Data Protection & Privacy 2026

Last Updated March 10, 2026

Greece

Law and Practice

Authors



Psarras, Georgountzou - GKP Law Firm has ten lawyers at its offices in Athens, and an effective network of other lawyers throughout Greece. The firm is well established in all areas of regulation, especially in corporate law, finance, banking, employment, IT, energy, media and pharma, as well as real property and construction. GKP advises mainly foreign companies active in Greece through a subsidiary or a branch office, or on a project basis, on negotiating, contracting and monitoring the performance of contracts or investments in Greece, in the public or private sector, including M&A. The firm has assisted in the setting up of distribution networks in various fields (vehicles, IT, food and drink, pharma) and has vast experience in all aspects of commercial law, especially agency, distribution and franchising, including an excellent track record in IP and competition law issues.

The fundamental provisions for privacy and data protection in Greece are as follows, in order of priority.

Regulation (EU) 2016/679

Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (GDPR) is the main legislation for the protection of personal data. The GDPR is directly applicable in Greece and supersedes any provision of national law, including the Constitution. The GDPR provides for the imposition of penalties (Article 83) and the obligation to compensate for damages incurred (Article 82) in case of violation of its provisions.

Constitution

The Greek Constitution sets out the basic principles for the privacy of communications and the protection of personal data.

  • Article 9A of the Constitution establishes protection from the processing, collection and use of personal data, and provides for establishing an independent authority to safeguard such rights. In 1997, the Hellenic Data Protection Authority (HDPA) was established according to Law 2472/1997.
  • Article 19 of the Constitution establishes the privacy of correspondence (namely post/mail, which is the oldest form) and the freedom of communications in general, and provides for establishing an independent authority to safeguard such rights. In 2003, the Hellenic Authority for Communication Security and Privacy was established according to Law 3115/2003.

Civil Code

Articles 57–59 of the Greek Civil Code include fundamental provisions for protecting the individual’s personality. An offence to the individual’s personality may substantiate civil claims for injunction, compensation and moral damages.

Laws

  • Law 4624/2019 provides the necessary measures for the implementation of the GDPR and transposes the provisions of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. Moreover, Law 4624/2019 includes provisions for the operation of the HDPA.
  • Law 2472/1997 transposes Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, and applies to the extent that a few of its articles remain in force.
  • Law 3471/2006 provides for the protection of privacy and personal data in electronic communications.
  • Law 3674/2008 provides for the necessary measures that must be applied by the providers of electronic communications networks and services to safeguard the safety and privacy of communications.
  • Law 3917/2011 transposes the provisions of Directive (EU) 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks.
  • Law 4727/2020 transposes the provisions of Directives (EU) 2016/2102, 2019/2024 and 2018/1972 on electronic communications.
  • Law 5002/2022 on the privacy of communications and cybersecurity aims to protect the confidentiality of communications from surveillance and monitoring.
  • Law 5086/2024 establishes the National Cybersecurity Authority.
  • Law 5099/2024 incorporates Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services (the Digital Services Act) and designates the HDPA as the competent authority for supervising providers of intermediary services, enforcing Article 26 paragraphs 1 and 3 of the Regulation regarding user information on the display and targeting of advertisements, and Article 28 concerning the protection of minors’ personal data.
  • Law 5160/2024 incorporates Directive (EU) 2022/2555 of the European Parliament and the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2).
  • Law 5169/2025 ratifies the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of personal data.

Regulatory Acts and Guidelines Issued by the Competent Authorities

Lastly, the competent, independent authorities, such as the HDPA and the Hellenic Authority for Communication Security and Privacy, issue regulatory acts and guidelines.

GDPR General Principles

The GDPR sets the following general principles for the processing of personal data, which safeguard the fundamental rights of the natural persons, including their protection from the processing of their personal data:

  • “lawfulness, fairness and transparency” – the processing of personal data must be lawful, legitimate and carried out in a transparent manner;
  • “purpose limitation” – personal data must be collected for an explicit, specified and legitimate purpose and the processing must be compatible with such purpose;
  • “data minimisation” – personal data must be adequate, relevant and limited to what is strictly necessary for the fulfilment of the purpose for which it is processed;
  • “accuracy” – personal data must be accurate and kept up to date, and measures must be taken to rectify inaccurate data;
  • “storage limitation” – personal data must be retained only for as long as necessary to fulfil the purpose of processing; and
  • “integrity and confidentiality” – personal data must be processed securely and in a manner that protects it against unauthorised or unlawful processing, loss or destruction.

Data Subjects’ Rights

Chapter II of the GDPR sets out the rights of data subjects, which safeguard their fundamental freedoms regarding the processing of their personal data:

  • Article 15 establishes the right of access, meaning that the data subject has the right to obtain confirmation from the data controller as to whether or not their personal data is being processed and, if so, to access such personal data and receive a copy thereof;
  • Articles 16 and 17 establish the right to rectification or erasure, meaning that the data subject may request the correction of their personal data that is inaccurate or incomplete, and/or the deletion of his/her personal data, provided the request is lawful and there are no overriding legitimate grounds for the processing;
  • Article 18 establishes the right to the restriction of processing, meaning that the data subject may request the suspension of processing, provided the request is lawful;
  • Article 20 establishes the right to data portability, meaning that the data subject may request and receive a copy of their personal data in a structured, commonly used and machine‑readable format, and/or request their transmission to another data controller; and
  • Article 21 establishes the right to object, meaning that the data subject may object to the processing of their personal data, provided the request is lawful.

Compliance Checklist for Data Controllers

The GDPR and Greek Law 4624/2019 set out the conditions under which entities/organisations may process personal data. Entities/organisations acting as data controllers must meet the following compliance requirements.

