Data Protection & Privacy 2025

Last Updated March 11, 2025

Greece

Law and Practice

Authors



Psarras, Georgountzou, Gavrilis - GKP Law Firm is a law firm based in Athens. The law firm today counts 10 lawyers at its offices in Athens and has an effective network of other lawyers throughout Greece. Our law firm is well-established in all areas of regulation, especially in corporate law, finance, banking, employment, IT, energy, media, and pharma, as well as in real property and construction. Our clients consist mainly of foreign companies active in Greece through a subsidiary or a branch office or on a project basis, and we assist them in negotiating, contracting and monitoring the performance of contracts or investments in Greece, in the public or private sector, including M&A. We have assisted in the setting up of distribution networks in various fields (especially vehicles, IT, food and drink, pharma) and have vast experience in all aspects of commercial law, especially agency, distribution and franchising, as well as an excellent track record in IP and competition law issues.

The fundamental provisions for privacy and data protection in Greece are the following in order of priority:

The Treaty on the Functioning of the EU (TFEU) and Regulation (EU) 2016/679

Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR) is the main legislation for the protection of personal data. The GDPR is directly applicable in Greece and supersedes any provision of national law, including the Constitution. The GDPR provides for the imposition of penalties (Article 83), as well as the obligation to compensate for damages incurred (Article 82) in case of violation of its provisions.

Constitution

The Greek Constitution sets out the basic principles for the privacy of communications and the protection of personal data. The articles regarding fundamental individual rights are included in the chapter. More specifically:

Article 9A of the Constitution establishes protection from the processing, collection and use of personal data and provides for establishing an independent authority to safeguard such rights. In 1997, the Hellenic Data Protection Authority (HDPA) was established according to Law 2472/1997.

Article 19 of the Constitution establishes the privacy of correspondence (namely post/mail, which is the oldest form) and the freedom of communications in general and provides for establishing an independent authority to safeguard such rights. In 2003, the Hellenic Authority for Communication Security and Privacy was established according to Law 3115/2003.

Civil Code

Articles 57-59 of the Greek Civil Code include fundamental provisions for protecting the individual’s personality. An offence to the individual’s personality may substantiate civil claims for injunction, compensation, and moral damages.

Laws

Law 4624/2019 provides the necessary measures for the implementation of the GDPR and transposes the provisions of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Moreover, Law 4624/2019 includes provisions for the operation of the HDPA.

  • Law 2472/1997, which transposes Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, applies to the extent that a few of its articles remain in force.
  • Law 3471/2006 provides for the protection of privacy and personal data in electronic communications. 
  • Law 3674/2008 provides for the necessary measures that the providers of electronic communications networks and services must apply to safeguard the safety and privacy of communications.
  • Law 3917/2011 transposes the provisions of Directive (EU) 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
  • Law 4727/2020 transposes the provisions of Directives (EU) 2016/2102, 2019/2024 and 2018/1972 on electronic communications.
  • Law 5002/2022, on the privacy of communications and cybersecurity, aims to protect the confidentiality of communications from surveillance and monitoring.
  • Law 5169/2025 ratifies the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
  • Lastly, the competent independent authorities, such as the HDPA and the Hellenic Authority for Communication Security and Privacy, issue regulatory acts and guidelines.

The Hellenic Data Protection Authority (HDPA)

Areas of jurisdiction

The HDPA has control powers, as well as corrective, advisory and licensing powers, as specified and analysed in Article 58 of the GDPR and in Article 15 of Law 4624/2019. More specifically, the HDPA:

  • monitors the implementation and enforcement of the GDPR, Law 4624/2019 and other regulations concerning the protection of individuals from the processing of personal data;
  • contributes to the consistent application of the GDPR throughout the Union and, for this purpose, cooperates with the supervisory authorities of the EU Member States and with the Commission;
  • promotes public awareness of personal data protection issues and the obligations of controllers and processors;
  • provides opinions on any regulation to be included in a law or regulatory act concerning data processing;
  • issues instructions and makes recommendations on any matter concerning data processing;
  • provides, upon request, information to data subjects regarding the exercise of their rights;
  • handles complaints submitted for violation of the provisions of the GDPR;
  • conducts investigations or audits regarding the implementation of personal data protection legislation;
  • encourages the development of codes of conduct and approves codes of conduct that provide adequate safeguards;
  • encourages the establishment of data protection certification mechanisms and data protection seals and marks, and approves certification criteria;
  • cooperates with other supervisory authorities through the exchange of information aiming for a more consistent application of the GDPR throughout the EU; and
  • contributes to the activities of the EDPB.

