations on the processing of certain categories of personal data.

The HDPA has traditionally been considered one of the most rigid supervising authorities within the EU, not on the basis of the size of the sanctions imposed, but due to its consistent and rigorous approach relating to the lawfulness of different types of processing activities (eg, employees’ data, whistle-blowing schemes, biometric databases, geolocation systems, CCTV and marketing calls). The enforcement actions of the HDPA have become significantly stricter as of the entry into force of the GDPR.

Taken together, the application of the GDPR and the Data Protection Law, which create a robust legal framework, along with the increased enforcement activities of the HDPA, could classify the Greek legal and regulatory data protection framework as a rigorous regime on a global scale.

The most significant development during the last 12 months was the enactment of the long-awaited Data Protection Law, which introduced further derogations and specified some of the provisions of the GDPR.

On 24 January 2020 the HDPA issued its Opinion 1/2020, in which it expressed serious reservations on the compatibility of certain provisions of the Data Protection Law with the GDPR and the ECHR, including more importantly the additional bases allowing for the further processing of personal data, the restrictions on the rights of data subjects and the extensive exemptions from the provisions of the GDPR in cases of data processing in the context of the freedom of expression, including for journalistic purposes. 

Also, the HDPA has issued some useful guidelines and tools, which can be found on its official website, in order to facilitate the application of the GDPR, including an indicative list of the processing activities which require a Data Protection Impact Assessment (DPIA), template registries of processing activities, standardised notification forms for data breaches, template complaint forms and standardised applications for prior consultation with the HDPA.

In terms of audits and sanctions, the HDPA has recently issued a number of decisions and has imposed significant fines, mainly for violations relating to the processing of employees’ personal data, lack of appropriate technical and organisational measures, violation of the principles of privacy-by-design and privacy-by-default, refusal to satisfy the right of access and unlawful operation of a CCTV system.

At the EU level, the European Data Protection Board (EDPB) has published, during the last year, a significant number of guidelines on codes of conduct, processing of personal data through video devices, the principles of privacy-by-design and privacy-by-default and the right to be forgotten by search engines.

At EU level, there are still pending discussions on the enactment of the ePrivacy Regulation.

Moreover, significant guidance is expected from the EDPB; this, according to its strategic Work Program 2019/2020, will focus on specific issues and technologies, including connected vehicles, blockchain and new technology projects, such as AI and connected assistants, as well as the targeting of social media users and children’s data. The EDPB also plans to update the existing guidelines of its predecessor, namely the Article 29 Working Party (WP), on the concepts of controller and processor and the notion of legitimate interests of the controller.

Within the first quarter of 2020, we are also expecting the final judgment of the CJEU in the Schrems II case on the validity of the EU Standard Contractual Clauses as a mechanism to transfer personal data outside the EU/EEA.

Another hot issue is the impact of a possible Brexit on the transfer of personal data to and from the UK. In particular, regulatory guidance is expected as regards data transfers to and from the UK that will be effected after the end of 2020; since, based on a recent statement of the ICO, no additional requirements will need to be met for such data transfers during the transition period. Although an adequacy decision is most likely to be adopted by the EU Commission, until this happens, controllers who are established in the EU/EEA and who transfer personal data to the UK should rely on other appropriate safeguards, including the execution of the standard contractual clauses.

At national level, we expect additional guidance, more audits and enforcement actions by the HDPA, as well as the first court judgments on the interpretation of the Data Protection Law. Also, following the reservations expressed by the HDPA on the compatibility of many provisions of the Data Protection Law with the GDPR and the ECHR, there have been strong calls from within the privacy community in Greece requesting the amendment of the Data Protection Law, so legislative procedures may be initiated to this end.

The Greek data protection legislative framework is largely comprised of the GDPR and the Data Protection Law. The basic features of the Data Protection Law, which makes use of most of the derogations of the GDPR, are the following:

  • there is a more favourable treatment of public entities when acting as controllers (eg, further legitimate bases, additional exemptions on the exercise of the data subjects’ rights and a maximum threshold on administrative sanctions);
  • the further processing and disclosure of personal data is allowed in certain circumstances specified in the law;
  • significant limitations are introduced on the data subjects’ rights, especially for the purposes of freedom of expression and journalistic purposes;
  • limitations and further safeguards are provided on the processing of certain categories of personal data, including sensitive personal data, genetic data and employees’ personal data;
  • the minimum age for children’s consent in the context of information society services is lowered to 15 years of age; and
  • no provision exists authorising the processing of criminal data, which means that in principle the processing of such data is not allowed unless there is a sector-specific provision explicitly providing for its processing.