  • Mapping processing activities.
  • Providing information to data subjects regarding:
    1. the type and nature of personal data collected and processed;
    2. the purposes of the processing of personal data;
    3. the legal basis on which the processing of personal data is carried out;
    4. the retention period of the personal data;
    5. the rights of data subjects and how these rights may be exercised;
    6. whether the data subject is subject to automated decision‑making (profiling); and
    7. the recipients or third parties to whom personal data are transferred.
  • Drafting and publishing privacy policies (employee privacy policy, CCTV policy, website cookies policy, vendors’ privacy policy, etc).
  • Collecting consent from data subjects where required (eg, sending newsletters for marketing purposes, cookies, processing special categories of data).
  • Concluding data processing agreements with processors or third parties to whom personal data is transferred, in order to ensure transparency and the lawfulness of processing by third parties.
  • Performing a Data Protection Impact Assessment (DPIA) when there is a high risk to the rights and freedoms of data subjects or when processing is carried out on a large scale.
  • Implementing appropriate technical and organisational security measures, such as:
    1. access control;
    2. encryption;
    3. pseudonymisation;
    4. data back-ups;
    5. strong password policies;
    6. security incident management;
    7. incident response plan for personal data breaches; and
    8. procedure for notifying the HDPA and data subjects of personal data breaches.
  • Training staff and raising awareness on the basic principles of the GDPR, the secure handling of personal data and the application of the privacy policies adopted.
  • Continuously monitoring legislation and regularly reviewing and updating the privacy policies and technical and organisational security measures adopted.

According to Article 9 of the GDPR and Law 4624/2019, special categories of personal data include data relating to:

  • racial/ethnic origin;
  • political opinions;
  • religious/philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data for identification;
  • health data; and
  • sex life or sexual orientation.

Processing the special categories of personal data is prohibited, and is permitted only if:

  • the data subject has given his/her explicit consent for the processing;
  • the processing is necessary for carrying out the obligations and exercising specific rights of the data controller or the data subject in the field of employment, social security and social protection law, including pensions in accordance with applicable law;
  • the processing is necessary for the protection of the vital interests of the data subject or another natural person, where the data subject is physically or legally incapable of giving his/her consent;
  • the processing takes place within the legitimate activities of a non‑profit entity/organisation with a political, philosophical, religious or trade union purpose, provided the processing regards only its members or former members and the personal data is not disclosed outside the entity/organisation;
  • the processing is of personal data that has been manifestly made public by the data subject (eg, online posts, social media, interviews, publications);
  • the processing is necessary for the establishment, exercise or defence of legal claims, or when courts act in their judicial capacity;
  • the processing is necessary for reasons of substantial public interest;
  • the processing is necessary for preventative or occupational medicine;
  • the processing is necessary for public health purposes; or
  • the processing is necessary for archiving purposes in the public interest, scientific or historical research, or for statistical purposes.

Personal Data Relating to Minors

Minors enjoy special protection as they are not aware of the risks involved in the processing of their personal data. Minors can consent to the processing of their personal data if they are at least 16 years old and the data controller uses clear, accurate and simple language to inform the minors prior to obtaining their consent.

When it comes to the internet and the provision of services to minors, minors can consent to the processing of their personal data if they are at least 15 years old. If minors are under this age, the consent must be granted by their legal representative – ie, parent or legal guardian. Decisions based solely on automated processing are prohibited where such decisions legally affect or significantly influence minors. Profiling for promotional or marketing purposes is prohibited.

Personal Data Relating to Criminal Convictions

Greek Law 4624/2019 – which transposes Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data – provides the general principles and requirements for the processing of personal data relating to criminal convictions and offences by police, prosecutors and judicial authorities for criminal law enforcement purposes. Personal data relating to criminal convictions and offences constitutes a separate category of personal data, which may be processed only under the control of an official authority, when it is absolutely necessary for the performance of the duties of the data controller and with the application of appropriate safeguards for the rights and freedoms of the data subjects.

Health data is one of the special categories of personal data whose processing can take place under the requirements described in 1.3 Special Categories of Personal Data. According to Article 30 of Greek Law 4624/2019, by derogation from the above, health data can be processed for scientific purposes, including research and development, without the consent of the data subject, provided:

  • the interest of the controller exceeds the interest of the data subject not to have his/her personal data processed; and
  • the controller takes appropriate measures for the protection of the legal interests of the data subject, which may include:
    1. limiting access to the personal data for the controller and processors;
    2. pseudonymising personal data;
    3. encrypting personal data; and
    4. appointing a DPO.

In view of the above, companies that provide products or services to healthcare providers may anonymise patient personal data for the purposes of product development or scientific research.

Regulation (EU) 2025/327 of the European Parliament and of the Council of 11 February 2025 on the European Health Data Space (EHDS) entered into force in March 2025 and aims to establish a common framework for the use and exchange of electronic health data across the EU. It strengthens individuals’ access to and control over their personal electronic health data, while also allowing the further use of certain data for purposes of public interest, policy support and scientific research. It promotes a data environment specifically tailored to health, and supports the single market for digital health services and products. In addition, the Regulation establishes a harmonised legal and technical framework for Electronic Health Record (EHR) systems, enhancing interoperability, innovation and the smooth functioning of the internal market.

The EHDS Regulation will:

  • enable individuals to access, control and exchange their electronic health data across borders for the provision of healthcare;
  • allow the secure and trustworthy re‑use of health data for research, innovation, policymaking and regulatory activities; and
  • promote a single market for electronic health record systems, supporting both primary and secondary uses of data.

Chapter IV of the EHDS Regulation sets out the conditions for the so-called “secondary use” of health data, including the use of personal data for research and development purposes. The data access bodies indicated by the member states shall grant access to electronic health data for secondary use when the processing of such health data is necessary for any of the following purposes:

  • the public interest in the domain of public health;
  • policy making and regulatory activities in the public sector;
  • statistics;
  • education or teaching activities in the sectors of health or care;
  • scientific research and improvement in the fields of health or care, with the aim of benefiting end users such as patients, healthcare professionals and health system managers – this includes:
    1. development and innovation activities for products or services; and
    2. training, testing and evaluating algorithms, including those used in medical devices, in vitro diagnostic medical devices, AI systems and digital health applications.