The Hellenic Authority for Communication Security and Privacy (ADAE)

Areas of jurisdiction

The ADAE is responsible for monitoring the implementation of all legislation relevant to the lawful interception of communications. More specifically, the ADAE:

  • issues regulations regarding the assurance of the confidentiality of communications;
  • performs audits on communications network/service providers, public entities and the Hellenic National Intelligence Service and holds respective hearings;
  • investigates relevant complaints from members of the public; and
  • collects relevant information using special investigative powers.

Administrative Proceedings

Administrative proceedings before the HDPA are governed by the provisions of Law 3051/2002 and the Code of Administrative Procedure. Decision no 9/2022 of the HDPA, as currently amended, includes the Rules of Operation of the HDPA and provides that every case must follow these basic procedural steps:

  • case file preparation before the hearing;
  • hearing before the HDPA; the hearings are not open to the public;
  • in the event of reprimand or imposition of penalties, the HDPA issues its decision only after having heard the parties involved, who may file submissions before the hearing, attend the hearing in person or with an attorney, provide clarifications upon request during the hearing and file closing submissions.

The HDPA may issue decisions on the merits of the case and provisional decisions with measures applicable until the issuance of its decision on the merits of the case. The HDPA’s decisions are binding on its addressees, while its enforceable acts are subject to appeal before the Administrative Courts and annulment by the Council of State.

Administrative fines

For individuals and private entities: According to Article 83 of the GDPR, administrative fines imposed by the HDPA upon private entities may amount to up to EUR10 million or, in case of an undertaking, up to 4% of the total worldwide annual turnover.

For public entities: According to Article 39 of Law 4624/2019, administrative fines imposed by the HDPA upon public entities are limited to the amount of EUR10 million.

In 2023, 1,414 recourses/complaints were filed with the HDPA, and penalties totalling EUR637,000 were imposed by way of 27 decisions.

According to the HDPA’s published annual review, during the first five years of the GDPR, the HDPA has issued approximately 100 decisions imposing fines and penalties for a total amount of approximately EUR30 million. Most of the decisions were issued against private entities, although some were against public authorities as well. Please see some of the more prominent examples below.

  • The HDPA (decision 4/2022) imposed fines of EUR6 million and EUR3.25 million upon major telecommunications providers for failure to implement appropriate organisational and technical means and for leakage of subscribers’ personal data.
  • The HDPA (decision 35/2022) imposed a fine of EUR20 million upon a U.S. company for the violation of a data subject’s right of access to personal data that the company had processed.
  • The HDPA (decision 25/2023) imposed a fine of EUR210,000 upon a Greek bank for lack of appropriate organisational and technical means, as automated processing could lead to illegal transfer of personal data and failure to reply appropriately to a data subject request.
  • The HDPA (decision 35/2023) imposed a fine of EUR50,000 upon a Greek bank for failure to notify a data breach.
  • The HDPA has occasionally imposed smaller fines amounting to approximately EUR10,000 per incident upon Greek banks for failing to satisfy data subject rights.

Regulation (EU) 2024/1689, known as the AI Act, establishes harmonised rules on artificial intelligence and represents the first comprehensive legal framework for AI worldwide. It covers AI systems’ development, marketing, deployment, and use. In Greece, there have been no recent legislative updates concerning the regulation of artificial intelligence that would affect data protection. Existing data protection laws continue to apply directly to the safeguarding of personal data, even in the context of using AI systems.

For example, the HDPA (decision 57/2022) examined the remote procedure for concluding new contracts through a digital onboarding service, in the context of which the data subject/subscriber is electronically identified by processing their biometric data (real-time selfie) on the legal basis of consent. The information provided to subscribers by the data controller contained ambiguities and shortcomings regarding the outsourcing of the onboarding service to a third-party data processor and recipient of the biometric data. The Authority reprimanded the telecommunications provider for established violations of Article 5 of the GDPR and instructed it to appropriately amend and supplement the text of the information provided to the data subjects to fully comply with the principle of transparency of processing.