The requirement to appoint a Data Protection Officer (DPO) is not explicitly addressed in the Data Protection Law, but applies by virtue of the GDPR with the requirements set forth therein. The HDPA has published a template for the formal appointment of DPOs which requires the DPO to speak the Greek language, but practically this obstacle can be overcome in the case of group DPOs by appointing, in addition to the DPO, a local liaison.

The processing of ordinary personal data should be based on one of the legal bases provided in Article 6 of the GDPR, including consent, performance of a contract, compliance with a legal obligation and the existence of an overriding legitimate interest of the controller.

With respect to the legal bases for the processing of special categories of personal data ("sensitive data"), their processing is prohibited, unless the data subject has granted explicit consent or the processing relies on one of the limited lawful bases provided by the GDPR and the Data Protection Law. Apart from the obligatory legal bases stipulated in the GDPR, the Data Protection Law has made use of all available lawful bases for the processing of sensitive data, which are mainly included in Article 9, 85, 88 and 89 of the GDPR. Special reference should be made to the following provisions:

  • the lawful basis of “substantial public interest” applies only to public entities;
  • there are special provisions dealing with the further processing and the further disclosure of personal data, including sensitive data – these provisions set different requirements for this further processing and disclosure depending on whether the controller is a public or a private entity;
  • the processing of personal data, including sensitive data, in the context of freedom of expression, including for purposes of academic, journalistic, artistic or literary expression is extensively permitted, whereas many sections of the GDPR altogether do not apply when the processing is conducted for such purposes; and
  • the processing of genetic data is explicitly not permitted for life and health insurance purposes.

Specific legal bases are provided for the processing of employees’ personal data in the context of employment (see 2.4 Workplace Privacy).

In addition, the Data Protection Law provides that public bodies and private entities can lawfully process personal data for purposes other than the one for which they were initially collected and that public bodies can lawfully disclose personal data for different purposes in certain instances. As explained above, the HDPA has expressed reservations on the legality of these provisions.

Furthermore, processing for journalistic, academic, artistic and literature purposes is allowed when:

  • the data subject has provided his or her consent;
  • the personal data processed has been publicly disclosed by the data subject; and
  • the right to freedom of expression and information overrides the data subject’s right to the protection of his or her personal data, in particular for issues of general interest or when the personal data of public persons is concerned.

In all the above cases the processing is restricted to the minimum necessary amount, in particular when it comes to sensitive and criminal data.

Moreover, the Data Protection Law specifies the grounds on which sensitive data can be processed for archiving purposes in the public interest, for scientific or historical research purposes, and for statistical purposes. These grounds are discussed in 2.2 Sectoral and Special Issues.

The principles of “privacy by design” and “privacy by default” are both expressly provided for in Article 25 of the GDPR and stipulate that, already at the time of determination of the means of the processing, controllers should implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects (“privacy by design”), whereas the settings of the system processing the personal data should by default ensure that only the personal data necessary is collected and processed (“privacy by default”). The Data Protection Law does not include any additional provisions on these concepts. Having said this, the EDPB has issued its Guidelines 4/2019, which provide guidance on the application of these concepts. It is also worth noting that the HDPA recently imposed a high fine to a major telecoms operator in Greece for failure to comply with the above-mentioned principles.

In Greece, a DPIA is only required when the requirements of Article 35 of the GDPR apply. In an effort to interpret such provisions, the HDPA has issued a non-exhaustive list of processing activities that require the carrying out of a DPIA, which include the following activities:

  • customer screening by a financial institution on the basis of credit reference data or anti-money laundering or fraud data;
  • automatic refusal of insurance coverage;
  • customer screening against a credit reference database in order to decide whether to offer a loan or not;
  • profiling for marketing purposes when the data is combined with data collected from the third parties;
  • video surveillance systems over public areas or a private area accessible to an unlimited number of persons;
  • large scale systematic processing of data of high significance or of a highly personal nature (such as, data concerning unemployment, poverty, or electronic communications);
  • systematic processing of the position/location of employees;
  • metadata of employee communications;
  • data loss prevention systems; and
  • processing of biometric data for the purpose of uniquely identifying a person.