Health data provided for the above purposes shall be limited to what is absolutely necessary, adequate and relevant to the purpose of the processing. Health data shall be provided in an anonymised format; if the specific processing cannot be achieved with anonymised data, then health data shall be provided in a pseudonymised format, while access to the information necessary to reverse the pseudonymisation shall be restricted and controlled.

Regulation (EU) 2024/1689, known as the AI Act, establishes harmonised rules on artificial intelligence and represents the first comprehensive legal framework for AI worldwide. It covers AI systems’ development, marketing, deployment and use. In Greece, there have been no recent legislative updates concerning the regulation of artificial intelligence that would affect data protection. Existing data protection laws continue to apply directly to the safeguarding of personal data, even in the context of using AI systems.

The AI Act does not seek to affect:

  • the application of existing EU law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments;
  • the obligations of providers and deployers of AI systems in their role as data controllers or processors stemming from EU or national law on the protection of personal data insofar as the design, development or use of AI systems involves the processing of personal data; nor
  • the rights and guarantees awarded to data subjects by such EU law, including the rights related to solely automated individual decision-making, including profiling.

On the contrary, the AI Act should facilitate the effective implementation and exercise of the data subjects’ rights and other remedies guaranteed under EU law on the protection of personal data.

There are no specific laws regarding AI in Greece that relate to or affect the protection of personal data.

The reliance of AI technologies on large datasets can create significant privacy risks. AI systems are often trained on vast amounts of personal information, sometimes collected without proper consent, or used in ways that individuals might not expect. This can lead to unintended consequences, such as exposing sensitive personal details or allowing for intrusive profiling. For example, an AI model used to predict consumer preferences might draw on data from social media, shopping history or even biometric information, potentially leading to privacy violations, if such data is mishandled or shared without adequate safeguards.

To address the above risks and harness the benefits of AI responsibly, the EU has embarked on regulatory initiatives aimed at balancing innovation with the protection of fundamental privacy rights. Personal data protection legislation plays a vital role, as AI systems are often built on personal data and rely on it. Therefore, personal data principles and requirements help to address some of the above risks.

To support data protection professionals, the HDPA provides relevant training material developed by external experts of the EDPB under the supervision of the HDPA’s specialised scientific staff, which consists of two complementary training programmes, each accompanied by interactive comprehension and self‑assessment questions about the use of AI systems.

A personal data breach (Article 4(12) of the GDPR) is defined as a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. According to the Guidelines 18/2018 of the Article 29 Working Party (now the European Data Protection Board) on personal data breach notification (“Guidelines on Personal Data Breach Notification under Regulation 2016/679”, WP 250 rev.1), one category of personal data breach is based on the security principle of confidentiality, which occurs when there is unauthorised access to personal data (“confidentiality breach”).

A breach may potentially have various significant adverse effects on individuals, which may lead to physical, material or non-material damage. The GDPR explains that such damage may include loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, reputational harm, or loss of confidentiality of personal data protected by professional secrecy, among others.

In the case of a data breach, the data controller must comply with the following obligations.

Assess the Data Breach Without Undue Delay

The data controller must determine:

  • what happened and when;
  • which data was affected;
  • how many data subjects are impacted;
  • the likely consequences; and
  • whether the breach poses a risk or high risk to data subjects.

The above assessment must be documented.

File a Notification With the HDPA

If the breach is likely to result in a risk to the rights and freedoms of the individuals, the data controller must notify the breach to the HDPA within 72 hours of becoming aware of such breach. The HDPA has an online form, which must be completed and filed by the data controller, including information on the nature of the breach, the categories of personal data affected, the number of the individuals affected, the mitigation measures implemented, the contact details of the data controller, etc. Any delay in filing the above notification with the HDPA must be justified.

Communicate the Breach to Affected Individuals

If the breach is likely to result in a high risk to the rights and freedoms of the individuals, the data controller must inform the individuals about such breach immediately and without undue delay, in clear and plain language, explaining:

  • the nature of the breach;
  • the potential consequences;
  • the contact details of the data controller; and
  • the mitigation measures implemented or suggested.

Communication may be avoided only in limited cases – eg, where data was encrypted and not readable to third parties without authorisation, or if any risk has been fully mitigated.

Maintain an Internal Breach Register

All breaches – even those not notified – must be recorded with details of facts, effects and remedial actions.

The Hellenic Data Protection Authority (HDPA)

The HDPA has control powers, as well as corrective, advisory and licensing powers, as specified and described in Article 58 of the GDPR and Article 15 of Law 4624/2019. Specifically, the HDPA:

  • monitors the implementation and enforcement of the GDPR, Law 4624/2019 and other regulations concerning the protection of individuals from the processing of personal data;
  • contributes to the consistent application of the GDPR throughout the European Union and, for this purpose, co-operates with the supervisory authorities of the EU member states and with the Commission;
  • promotes public awareness of personal data protection issues and the obligations of controllers and processors;
  • provides opinions on any regulation to be included in a law or regulatory act concerning data processing;
  • issues instructions and makes recommendations on any matter concerning data processing;
  • provides, upon request, information to data subjects regarding the exercise of their rights;
  • handles complaints submitted for violation of the provisions of the GDPR;
  • conducts investigations or audits regarding the implementation of personal data protection legislation;
  • encourages the development of codes of conduct and approves codes of conduct that provide adequate safeguards;
  • encourages the establishment of data protection certification mechanisms and data protection seals and marks, and approves certification criteria;
  • co-operates with other supervisory authorities through the exchange of information, aiming for a more consistent application of the GDPR throughout the EU; and
  • contributes to the activities of the EDPB.