As expressly stated in the preamble of the AI Act, the AI Act does not seek:

  • to affect the application of existing EU law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments;
  • to affect the obligations of providers and deployers of AI systems in their role as data controllers or processors stemming from EU or national law on the protection of personal data in so far as the design, the development or the use of AI systems involves the processing of personal data; and
  • to affect the rights and guarantees awarded to data subjects by such EU law, including the rights related to solely automated individual decision-making, including profiling.

On the contrary, the AI Act should facilitate the effective implementation and exercise of the data subjects’ rights and other remedies guaranteed under EU law on the protection of personal data.

There are no specific laws regarding AI in Greece that relate to or affect the protection of personal data.

In 2023, a total of 1,414 complaints were submitted to the HDPA, resulting in 43 issued decisions. Specifically, the breakdown of complaints includes 440 related to the illegal processing of personal data, 411 concerning violations of data subject rights, 287 about unsolicited electronic communications (SPAM, emails, and SMS), and 275 regarding telephone harassment related to product and service promotions. The HDPA strictly safeguards the GDPR provisions and follows the CJEU’s jurisprudence.

The HDPA (decision 16/2024) imposed a fine of EUR400,000 on the Ministry of Internal Affairs for the unauthorised transfer of personal data of Greek nationals – voters living abroad – and a fine of EUR40,000 on a member of the EU Parliament and candidate for the coming EU Parliament elections of 2024 for the illegal collection and processing of the above personal data for the purposes of political communications.

Law 5019/2023 transposes the provisions of Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers. Actions may be brought against infringements by traders of the provisions, among others, of the GDPR and Law 3471/2006 for the protection of privacy and personal data in electronic communications.

Domestic representative actions can be filed by consumers’ unions or organisations, including entities that have been qualified in other Member States to bring cross-border representative actions. Consumers’ unions or organisations must provide sufficient information about their members/consumers in order for the Court to decide on its jurisdiction and applicable law. The representative action may seek injunctive or redress measures.

Regulation (EU) 2023/2854 of the European Parliament and the Council, adopted on 13 December 2023, establishes harmonised rules for fair access to and usage of data, commonly referred to as the Data Act. This regulation complements Regulation (EU) 2022/868, enacted on 30 May 2022, which focuses on European data governance, known as the Data Governance Act. Together with Regulation (EU) 2018/1807, which was adopted on 14 November 2018 and outlines a framework for the free flow of non-personal data within the EU, these regulations aim to create a comprehensive framework for data sharing and its utilisation.

The Data Act sets the rights and obligations of users, data holders and data processing services. The main objective of the Data Act is to safeguard the fair allocation of the value of the data created from the use of connected products and related services for the benefit of all actors in the digital economy, and to promote access to data and their use. The Data Act aims to facilitate access to data and the users’ open use of data to create a well-functioning internal market for data.

The Data Act mainly regulates access to non-personal data, while in the case of personal data, reference is made to the GDPR. The GDPR also applies to processing data generated from the use of connected products and related services. Insofar as the users are data subjects, they have the rights provided in the GDPR, while the rights provided by the Data Act complement the right of access by the data subject and the right of portability provided in the GDPR. In the event of a conflict between the Data Act and the GDPR and EU law on the protection of personal data, the latter shall prevail.

The Data Act, which is directly applicable in Greece, regulates the use of IoT services and imposes the following obligations.

  • Obligation to design, manufacture and provide connected products and related services in such a manner that product data and associated service data (including the relevant metadata necessary to interpret and use those data) are easily, securely and directly accessible to the user, free of charge, in a comprehensive, structured, commonly used and machine-readable format.
  • If the user cannot directly access data from the connected product or related services, data holders are required to promptly make the data and any relevant metadata available to the user. This data must be of the same quality as what is accessible to the data holders and should be easy to access, secure, free of charge, comprehensive, structured, commonly used, and in a machine-readable format. Additionally, where relevant and technically feasible, this data should be provided continuously and in real-time upon a simple request through electronic means.
  • The seller or lessor of a connected product, as well as the service provider of a related service, is obligated to provide the user with clear and comprehensive information regarding the product data or service data prior to the sale, rental, or lease of the connected product, or the provision of the related service. This information must include the type, format, and volume of data that the connected product can generate, as well as details on how to access, retrieve, or erase this data.
  • Obligation of data holders not to make the exercise of the users’ right to restrict or prohibit accessing, using or further sharing data unduly difficult.
  • Data holders are obliged to take all necessary measures prior to the disclosure of trade secrets to preserve their confidentiality, particularly regarding third parties.
  • Obligation of data holders to use readily available non-personal data only on the basis of a contract with the user; obligation of data holders not to use the above data to derive insights about the economic situation, assets and production methods of, or the use by, the user in any other manner that could undermine the commercial position of that user on the markets in which the user is active.
  • Obligation of data holders not to make non-personal product data available to third parties for commercial or non-commercial purposes other than fulfilling their contract with the user; where relevant, data holders shall contractually bind third parties not to further share data received from them.