The obligation for controllers to implement internal policies setting forth guidelines on the processing of personal data, although not expressly stipulated in the GDPR, derives from the principle of accountability, pursuant to which a controller shall be responsible for, and able to demonstrate, compliance with the data protection principles.

Furthermore, controllers are required to provide, to the individuals whose personal data is processed, privacy notices informing them how their personal data will be processed. Such privacy notices shall as a minimum include the information stipulated in Articles 13 and 14 of the GDPR. The Data Protection Law provides a number of exemptions on the obligation for controllers to provide privacy notices to data subjects, which are different depending on whether the controller is a public or a private entity.

Although the GDPR provides extended rights to individuals (the rights of access, rectification, erasure, restriction of processing, data portability and objection), the Data Protection Law introduces significant limitations. The HDPA has criticised the extensive size of these exemptions and it remains to be seen how it will interpret these exemptions in its future decisions.

There is a blanket provision stipulating that the data subject’s rights do not apply when the processing is conducted in the context of freedom of expression. Also, the right of access cannot be exercised, and the right to erasure is replaced with the right of restriction, on a number of occasions. Additionally, the right to object does not apply against a public entity when the processing is carried out for the purposes of an overriding, compelling public interest or when legal provisions necessitate the data processing. Other exemptions also apply to the rights of access, rectification, restriction and objection when the processing takes place for archival purposes in the public interest or relates to scientific, historical and statistical purposes.

Anonymised data is not covered by the ambit of the GDPR and the Data Protection Law. On the other hand, the processing of pseudonymised data, and arguably also of de-identified data, should be conducted in compliance with such laws.

The anonymisation, de-identification and pseudonymisation techniques are technical measures used for data security and their importance is highlighted both in the GDPR and in the Data Protection Law. By way of example, pseudonymisation is expressly listed in the GDPR as one of the security measures that should be used by controllers and processors. The Data Protection Law identifies pseudonymisation as one of the required measures when processing sensitive data, whereas its anonymisation is required, when the data is no longer necessary for the scientific or statistical purposes for which it was processed.

Aside from the provisions of the GDPR, automated decision making and profiling are not dealt with in the Data Protection Law. In short, the GDPR provides that data subjects have the right not be subject to a decision based solely on automated processing, including profiling, unless this is based on the consent of the data subject, it is necessary for entering into a contract or it is authorised by EU, or EU member state, law. Moreover, the GDPR provides for increased measures for safeguarding the data subject’s rights and legitimate interests in cases of automated decision making. Profiling activities will in most cases also require the conduct of a DPIA.

With respect to AI, there are no specific provisions; however, both the GDPR and the Data Protection Law apply, as both pieces of legislation are drafted in a technologically neutral manner.

The Data Protection Law does not include specific provisions on the concept of “injury” or “harm”. In civil proceedings requesting the award of damages, the plaintiff should claim, and be able to prove, that he or she has suffered harm due to the unlawful behaviour of the defendant. Harm, which is interpreted in the light of the relevant provisions of the Greek Civil Code, includes any pecuniary damage in the form of positive damages or loss of profits, as well as moral distress, including damage to reputation. It is also worth noting that according to the WP Guidelines on notification of personal-data breaches, significant adverse effect on an individual that can result in physical, material or non–material damage, may include damage to reputation, identity theft or fraud, financial loss or any other significant economic or social disadvantage.

Under the GDPR, sensitive data is defined as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and genetic data, biometric data, health data, and data concerning a natural person’s sex life or sexual orientation. On the basis that sensitive data reveals more “intimate” information about individuals, it is granted additional protection.

When sensitive data is being processed, the controller shall take suitable and specific measures to ensure the protection of the interests of the data subjects, including implementation of technical and organisational measures, encryption or pseudonymisation of personal data, appointment of a DPO, restrictions on access rights from the controller and its processors, etc.

Financial data is not classified as sensitive data. Despite this, the HDPA has issued several sector-specific regulatory decisions governing the lawful operation of databases including financial information, which remain applicable after the entry into force of the GDPR. More importantly, the HDPA has set forth the conditions for the lawful operation of the main centralised database of the Greek banks, which includes negative financial information about individuals, as well as requirements for the legality of databases retained by credit scoring agencies for providing information on the credit worthiness of individuals. Furthermore, Law 4537/2018, which transposed the EU PSD2 Directive 2015/2366, includes special provisions on the processing of personal data through payment systems and by payment service providers.