The Hellenic Authority for Communication Security and Privacy (ADAE)

The ADAE is responsible for monitoring the implementation of all legislation relevant to the lawful interception of communications. Specifically, the ADAE:

  • issues regulations regarding the assurance of the confidentiality of communications;
  • performs audits on communications network/service providers, public entities and the Hellenic National Intelligence Service, and holds respective hearings;
  • investigates relevant complaints from members of the public; and
  • collects relevant information using special investigative powers.

The Hellenic Cybersecurity Authority (NCSA)

The NCSA aims to organise, co-ordinate and implement a comprehensive framework of strategies, measures and actions for achieving and maintaining a high level of prevention, protection, deterrence, response and recovery from cyber-attacks. Specifically, the NCSA:

  • monitors and supervises the implementation of the EU Directive on measures for a high common level of cybersecurity across the EU (NIS2) in Greece;
  • sets the regulatory framework for the operation of critical infrastructure digital systems in Greece;
  • supports scientific research, innovation and investments in cybersecurity, contributes to the development of national and international standards, and promotes education and awareness in the field;
  • is the designated single point of contact for reporting security incidents and may intervene to assist in the management of such incidents; and
  • co-operates with national and international authorities to exchange information and best practices.

Enforcement Proceedings

Enforcement proceedings before the HDPA are governed by the provisions of Law 3051/2002 and the Code of Administrative Procedure. Decision No 9/2022 of the HDPA, as amended, includes the Rules of Operation of the HDPA and provides that every case must follow these basic procedural steps:

  • case file preparation before the hearing;
  • hearing before the HDPA – the hearings are not open to the public; and
  • in the event of reprimand or the imposition of penalties, the HDPA issues its decision only after having heard the parties involved, who may file submissions before the hearing, attend the hearing in person or with an attorney, provide clarifications upon request during the hearing and file closing submissions.

The HDPA examines complaints and conducts investigations or audits either ex officio or following a complaint, in order to ensure compliance with applicable legislation regarding the protection of personal data. In exercising its powers, the HDPA may dismiss applications, inquiries or complaints that are deemed to be manifestly vague, unfounded, abusive or anonymous. The HDPA informs the person who has filed a complaint, and all parties involved, about the actions it takes.

Without prejudice to the deadlines set by the GDPR, the prioritisation of applications, inquiries and complaints is assessed by the HDPA based on the importance and broader public interest of the matter. The HDPA may issue decisions on the merits of the case and provisional decisions with measures applicable until the issuance of its decision on the merits of the case. The HDPA’s decisions are binding on its addressees, while its enforceable acts are subject to appeal before the Administrative Courts and to annulment by the Council of State.

Administrative Fines

  • For individuals and private entities: according to Article 83 of the GDPR, the HDPA may impose administrative fines of up to EUR10 million on private entities or, in the case of an undertaking, up to 4% of the total worldwide annual turnover.
  • For public entities: according to Article 39 of Law 4624/2019, administrative fines imposed by the HDPA upon public entities are limited to the amount of EUR10 million.

In 2023, 1,414 recourses/complaints were filed with the HDPA, and penalties totalling EUR637,000 were imposed by way of 27 decisions.

According to Article 83 of the GDPR, when imposing an administrative fine and determining its amount, the HDPA takes the following factors into account:

  • the nature, gravity and duration of the violation, considering the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered;
  • the intentional or negligent character of the violation;
  • any actions taken by the controller or processor to mitigate the damage suffered by data subjects;
  • the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented;
  • any relevant previous violations by the controller or processor;
  • the degree of co-operation with the HDPA to remedy the infringement and mitigate its possible adverse effects;
  • the categories of personal data affected by the violation;
  • the manner in which the HDPA became aware of the violation, particularly whether and to what extent the controller or processor notified it;
  • compliance with measures previously ordered under Article 58(2) concerning the same subject matter;
  • adherence to approved codes of conduct or approved certification mechanisms; and
  • any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, as a result of the infringement.

The HDPA has recently issued decisions imposing significant administrative fines for violations of data protection legislation.

  • Decision No 44/2025 imposed administrative fines of EUR10,000 and EUR80,000 upon an energy provider and a call centre in its capacity as data processor, for making telephone calls promoting products and services to individuals who had expressly requested not to receive such calls.
  • Decision No 42/2025 imposed an administrative fine of EUR30,000 on an energy services company for violating data subjects’ rights of access, rectification and erasure of their personal data.
  • Decision No 38/2025 imposed an administrative fine of EUR10,000 on a Municipality for operating a CCTV surveillance system at a vehicle depot without proper notification to the data subjects.

Criminal Penalties

Greek Law 4624/2019 provides for imprisonment and criminal penalties ranging between EUR100,000 and EUR300,000 for the violation of the legislation for the protection of personal data.

The current most significant enforcement trends in Greece revolve around the following three pillars.

Ex Officio Audits of Surveillance Systems

The HDPA has initiated an audit ex officio on the software developed and installed by the Ministry of Migration and Asylum at the reception and hospitality structures for third-country nationals located at the borders of Greece. The software programs provided for:

  • digital management of the electronic and physical security of the above structures with the use of CCTV, drones and artificial intelligence behavioural analytics; and
  • control of the persons entering and exiting the above structures, including personnel, third-country nationals seeking asylum and representatives of NGOs, with the use of RFID in combination with two-factor authentication processing biometric data.

The HDPA found many violations, including:

  • failure to define an appropriate legal basis for the processing of personal data, much of which belongs to the special categories;
  • providing deficient information to data subjects prior to the processing;
  • inadequate and deficient data processing agreements with the data processors;
  • failure to keep a registry of processing activities; and
  • failure to perform an appropriate DPIA.

The HDPA imposed an administrative fine of EUR175,000 on the Ministry of Migration and Asylum (Decision No 13/2024).

Implementation of Appropriate Technical and Organisational Measures and Data Breaches

The HDPA has imposed administrative fines for failure to apply appropriate technical and organisational measures, resulting in data breaches from an insider threat (Decision Nos 7/2025, 33/2025).