The Data Act provides the following obligations for third parties receiving data at the request of the user in order to safeguard data processing, as outlined below.

  • Data may be processed only for the purposes and under the conditions agreed with the user and subject to EU and national law on the protection of personal data, including the rights of the data subject insofar as personal data are concerned.
  • Data shall be erased when no longer necessary for the agreed purpose unless otherwise agreed with the user in relation to non-personal data.
  • The exercise of the users’ right to restrict or prohibit accessing, using or further sharing data shall not be rendered unduly difficult.
  • Data shall not be used for profiling, unless it is necessary to provide the service requested by the user.
  • Data shall not be made available to another third party unless it is made available on the basis of a contract with the user and provided that the other third party takes all necessary measures agreed upon between the data holder and the third party to preserve the confidentiality of the trade secret.
  • Data shall not be made available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925.
  • Data shall not be used to develop a product that competes with the connected product from which the accessed data originate or be shared with another third party for that purpose. Also, third parties shall not use any non-personal product data or related service data made available to them to derive insights about the economic situation, assets and production methods of, or use by, the data holder.
  • Data shall not be used in a manner that has an adverse impact on the security of the connected product or related service.
  • Any specific measures agreed with a data holder or a trade secret holder to preserve their confidentiality shall not be disregarded.
  • The user who is a consumer shall not be prevented from making the data it receives available to other parties.

The Data Act provides specific obligations for data holders when they are obliged to make data available to a data recipient. Among other things, data shall be made available under fair, reasonable, and non-discriminatory terms and conditions, in a transparent manner, and with a reasonable compensation to be agreed upon.

The Data Act also includes specific provisions to facilitate switching between data processing services.

The HDPA is responsible for applying and enforcing the Data Act in Greece regarding the protection of personal data.

The use of cookies is governed by Law 3471/2006 and Recommendation 1/2020 of the HDPA. The basic requirement for the use of cookies is the prior informed consent of the subscriber or user of the terminal equipment. More specifically:

  • the consent requires a clear positive act (“opt-in”) and cannot be inferred (eg, from preselected cookies or from acceptance inferred by scrolling); and
  • consent must be given after the subscriber or user has been appropriately informed, including about the purpose of processing of each cookie separately, the term of operation, the identity of the data controller, and the data recipients or categories of recipients.

As an exception to the above, prior informed consent is not required for cookies that are technically necessary to connect to the website or obtain the internet service requested by the subscriber or user, for example:

  • cookies necessary to authenticate the subscriber or user for services that require authentication (eg, for banking transactions via the Internet);
  • cookies for the purpose of safety of the subscriber or user, such as cookies that detect repeated unsuccessful attempts to log in to the user’s account on a specific website;
  • cookies necessary for load balancing; and
  • cookies that “remember” the subscriber’s or user’s choices regarding the presentation of the website (eg, cookies related to the choice of language).

Cookies installed for the purpose of online advertising, either first-party or third-party cookies, and cookies for the purpose of statistical analysis (eg, Google Analytics) are not included in the above exception and require prior informed consent. 

Personalised advertising and other online marketing practices can occur through various electronic means. As long as it does not conceal any commercial or other forms of advertising, market research does not qualify as advertising and is therefore excluded from the following.

Advertising communications through electronic means require the express consent of the data subject. This category includes electronic communications such as:

  • emails;
  • messages through mobiles (SMS, MMS);
  • faxes;
  • instant messaging;
  • electronic messaging services, such as through social networking sites; and
  • calls without human intervention, such as through an automated call system.

If the data subject has not given their prior consent, the above communications are considered unwanted (ie, “spam”), and the data subject can file a complaint with the HDPA.