External communications data and the content of communication (text in messages and voice telephony) are not considered sensitive data, however both categories are protected by the secrecy of communications. For more information on the conditions for lifting of the secrecy of communications please see the analysis in 3.1 Laws and Standards for Access to Data for Serious Crimes.

The GDPR and the Data Protection Law include several provisions which aim to protect minors' personal data. Among other things, any privacy notice addressed to children should be drafted in clear and plain language that a child can easily understand. Also, the processing of a child’s personal data in the context of information society services offered directly to a child, is lawful only if the child is at least 15 years old and has provided his or her consent.

The Data Protection Law does not include any provision on the processing of personal data that relates to criminal convictions and offences. Therefore, any processing of such data shall be performed only on the basis of Article 10 of the GDPR, namely where specifically authorised by specific provisions of the Greek law that provide appropriate safeguards.

Under the ePrivacy Law, the use of cookies, beacons and other similar technologies is, in principle, allowed with the user’s explicit consent. As an exception, no consent is required for the use of technical and necessary cookies, namely cookies used for the transmission of the electronic communication or for the provision of a service explicitly requested by the user. On the contrary, social plug-in tracking cookies, third-party advertising cookies and analytics cookies require the opt-in consent of the user. In light of the judgment of the CJEU in the Planet49 case, pre-ticked boxes do not constitute valid consent for the use of cookies and the information notice that should be provided to web users prior to giving consent should include clear and comprehensive information on the functionality of each cookie, the data retention periods, any recipients and any other information required under the GDPR.

In terms of behavioural advertising, the EDPB has reaffirmed the WP Opinion 2/2010 on online behavioural advertising, whereby a controller has to obtain the data subject’s prior consent in order to place the cookies necessary to engage in behavioural advertising. Also, behavioural advertising would require the conduct of a DPIA. As regards viewing and browsing data, no specific rules govern their use, so their processing could mainly rely on the user’s consent or an overriding legitimate interest of the controller.

In relation to search engines, according to the WP Opinion 1/2008, the collection and processing of personal data by search engines may be based on the data subject’s consent, the necessity of performing a contact where the data subject provides his or her personal data in order to sign-up for a certain service, or the necessity for the pursuit of a legitimate interest of the controller or a third party except where such interests are overridden by the interests of the data subject. In terms of the processing of personal data in the context of online services, the EDPB issued its Guidelines 2/2019, in which it discusses the criteria that need to be considered in order to determine when processing is necessary and not merely useful for the execution of the services or whether another legal basis is more appropriate.

Marketing activities through electronic means are governed by the ePrivacy Law, which sets different rules depending on the channel of communication involved. Such rules apply irrespective of whether the recipient of the marketing activity is an individual or a legal entity.

Telemarketing Calls Conducted by Call Operators

Telemarketing calls are permitted, even without the opt-in consent of the recipient, provided that they are performed by call operators (ie, are not automated calls) and the recipients of the calls have not requested to be deregistered from the marketing list retained by the entity on behalf of which the calls are performed and have not registered themselves with the special registries of telecom companies for refusing such calls (opt-out consent). This means that if the entity to be advertised relies on the opt-out consent, it should consult on a regular (monthly) basis all the separate registries of the telecom companies operating in Greece.

Email, SMS and MMS

Emails, SMS and MMS with marketing materials can be sent even without the opt-in of the recipient, if the entity that conducts the marketing uses the email address or mobile phones that it has lawfully collected in the context of the sale of goods or services or for the facilitation of similar purposes, provided that this entity: (i) informs the recipient at the time of the collection of the data and in every communication, in a clear and explicit manner, of the right to object to the processing of his or her data in an easy manner and without any cost and provides a valid address to this end; and (ii) informs the recipient in every communication, and in a clear manner, of the identity of the sender or the person on behalf of which the communication is made.

Other Media of Electronic Communications

All promotional activities conducted through electronic communications, other than the ones analysed above, are not allowed unless the recipient has granted his or her prior opt-in consent. This situation relates particularly to advertising conducted through automated telephone calls and faxes. The HDPA has issued Directive 2/2011, which sets out the legal requirements for the validity of such an opt-in consent when given by use of electronic means. Although the double opt-in consent is considered as best practice, it is not strictly required.