Violation of Data Subjects’ Rights

The HDPA steadily reviews complaints and applies administrative penalties in case of violation of data subjects’ rights to access, rectification, erasure and restriction of their personal data (Decision No 1/2025).

The violation of privacy legislation may cause damages, and the affected party has the right to request compensation for material or moral damages from the data controller or processor. The First Instance Court freely determines the amount of compensation based on the factual circumstances of the case and taking into account all relevant factors, such as the nature and extent of the violation, the degree of fault, the absence of contributory negligence by the data subject, and the financial and social situation of the parties.

Decision No 573/2025 of the Athens Court of Appeal ruled that the unlawful sending of text messages for the purpose of commercial promotion of services established the liability of the sender in his capacity as data controller. Consequently, the data controller was ordered to pay monetary compensation for moral damages to the data subject amounting to EUR10,000 for each text message (SMS).

Article 82(1) of the GDPR provides that any individual who has suffered material or non‑material damage as a result of a GDPR infringement is entitled to compensation. Recitals 75 and 85 of the GDPR list examples of non‑material damages, such as loss of control over personal data, restriction of rights, discrimination, identity theft or fraud, unauthorised reversal of pseudonymisation, damage to reputation, loss of data, loss of confidentiality of data and similar harms. Non‑material damages may be incurred when personal data is disclosed or transferred to third parties without the data subject’s consent.

In 2021, the CJEU addressed the concept of non-material damages under Article 82 of the GDPR for the first time, in Case C-300/21. More specifically, the harmful conduct of the company consisted in processing the personal data of an individual, which, combined with social or demographic information, led to the identification of that individual with a specific political party. The CJEU clarified the notion of material damage under Article 82 of the GDPR and emphasised the following three requirements for the establishment of the right to compensation in paragraph 36 of its decision:

  • the processing of personal data carried out in breach of the provisions of the GDPR;
  • the damage suffered by the data subject; and
  • a causal link between the unlawful processing and the damage.

Furthermore, in paragraph 59 of the decision, the CJEU stressed that Article 82 of the GDPR must be interpreted as meaning that, for determining the amount of compensation due on the basis of the right established in that article, national courts must apply the domestic rules of each member state concerning the extent of financial compensation, provided that the principles of equivalence and effectiveness of EU law are respected.

The CJEU has issued case law interpreting Article 82 of the GDPR. In particular, in Case C‑655/23, the Court held that Article 82(1) of the GDPR must be interpreted as meaning that the term “non‑material damage” covers the negative emotions experienced by the data subject due to the unauthorised disclosure of their personal data to a third party, such as fear or distress arising from the loss of control over the data, the risk of their potential misuse, or harm to reputation – provided that the data subject demonstrates that these emotions, together with their negative consequences, are causally linked to the infringement of the Regulation.

Law 5019/2023 transposes the provisions of Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers. Actions may be brought against infringements by traders of the provisions of the GDPR and Law 3471/2006, among others, for the protection of privacy and personal data in electronic communications. Domestic representative actions can be filed by consumers’ unions or organisations, including entities that have been qualified in other member states to bring cross-border representative actions. Consumers’ unions or organisations must provide sufficient information about their members/consumers in order for the Court to decide on its jurisdiction and applicable law. The representative action may seek injunctive or redress measures.

In Greece, there is no case law concerning the collective bringing of actions and the awarding of compensation for privacy violations. However, the issue has been addressed by the CJEU, which held in paragraph 32 of Case C‑757/22, Meta Platforms Ireland, that Article 80(2) of the GDPR must be interpreted as not precluding national legislation that allows a consumer protection association to bring legal proceedings – without a mandate granted to it for that purpose and irrespective of the existence of an infringement of specific rights of an individual data subject – against an alleged infringer of data protection rules, relying on the violation of the prohibition of unfair commercial practices, the breach of consumer protection legislation or the violation of the prohibition on the use of unfair contract terms, provided that the data processing at issue is capable of affecting the rights conferred on identified or identifiable natural persons by the GDPR.

Regulation (EU) 2018/1807 of the European Parliament and the Council, adopted on 14 November 2018, establishes the principle of the free flow of non-personal data within the EU. Regulation (EU) 2023/2854 of the European Parliament and the Council, adopted on 13 December 2023 and commonly referred to as the Data Act, establishes harmonised rules for fair access to and usage of non-personal data, and sets the rights and obligations of data users, data holders and data processing services. The main objective of the Data Act is to safeguard the fair allocation of the value of the data created from the use of connected products and related services for the benefit of all actors of the digital economy and the promotion of access to data and its use. The Data Act aims to facilitate access to data and the users’ open use of data to create a well-functioning internal market for data.

The expanding Internet of Things (IoT), AI and machine learning represent major sources of non-personal data – for example, as a result of their deployment in automated industrial production processes. Specific examples of non-personal data include aggregate and anonymised datasets used for big data analytics, data on precision farming that can help to monitor and optimise the use of pesticides and water, or data on maintenance needs for industrial machines. If technological developments make it possible to turn anonymised data into personal data, such data is to be treated as personal data, and the GDPR is to apply accordingly.

IoT

In Greece, Law 4961/2022 introduces for the first time a regulatory framework for the secure use of IoT devices by operators of critical infrastructure in both the public and private sectors. Specifically, the law sets out obligations and compliance declarations for IoT device manufacturers, including the following.