Exceptionally, advertising communications through electronic means can take place without the express consent of the data subject, provided:

  • the personal data have been acquired legally in the context of the sale of goods or supply of services or other transactions;
  • the personal data are being used for the direct marketing and promotion of similar goods or services; and
  • the data subject has been given the option to object in a clear and precise manner easily and without cost to the collection and use of his/her electronic data both at the time of collection of the data, as well as in every message (Article 11 par 3 of Law 3471/2006).

Telemarketing

Telephone calls with human intervention are permitted, provided the data subject has not objected to receiving such calls (“opt-out”) 30 days before such calls. The data subject can state his or her objection either to the data controller or the telephone service provider (mobile or fixed). All telephone service providers must keep a public record of the “opt-out” subscribers (Article 11 par 2 of Law 3471/2006, as amended by Article 16 of Law 3917/2011), accessible to anyone interested in direct advertising.

General Rules for Advertising Communications

Advertising communications shall:

  • state clearly and precisely the identity of the sender;
  • state instructions for the recipient to object to and stop receiving further advertising communications; and
  • state their “commercial” nature in the message’s subject matter, if any.

The HDPA has issued Guideline 2/2011 with examples and best practices for obtaining the data subject’s consent electronically.

The organisation and management of work and the observance of the employer’s legal obligations require the processing of the employees’ personal data. Provisions applicable to processing employees’ personal data (included in the GDPR and Law 4624/2019) are outlined below.

  • Legal basis for the processing of personal data of employees: The legal basis for the processing of the personal data of the employees is the performance of the employment contract (Article 6 par 1 (b) of the GDPR). The legal basis for the processing of special categories of employees’ personal data is the exercise of rights or the performance of legal obligations deriving from employment law, social security law and social protection law (Article 9 par 2 (a) of the GDPR).
  • The legal basis of consent (Article 6 par 1 (a) of the GDPR) should be exceptionally used only when there is no other legal basis for the processing of personal data of employees, taking into account the clear inequality between the data subject (employee) and the data controller (employer).
  • Legal principles for the processing of personal data of employees: The basic legal principles governing the processing of personal data, namely the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy (Article 5 of the GDPR), also apply to the processing of personal data of employees. In the event that any of the above principles is breached, the processing should be considered illegal.
  • Prohibition of monitoring employees by CCTV: The processing of personal data of employees by means of closed-circuit visual recording systems (CCTV) at the workplace, whether publicly accessible or not, is permitted only if it is necessary for the protection of persons and property. Data collected through CCTV may not be used to assess employee efficiency and performance. Employees must be informed in advance in writing of the installation and operation of any CCTV system at the workplace.

The HDPA has issued various guidelines and decisions on the processing of employees’ personal data, including Guideline 115/2001 on the protection of employees’ personal data and Guidelines 1/2021 and 2/2020 on the protection of personal data in remote working (telework).

Asset deals involve, in general, the sale and/or transfer of large volumes of personal data that are considered to constitute a separate asset. The law does not provide special requirements for asset deals; therefore, the requirements for transferring personal data also apply to asset deals. The HDPA, when asked by the First Instance Court whether the CD-ROM with the clients of a bankrupt company could be included in the bankruptcy assets and be legally divested to a competitor of the bankrupt company, opined as follows: “The transfer of the personal data of the clients of a company to another company can take place only with the express written consent of the data subjects, following their appropriate information.”

Transfers of Personal Data Within the EU

The transfer of personal data from an EU member state to another EU member state may take place freely (Article 44 of the GDPR), provided the other provisions of the GDPR are met.

Transfers of Personal Data to a Non-EU Country or International Organisation

Adequacy decisions

The transfer of personal data from an EU member state to a non-EU country or international organisation may take place freely if the European Commission decides that such a non-EU country or international organisation ensures adequate protection for personal data. Such transfer shall not require any specific authorisation (Article 45 of the GDPR).

The European Commission has so far issued adequacy decisions for the following: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK, Uruguay and the USA (commercial organisations that are included in the “Data Privacy Framework List” maintained and made publicly available by the U.S. Department of Commerce).

With the exception of the UK, the above-mentioned adequacy decisions do not cover data exchanges in the law enforcement sector, which are governed by Law Enforcement Directive (EU) 2016/680.

Appropriate safeguards

In the absence of an adequacy decision by the European Commission as described above, transfers of personal data to a non-EU country or international organisation may take place subject to appropriate safeguards provided by the data controller or data processor and on condition that enforceable data subject rights and effective legal remedies are available. Such transfer shall not require any specific authorisation (Article 46 of the GDPR). Appropriate safeguards may be provided by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard data protection clauses adopted by the European Commission;
  • an approved code of conduct; or
  • an approved certification mechanism.