Last but not least, the GDPR applies as regards marketing conducted through messaging applications, such as WhatsApp, Viber and Facebook, which are classified as information society services (as opposed to electronic communications services). In this respect, the safest solution is for the entity that intends to conduct the marketing activities to obtain the opt-in consent of the recipients, instead of relying on its legitimate interest.

According to the Data Protection Law, employee personal data may, in principle, be processed when this is necessary for the performance of the employment contract and it is strictly required during the recruitment process. A novelty of such law is that it allows the processing of employees ordinary and sensitive data, on the basis of a collective labour agreement.

The consent of employees is only exceptionally recognised as a valid legal basis in the employment context and should generally be avoided. For such consent to be valid, it should be clearly distinguished from the employment agreement and should be freely given. The criteria for determining whether the consent is provided freely are the existing dependence of the employee and the circumstances under which consent was obtained.

The sensitive data of employees may be processed under the legal bases provided in the GDPR, or when it is necessary for the exercise of rights or fulfilment of legal obligations stemming from employment or social security law and the employee’s legitimate interest does not override the employer’s legitimate interest.

As regards cameras in the workplace, CCTV may only be lawfully operated in the premises of the employer if it is necessary for the protection of persons and assets. Employees must be specifically informed about the use of the CCTV system, whereas any personal data recorded through that system shall not be used as criteria for evaluating the employee’s performance.

The prevailing position in Greece is that the preventive monitoring of employee’s communications is not allowed. However, in exceptional circumstances, when there is an overriding legitimate interest of the employer, the latter may review the use of communications systems of employees, provided that the employees have been appropriately informed of this possibility prior to any such review and the review is conducted in line with the principles of necessity and proportionality (eg, limitation on the employees under review, search by key words).

Labour organisations and work councils are not active in matters of data protection. According to HDPA’s Guidance 115/2001, however, the representatives of employees should be notified and given the opportunity to express their opinion before any monitoring method is implemented in the workplace.

There is no specific legislation or regulatory framework on whistle-blower protection; therefore, the relevant pieces of legislation are the GDPR and the Data Protection Law, whereas useful guidance is provided in the WP Opinion 1/2006. Under the current regime, the HDPA seems to adopt the view that the matters which can be reported through a hotline should be primarily limited to those covered by the WP Opinion above, namely accounting, internal accounting, controls, auditing matters, fight against bribery, banking and financial crime. Anonymous reporting in the context of whistle-blowing schemes is allowed, but should not be encouraged as the usual way of reporting. In an individual case, the HDPA held that the employer is obliged to provide the identity of the reporter to the incriminated person, when the latter exercises the right of access.

The HDPA has the power to conduct an investigation either on its own initiative or following a complaint. While conducting such investigations the HDPA can obtain access to all the information owned by the controller or processor that is necessary for the investigation, while no secrecy restriction can be put forward.

The Data Protection Law provides that the HDPA may:

  • issue warnings to a controller or processor concerning the non-compliance of certain processing activities with the Data Protection Law;
  • order the controller or processor to comply in a specific manner, and within a specific period of time, with the provisions of the Data Protection Law, in particular in ordering the rectification or erasure of data;
  • order and enforce the temporary or permanent restriction or prohibition of processing activities;
  • order and enforce the submission of documents, systems of archiving, equipment or means of processing, as well as their content; and
  • proceed to confiscation of documents, information, archiving systems, equipment or mean infringing the protection of personal data, as well as their content, which comes to its attention during an investigation.

As mentioned in 1.3 Administration and Enforcement Process, the HDPA has the power to impose the administrative sanctions provided by the GDPR, which as regards public bodies, cannot exceed the amount of EUR10 million.

The HDPA has dealt with a number of cases and has imposed several fines during the last 12 months, including:

  • EUR150,000 to a multinational auditing company for unlawful processing of employees’ personal data on the basis of consent;
  • EUR200,000 to a major telecoms company for violations of data protection by design and of the principle of data accuracy, affecting for several years a large number of individuals;
  • EUR200,000 to a major telecoms company for violation of data protection by design and for failure to effectively comply with the data subject’s right to object to processing for direct marketing purposes;
  • EUR15,000 to a shipping management company for unjustifiably refusing to satisfy the right of access of a former employee and for having installed a CCTV system which violated the privacy of all employees; and
  • EUR150,000 to a marine fuel company for not taking any steps to comply with the GDPR and for violating the principle of secure processing, leading to the unlawful copying and disclosure of employees’ personal data.