  • Cybersecurity measures to be embedded in IoT devices are defined according to their use and the associated security risks, in order to ensure an appropriate level of cybersecurity.
  • The minimum content of the manufacturer’s declaration of conformity for IoT devices is specified, and such declaration must accompany every device intended to be made available to IoT operators. The law also establishes the manufacturer’s obligation to inform all parties involved and the NCSA if the manufacturer becomes aware, by any means, of non‑compliance.
  • The obligations of importers and distributors of IoT devices are defined, particularly their duties to:
    1. verify that the device is accompanied by the declaration of conformity;
    2. inform other parties involved and the NCSA if they themselves become aware, by any means, of non‑compliance; and
    3. maintain a record of notification actions and communicate such record to the NCSA.
  • The obligations of IoT operators are set out, including the requirement to appoint an IoT Security Officer, who is responsible for implementing and properly monitoring the technical and organisational measures adopted by the IoT operator to manage risks related to the security of the IoT devices used, and for informing other involved parties and the NCSA if a risk associated with the device’s use arises.
  • The responsibilities of the NCSA are further specified regarding the assessment and monitoring of compliance by manufacturers, importers, distributors and IoT operators. In addition, manufacturers, importers and distributors of IoT devices are required to comply with the NCSA’s instructions by taking any corrective action necessary to achieve compliance. For the operator using the device, such measures may extend to the suspension of the device’s use.
  • Given the high risk of disruption to the operation of an IoT device and its potential impact, the law establishes a specific obligation for manufacturers to maintain a process for managing security incidents or vulnerabilities, for each device.
  • IoT operators are required to provide users with information about the devices so that each user – regardless of their familiarity with new technologies – can understand basic issues related to the safe installation, configuration and operation of the device.
  • Finally, because the processing of personal data within IoT environments may pose a high risk to the rights and freedoms of individuals, IoT operators are required to conduct a DPIA for the planned processing activities related to the operation of IoT devices, in accordance with Article 35(1) of the GDPR.

Cloud Computing

Cloud computing technology, through which entities and individuals can process and store large volumes of data, creates serious threats to data security and privacy. Law 4727/2020 establishes the government cloud for the public sector (G Cloud) as a set of digital infrastructures managed by the General Secretariat of Information Systems. Government cloud infrastructures also exist in specific public sectors, such as Research and Education (RE Cloud) and the Health Government Cloud (H Cloud). All central electronic applications and central information systems maintained by Ministries, independent authorities and the Information Society are connected to the G Cloud, and they relate to transactions with natural persons, legal entities and public administration.

Although the G Cloud offers significant advantages in terms of flexibility and efficiency, it simultaneously creates serious threats to privacy and personal data protection, because a large volume of citizens’ data is stored therein, such as health data. This raises concerns regarding security and confidentiality, especially in the event of a cyber-attack, data breach or violations of personal data.

AI

Regulation (EU) 2024/1689, commonly referred to as the AI Act, establishes harmonised rules on AI and represents the first comprehensive legal framework for AI worldwide. It covers AI systems’ development, marketing, deployment and use. In Greece, Law 4961/2022 includes provisions on the use of AI systems in the public sector for decision‑making processes that affect the rights of natural persons and legal entities. Public entities that use AI systems are required to carry out a DPIA in accordance with Article 35 of the GDPR and to take the following into account:

  • the intended purpose, including the public interest served through the use of the AI system;
  • the capabilities, technical characteristics and operating parameters of the AI system;
  • the type and categories of decisions made or acts issued with the involvement of the AI system, or supported by it;
  • the categories of data collected, processed or entered into the system, or generated by it;
  • the risks that may arise for the rights, freedoms and legitimate interests of the natural or legal persons to whom the decision relates or whom it affects; and
  • the expected benefit for society as a whole in relation to potential risks and impacts that may result from the use of the AI system, particularly for racial, ethnic, social or age groups and categories of the population such as persons with disabilities or chronic conditions.

Every public entity that uses AI systems must provide specific information to natural persons who are subject to decision‑making based on such systems, such as:

  • the date on which the AI system began operating;
  • the operating parameters, capabilities and technical characteristics of the AI system;
  • the categories of decisions made or acts issued with the involvement of the AI system or supported by it; and
  • the conduct of an algorithmic impact assessment.

Regulation (EU) 2018/1807 of the European Parliament and the Council, adopted on 14 November 2018, establishes the principle of the free flow of non-personal data within the EU. Throughout its text, the Regulation uses the term “data”, which is defined as “data other than personal data”. Such data, which is also referred to as “non-personal data”, is inferred a contrario to personal data, as defined in the GDPR. According to the GDPR, “personal data” includes any information relating to an identified or identifiable natural person – ie, the “data subject”. By contrast, non-personal data can be categorised by origin as:

  • firstly, data that originally did not relate to an identified or identifiable natural person, such as data on weather conditions generated by sensors installed on wind turbines or data on maintenance needs for industrial machines; or
  • secondly, data that was initially personal data but was later rendered anonymous.

Mixed Datasets

In new technology systems, mixed datasets often appear that consist of both personal data and non-personal data. Mixed datasets represent the majority of datasets used in the data economy and are common because of technological developments such as the IoT (ie, digitally connecting objects), AI and technologies enabling big data analytics. In the case of a dataset composed of both personal and non-personal data, Regulation (EU) 2018/1807 applies to the non-personal data part of the dataset and the GDPR applies to the personal data part of the dataset. Where personal and non-personal data in a dataset are inextricably linked, Regulation (EU) 2018/1807 shall not prejudice the application of the GDPR, meaning that:

  • Regulation (EU) 2018/1807 on the free flow of non-personal data applies to the non-personal data part of the dataset;
  • the GDPR applies to the personal data part of the dataset; and
  • if the non-personal data part and the personal data part are “inextricably linked”, the data protection rights and obligations stemming from the GDPR apply fully to the whole mixed dataset, including when personal data represents only a small part of the dataset.

Access Right

Regulation (EU) 2018/1807 on the free flow of non‑personal data within the EU provides that national competent authorities have the right to request or obtain access to data for the purpose of carrying out their official duties in accordance with EU or national law. Providers are not permitted to refuse competent authorities access to data on the grounds that the data has been processed in another member state. If a competent authority does not obtain access following a request for access to a user’s data, that authority may request the assistance of another competent authority from a different member state. Once access to the data and to any equipment or means of data processing is obtained, such access must comply with fundamental principles and with national and European legislation.