Derogations for specific situations

In the absence of an adequacy decision and appropriate safeguards, transfers of personal data to a non-EU country or international organisation may take place exceptionally only on one of the following conditions (Article 49 of the GDPR):

  • the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which, according to EU or member state law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or member state law for consultation are fulfilled in the particular case.

Transfers of Personal Data by Public Authorities

Law 4624/2019 transposes Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data.

Article 75 of Law 4624/2019 sets out the following additional requirements:

  • the recipient authority or international organisation is competent for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
  • the European Commission has adopted an adequacy decision, meaning that the non-EU state in question provides adequate protection for personal data, or in the absence of an adequacy decision, appropriate safeguards have been provided, or in the absence of such appropriate safeguards, one of the following specific derogations applies:
    1. the transfer is necessary to protect the vital interests of the data subject or another person;
    2. the transfer is necessary to safeguard the legitimate interests of the data subject;
    3. the transfer is necessary for the prevention of an immediate and serious threat to public safety; or
    4. the transfer is necessary in certain individual cases.

The prior authorisation of the competent data protection authority of the EU member state is required. Exceptionally, such prior authorisation may be omitted if the transfer of personal data is necessary to prevent an immediate and serious threat to the public safety of a member state or a non-EU country, and the prior authorisation cannot be obtained in a timely manner.

The transfer of personal data is not permitted, despite the existence of an adequacy decision and the need to safeguard the public interest, if the protection of the fundamental rights and interests of the data subject cannot be ensured in the specific case. The data controller assesses the level that would ensure the protection of the above rights of the data subject based on the guarantees for the protection of the personal data offered by the recipient authority or international organisation of the personal data in the non-EU country.

Transfers of personal data to an EU member state, a third country or an international organisation do not require any notification or prior approval by a government authority. The data controller or data processor must enter the transfers in the records of processing activities (Article 30 of the GDPR), stating at least the recipient and the documentation proving the existence of appropriate safeguards. Such records, including records of transfers, should be made available to the HDPA upon request.

The data controller must inform the data subject upon collection of their personal data, among other things, about the purpose of the processing, the recipients of the processing, and any transfers of the data outside the EU on the basis of an adequacy decision, appropriate safeguards or other mechanisms discussed above under Transfers of Personal Data to a Non-EU Country or International Organisation (Articles 13 and 14 of the GDPR).

Given the above, if the information notice does not include the transfer of personal data to a non-EU state or international organisation, the data controller must inform the data subject anew about such intended transfer prior to the actual transfer of personal data. The data controller is not obliged to inform the data subject about the transfer of personal data within the EU.

The data controller must enter the transfer in the records of processing activities (Article 30 of the GDPR), stating at least the recipient and the documentation proving the existence of appropriate safeguards.

Apart from the above, there are no data localisation requirements. 

There are no “blocking” statutes, meaning there are no Greek laws or statutes that prohibit compliance with EU regulations. As already stated in 1.1 Overview of Data and Privacy-Related Laws, EU Regulations are directly applicable in Greece and supersede any provision of national law, including the Constitution.

Greece closely follows the EU developments in the international transfer of data.

Recently, Law 5169/2025 ratified the Protocol amending the Convention for the Protection of Individuals regarding Automatic Processing of Personal Data, also known as Convention 108. The Protocol modernises the Council of Europe Convention, eg, definitions are updated to ensure the uniform application of its terms; its scope is extended to include application in the public and private sectors; the basic principles of proportionality in relation to the legitimate purpose pursued, transparency, prior consent or other legitimate bases for processing, adequacy and accuracy of the personal data have been supplemented; the rights of the data subjects have been extended. Moreover, the Protocol strengthens the safeguards for cross-border data transfers, requiring the member parties to set stricter evaluation and approval procedures. Finally, it defines the powers of the supervisory authorities, who are responsible for ensuring compliance with the provisions of the Convention and providing co-operation and mutual assistance among the supervisory authorities of the member parties.

GKP LAW FIRM

8, Karneadou street
Athens 106 75
Greece

georgountzou@gkplaw.gr

mezini@gkplaw.gr

katsiamagkos@gkplaw.gr