Also, the HDPA has recently conducted several ex officio audits on Greek websites and on auditing companies and has issued a number of warnings for controller's failures to comply with the data protection legislation.

As regards civil litigation, no major litigation cases under the GDPR have been publicly available. Unlike the US system, the Greek legal system does not provide for class actions. However, pursuant to the Greek Civil Procedure Code, more than one plaintiff may file a claim against the same defendant. Also, the GDPR and the Data Protection Law provide the possibility for data subjects to be represented by a non-profit body, organisation or association.

Access to personal data by law enforcement authorities in Greece is governed by a combination of data protection legislation, the provisions governing the secrecy of communications, the Code of Criminal Procedure and the EU Police Directive 2016/680, as it has been transposed into Greek law.

The most pivotal question at the beginning of any investigation by Greek authorities is whether the personal data in question is protected by secrecy of communications. Personal data that is protected by the secrecy of communication includes both the content, as well as the external elements of communications, for which increased warranties apply.

Personal Data Protected by the Secrecy of Communications

Pursuant to Law 2225/1994, which is the applicable law on law enforcement requests for the disclosure of data protected by the secrecy of communications (such as time of app store transactions, “find my device” data, location data, call and messaging logs etc), the following conditions should be met for the lawful request of such data:

  • the criminal offence for which the investigation is conducted must be one of the particularly serious felonies which are identified specifically in this law (eg, high treason, assault of government officials, torture, arson, terrorism, murder, robbery, felonious theft and felonious blackmail); and
  • the request should be in the form of a Court Justices’ Council order.

If the above conditions are met, the entity receiving the request is obliged to provide the data to the authorities. If the request is in the form of a prosecutor’s order, which is usually the case, the entity receiving the request is not obliged to provide the requested data, but instead it is permitted to do so, following a balancing test for assessing whether the data request is necessary and proportionate in the context of the investigation.

Personal Data Not Protected by the Secrecy of Communications

In cases where the personal data requested by the authorities is not covered by secrecy of communications (eg, CCTV footage, employee records, client records), the conditions are less strict. A public entity or police authority can request personal data from a controller, if it deems this necessary for the prosecution of the crime without necessarily requesting the issuance of a judicial order. The controller in this case needs to perform the above-mentioned balancing test by assessing what is strictly necessary to assist the authorities in investigating and prosecuting the crime. In this respect, the GDPR and the Greek Data Protection Law allow controllers to lawfully disclose personal data, which has been collected for a different purpose, to public authorities for the prosecution of criminal offences, unless, based on the specific circumstances of the case, the right of the individual not to have his or her personal data disclosed, overrides.

The distinction mentioned above in 3.1 Laws and Standards for Access to Data for Serious Crimes, between personal data that is protected by secrecy of communications and personal data that is not, also applies in access requests for national security purposes.

As regards communication data, the restrictions are much more limited in comparison to access requests for “serious crime”. Any judicial, political, military or police authority which is tasked with matters of national security can file a request with a competent prosecutor who will decide within 24 hours whether special circumstances of national security warrant lifting the secrecy of communications. It is clear that, in such cases, the legislature wanted a procedure that can move fast and with little bureaucratic burden, enabling the authorities to effectively combat terrorist threats.

In the case of non-communication data, the same conditions apply as in 3.1 Laws and Standards for Access to Data for Serious Crimes. The Greek Data Protection Law provides blanket permission for both public bodies and private entities to disclose personal data to authorities when such disclosure is deemed necessary for “the prevention of threats to national or public security or national defence”. The controller is, however, burdened with carrying out the test of necessity and proportionality explained above.

There is no explicit legal basis in Greek law that allows a private entity to directly transfer data to foreign political, police or judicial authorities. In principle, personal data can be transferred to foreign authorities for the purpose of criminal prosecution by the competent Greek authorities and under the conditions and the safeguards provided in the European Convention on Mutual Assistance, the Greek Code of Penal Procedure and Mutual Legal Assistance Treaty (MLAT), to which Greece is a signatory.