Portability Right

Regarding the right to data portability, the Commission encourages the development of self‑regulatory codes of conduct at EU level in order to contribute to a competitive data economy in line with the principles of transparency and data interoperability. In particular, Article 6 of the Regulation provides that the following must be ensured:

  • best practices for facilitating the switching of service providers and the porting of data in a structured, commonly used and machine-readable format, including open standard formats where required or requested by the service provider receiving the data;
  • minimum information requirements to ensure that professional users are provided – before a contract for data processing is concluded – with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply if a professional user wants to switch to another service provider or port data back to its own IT systems;
  • approaches to certification schemes that facilitate the comparison of data processing products and services for professional users, taking into account established national or international norms, to facilitate the comparability of those products and services – such approaches may include quality management, information security management, business continuity management and environmental management; and
  • communication roadmaps taking a multidisciplinary approach to raise awareness of the codes of conduct among relevant stakeholders.

The GDPR and Regulation (EU) 2018/1807 refer to data portability and the aim to make it easier to port data from one IT environment to another – ie, to another provider’s systems or to on-site systems. This prevents vendor lock-in and fosters competition between service providers.

However, the above Regulations differ in their approach to portability when it comes to the relation between the targeted interest groups and the legal nature of the provisions. The right to portability of personal data under Article 20 of the GDPR focuses on the relation between the data subject and the controller. It concerns the right of the data subject to receive personal data which they have provided to the controller, in a structured, commonly used and machine-readable format, and to transmit such data to another controller or to their own storage capacities without hindrance from the controller to which the personal data has been provided. Typically, the data subjects in this relation are consumers of various online services that wish to switch between these service providers.

Article 6 of Regulation (EU) 2018/1807 does not provide for a right for professional users to port data, but has a self-regulatory approach, with voluntary codes of conduct for the industry. At the same time, it targets a situation where a professional user has outsourced the processing of its data to a third party offering a data processing service. In accordance with Article 3(8) of Regulation (EU) 2018/1807, a “professional user” can include “both natural and legal persons, including public authorities or bodies governed by public law, using or requesting a data processing service for purposes related to their trade, business, craft, profession or task”. In practice, the portability under Article 6 of the Free Flow of Non-Personal Data Regulation concerns business-to-business interactions between a professional user (which may qualify as a “controller” in accordance with the GDPR in cases that include the processing of personal data) and a service provider (similarly, to be qualified in some cases as a “processor”).

The Ministry of Digital Governance is responsible for matters of data governance, such as cloud infrastructures and interoperability. The National Cybersecurity Authority is the competent body for the security of information systems and access to data. Although the Regulation on the free flow of non‑personal data does not establish a new supervisory authority, its implementation often interacts with the HDPA, particularly when datasets are mixed and include both personal and non‑personal data.

The Hellenic Competition Commission also plays an important role, especially in relation to the enforcement of the Digital Markets Act (DMA). In Greece, the authority responsible for ensuring compliance with the DMA is the Competition Commission, particularly regarding the obligations imposed on gatekeepers, such as:

  • the prohibition on combining personal data for advertising purposes unless the user consents (Article 5(2) of the DMA);
  • the prohibition on using non‑public data generated or provided by the gatekeeper’s business users to compete against them (Article 6(2) of the DMA);
  • the obligation to provide access to data (Article 6(10) of the DMA); and
  • the obligation to provide access to search data (Article 6(11) of the DMA).

The use of cookies is governed by Law 3471/2006 and Recommendation 1/2020 of the HDPA. The basic requirement for the use of cookies is to obtain the prior informed consent of the subscriber or user of the terminal equipment. More specifically:

  • the consent requires a clear positive act (“opt-in”) and cannot be inferred (ie, preselected cookies, inferred acceptance by scrolling); and
  • consent must be given after the appropriate information of the subscriber or user, including the purpose of processing each cookie separately, the term of operation, the identity of the data controller, and the data recipients or categories of recipients.

As an exception to the above, prior informed consent is not required for cookies that are technically necessary to connect to the website or obtain the internet service requested by the subscriber or user, such as:

  • cookies necessary to authenticate the subscriber or user for services that require authentication (ie, for banking transactions via the internet);
  • cookies for the purpose of safety of the subscriber or user, such as cookies that detect repeated unsuccessful attempts to log in to the user’s account on a specific website;
  • cookies necessary for load balancing; and
  • cookies that “remember” the subscriber’s or user’s choices regarding the presentation of the website (ie, cookies related to the choice of language).

Cookies installed for the purpose of online advertising, either first-party or third-party cookies, and cookies for the purpose of statistical analysis (eg, Google Analytics) are not included in the above exceptions and require prior informed consent.

According to Law 3471/2006 for the protection of personal data in the sector of electronic communications, personalised or targeted advertising and other online marketing practices require the express consent of the data subject. Market research does not qualify as advertising to the extent that it does not conceal any commercial or other forms of advertising. Advertising communications through electronic means include:

  • emails;
  • messages through mobiles (SMS, MMS);
  • faxes;
  • instant messaging;
  • electronic messaging services, such as through social networking sites; and
  • calls without human intervention, such as through an automated call system.

If the data subjects have not given their prior consent, the above communications are considered unwanted (ie, “spam”), and the data subjects can file a complaint with the HDPA.

Exceptionally, advertising communications through electronic means can take place without the express consent of the data subject, provided:

  • the personal data has been acquired legally in the context of the sale of goods or supply of services or other transactions;
  • the personal data is being used for the direct marketing and promotion of similar goods or services; and
  • the data subject has been given the option to object in a clear and precise manner, easily and without cost, to the collection and use of his/her electronic personal data both at the time of collection of the data and in every message (Article 11 par 3 of Law 3471/2006).