This means that a foreign authority should address the request to the competent public authority in Greece and not directly to the private entity holding the personal data, which should in turn examine the request and issue an order to the private entity established in Greece to provide the data. Following provision of the data by the private entity, the Greek public entity should disclose these to the foreign public entity under the MLAT.

Aside from the permissibility or obligation of disclosing the personal data to foreign entities, any transfer of personal data to foreign entities located outside the EU/EEA should satisfy the requirements of Chapter V of the GDPR. Among others, data transfers may be conducted when a foreign enforcement agency requires a controller or processor to transfer or disclose personal data to such an agency only on the basis of MLAT.

Notably, the application of the US CLOUD Act, which gives US law enforcement authorities the power to directly request data from entities located outside the US, and which consequently has extraterritorial effect, can conflict with the above-mentioned provisions of the GDPR. In an effort to shed some light on this issue, the EDPB and the European Data Protection Supervisor (EDPS) concluded that only in very limited cases would an EU-based entity be able to respond to an order by US enforcement agencies on the basis of the US CLOUD Act.

Other than the installation of cameras in public spaces, the Greek State has not yet made use of “privacy-intrusive” technologies, such as AI, facial recognition and biometrics, as means of citizen surveillance. This being the case, and unlike other jurisdictions, there is currently no public debate on the use of these surveillance methods.

Personal data can be transferred within the EU and the EEA freely. On the other hand, data transfers outside the EU and the EEA are in principle prohibited, unless the conditions set out under Chapter V of the GDPR are met.

In principle, the mechanisms that satisfy the conditions of the GDPR for transfers outside the EU and EEA countries are the following:

  • A decision issued by the EU Commission, pursuant to which the data protection regime of the country in which the data importer is established is ruled to provide an adequate level of data protection; among others, the EU Commission has declared that the EU-US Privacy Shield, in which US-based entities may freely participate, provides an adequate level of data protection.
  • Standard contractual clauses entered into between the data exporter and the data importer; currently there are three sets of model clauses that have been adopted by the EU Commission, namely two sets that can be used for data transfers between controllers and one set that can be used for transfers from controllers to processors (given that the existing model clauses were drafted before the entry into force of the GDPR, these clauses are expected to be revisited by the EU Commission).
  • Approved binding corporate rules, namely intra-group rules that govern the processing of personal data within a group of undertakings which have been approved by the competent EU supervisory authority.
  • Ad hoc contractual clauses approved by the competent supervisory authority; as yet, the HDPA has not approved any such clauses.

The GDPR also provides for derogations for specific situations that allow data transfers even if the conditions above are not met (on the basis of the data subject’s consent or when necessary for the performance of a contract), but these derogations should be interpreted narrowly and apply only in exceptional circumstances.

Unlike the previous regime, no notifications and approvals are required for the transfer of personal data outside the EU/EEA.

As an exception, a notification is required with the HDPA when there are no other grounds to legitimate the data transfer and the transfer meets certain conditions – ie, is not repetitive, concerns a limited number of data subjects and is necessary for the compelling and overriding legitimate interests of the controller.

In principle there are no data localisation requirements set forth in Greek law. On the contrary, the EU Free Flow of Non-Personal Data Regulation 2018/1807, which entered into force on 28 May 2019, prohibits, as a rule, member states from imposing requirements on where data should be located.

This being said, Law 3917/2011, which transposed into Greek law the EU Data Retention Directive 2006/24, stipulates that the providers of publicly available electronic communications services and of public communications networks should store specific traffic and location data and related data necessary to identify the subscriber or user, in physical media which should be exclusively located within the Greek territory.

There are no specific provisions requiring the sharing of software codes or algorithms or other similar technical details with the government.

Please refer to 3.3 Invoking a Foreign Government.

There are no relevant “blocking” statutes in Greece. Only Law 4605/2019, which transposed EU Trade Secrets Directive 2016/943, provides restrictions in relation to obtaining, using and disclosing trade secrets.

Most contemporary technological issues have not been directly addressed by the Greek legislature. Having said this, the GDPR and the Data Protection Law can apply to all new technologies, since they are both technologically neutral pieces of legislation. Also, importance guidance on these issues is provided by the EDPB and the WP.

Furthermore, an investment law that was passed in October 2019 explicitly provided for a “National Broadband Plan” which establishes, among others, specialised committees for driving investments in 5G, smart-city and IoT technologies. This should be considered as an indicator that Greek policymakers actively seek to include novel technologies in their agendas.

Regarding the operation and piloting of drones, the legal landscape is similar to most EU member states and will be in effect until June 2020, when the EU Regulation 2019/945 and Regulation 2019/947 will enter into effect and establish a harmonised legal system for drones. The current regime does not introduce specific rules on the protection of personal data; however, it clearly provides that all pilots should comply with applicable data protection legislation and provides that the Hellenic Civil Aviation Authority should collaborate with the HDPA in case of any violation of privacy related to the use of drones.

It is not common in Greece for organisations to establish fair data practice review boards or protocols for digital governance. In 2018 the Ministry of Justice formed a committee to assess the effect of AI in judicial proceedings, but the report of the relevant committee is still pending.

Please see 2.5 Enforcement and Litigation.

The compliance of a company with data protection legislation has become an essential part of due diligence checks and Greek corporate transactions are no different in this regard.

The main compliance check consists of reviewing all data protection related documents used by the target both internally and externally, including:

  • the records of processing activities that should provide a comprehensive snapshot of the target’s databases, corporate activities that involve processing of personal data, the data subjects and the categories of data being processed, the recipients of the data, possible transfers outside the EU, as well as the data retention periods;
  • internal data protection policies and procedures (eg, a data breach response plan, a policy for the handling of subject’s requests and data retention policy);
  • privacy notices and, when required, consent forms (eg, for employees, customers and suppliers);
  • data processing agreements with service providers that have access to personal data; and
  • data Protection Impact Assessments on “sensitive” databases.

Greek law does not contain any blanket provision that establishes an obligation to disclose cybersecurity profiles for all companies. There are, however, rules obliging certain companies, which are under special legal regimes, to communicate cybersecurity related information to the competent authorities. These include the following entities:

  • Operators of Essential Services (OESs) and Digital Service Providers (DSPs), which have the obligation to conduct a cybersecurity “self-evaluation” report and present it to the National Cybersecurity Authority (NCA); the report shall be drafted on a yearly basis and upon the NCA’s request.
  • Payment Services Providers, which should include in their application requesting the issuance of a licence for operating in Greece a complete profile and policy on information security, as well as a detailed risk assessment of potential threats to users and the envisioned security measures that should be implemented to mitigate these threats.
  • Financial institutions, which are obliged to maintain a detailed IT Security Policy which shall be approved by the Bank of Greece and should include risk assessments for the institution’s general activities, but also specific risk assessments for every substantial IT project that the institution undertakes.

During the last year there have been significant developments in the neighbouring field of cybersecurity.

In particular, EU NIS Directive 2016/1148 has recently been transposed into Greek law by Law 4577/2018, which set a range of network and information security requirements to OESs and DSPs. OESs include enterprises in the energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure sectors, and DSPs include cloud service providers, online marketplaces and search engines.

Importantly, under the new regime, OESs are obliged to notify incidents in their security and information systems that have a significant impact on the continuity of their essential services, whereas DSPs should notify incidents that have a substantial impact on the provision of the services that they offer. These notifications should be filed with both the National Cybersecurity Authority, namely the Cybersecurity Directorate of the General Secretariat of Digital Policy within the Ministry of Digital Governance, and the Greek CSIRT, which is the Cyberdefence Directorate of the Hellenic National Defence General Staff.

Zepos & Yannopoulos

280 Kifissias Ave
152 32 Halandri

+30 210 69 67 000

+30 210 69 94 640
Author Business Card

Law and Practice


Zepos & Yannopoulos is a leading Greek law firm renowned for its long heritage, legal acumen and integrity and strong international orientation. The long-established data protection & cybersecurity practice helps companies navigate the complex data protection and cybersecurity landscape, manage data, mitigate risks and effectively develop cutting-edge technologies. Clients include high-tech market leaders, pharmaceutical and insurance companies, commercial retailers and non-profit organisations. The team is involved with state-of-the-art projects, including products with AI capabilities, innovative applications for medical and insurance services and monitoring systems in the workplace. Regular work includes the design and implementation of privacy compliance projects, the performance of audits and the conduct of due diligence exercises in the context of M&A transactions. On an advisory level, the team consults in areas such as marketing campaigns, behavioural advertising and the operation of online shops, as well as on employment-related issues, such as whistle-blowing schemes and internal investigations.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.