Telephone calls with human intervention are permitted if the data subject has not objected to receiving such calls (“opt-out”) 30 days before such calls. The data subject can state his/her objection to either the data controller or the telephone service provider (mobile or fixed). All telephone service providers must keep a public record with the “opt-out” subscribers (Article 11 par 2 of Law 3471/2006, as amended by Article 16 of Law 3917/2011), accessible to anyone interested in direct advertising.

Minors can consent to the processing of their personal data if they are at least 16 years old and the data controller uses clear, accurate and simple language to inform the minors prior to obtaining their consent. When it comes to the internet and the provision of services to minors, minors can consent to the processing of their personal data if they are at least 15 years old. If minors are under this age, the consent must be granted by their legal representative – ie, parent or legal guardian. Profiling for promotional or marketing purposes is prohibited for minors.

Advertising communications must:

  • state clearly and precisely the identity of the sender;
  • include instructions for the recipient to object to and stop receiving further advertising communications; and
  • state their “commercial” nature in the message’s subject matter, if any.

The HDPA has issued Guideline 2/2011 with examples and best practices for obtaining the data subject’s consent electronically.

The organisation and management of work and the observance of the employer’s legal obligations require the processing of employees’ personal data. The provisions applicable to processing employees’ personal data (included in the GDPR and Law 4624/2019) are outlined below.

  • The legal basis for the processing of the personal data of the employees is the performance of the employment contract (Article 6 par 1 (b) of the GDPR). The legal basis for the processing of special categories of employees’ personal data is the exercise of rights or the performance of legal obligations deriving from employment law, social security law and social protection law (Article 9 par 2 (a) of the GDPR).
  • The legal basis of consent (Article 6 par 1 (a) of the GDPR) should be used only when there is no other legal basis for the processing of personal data of employees, taking into account the clear inequality between the data subject (employee) and the data controller (employer).
  • The basic legal principles governing the processing of personal data – namely the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy (Article 5 of the GDPR) – also apply to the processing of employees’ personal data. If any of the above principles is breached, the processing should be considered illegal.
  • The processing of employees’ personal data by means of CCTV in the workplace, whether publicly accessible or not, is permitted only if it is necessary for the protection of persons and property. Data collected through CCTV may not be used to assess employee efficiency and performance, nor to track working hours. Employees must be informed in advance in writing of the installation and operation of any CCTV system in the workplace.

The HDPA has issued many guidelines and decisions on the processing of employees’ personal data, including Guideline 115/2001 on the protection of employees’ personal data and Guidelines 1/2021 and 2/2020 on the protection of personal data in remote working (telework).

In business mergers and acquisitions, as well as during due diligence, where the exchange of information is necessary for the completion of the transaction, there is no specific legislation that sets out special requirements regarding the privacy and security of personal and non-personal data. Instead, the general legislation applies, including the GDPR and Law 4605/2016 on the protection of trade secrets, along with the provisions set by the parties in the Non-Disclosure Agreement, which usually deals with such issues. In addition, Law 3959/2011 on free competition provides for the cases that require notification of the merger to the Hellenic Competition Authority, which assesses the nature of the exchanged information as confidential.

The transfer of personal data from an EU member state to another EU member state may take place freely (Article 44 of the GDPR), provided the other provisions of the GDPR are met. The transfer of personal data from an EU member state to a non-EU country or international organisation may take place freely if the European Commission decides that such a non-EU country or international organisation ensures adequate protection for personal data. Such transfer shall not require any specific authorisation (Article 45 of the GDPR).

In the absence of such an adequacy decision by the European Commission, transfers of personal data to a non-EU country or international organisation may take place subject to appropriate safeguards provided by the data controller or data processor and on the condition that enforceable data subject rights and effective legal remedies are available. Such transfer shall not require any specific authorisation (Article 46 of the GDPR).

Appropriate safeguards may be provided by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard data protection clauses adopted by the European Commission;
  • an approved code of conduct; or
  • an approved certification mechanism.

In the absence of an adequacy decision and appropriate safeguards, transfers of personal data to a non-EU country or international organisation may take place only on one of the following conditions (Article 49 of the GDPR):

  • the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfer for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the data controller, or for the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent; or
  • the transfer is made from a register which, according to EU or member state law, is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by EU or member state law for consultation are fulfilled in the particular case.

For non-personal data, Article 4 of Regulation (EU) 2018/1807 states that free flow is the rule, and data localisation is the exception, if justified on grounds of public security in accordance with the principle of proportionality.

The GDPR does not provide a legal definition of the concept of “transfer of personal data to a third country or an international organisation”. In EDPB Guidelines 5/2021, three cumulative criteria are set out that must be met in order for a processing operation to be characterised as a “transfer”:

  • the controller or processor (“exporter”) is subject to the GDPR with regard to the specific processing;
  • the exporter discloses by transmission or otherwise makes available personal data that is subject to that processing to another controller, joint controller or processor (“importer”); and
  • the importer is located in a third country, regardless of whether the importer is subject to the GDPR for the given processing under Article 3, or is an international organisation.

Furthermore, according to EDPB Recommendation 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, remote access by an entity in a third country to data located in the EEA is also considered a transfer. Therefore, provided that the above criteria are met, remote access is regarded as a transfer.

In Greece, no authorisation is required for the international transfer of data, meaning that no specific registrations, notifications or approvals from national authorities are necessary for such transfers. Please see 5.1 Restrictions on International Data Transfers regarding international transfers of personal data.

However, the data controller or processor must enter the transfers of personal data in the records of processing activities (Article 30 of the GDPR), stating at least the recipient and the documentation proving the existence of appropriate safeguards. Such records, including records of transfers, should be made available to the HDPA upon request.

In general, Regulation (EU) 2018/1807 promotes the free flow of non-personal data across EU member states. EU member states can only impose localisation requirements for non-personal data if doing so is justified on grounds of public security, in compliance with the principle of proportionality.

In the above context, there are laws that require the localisation of non-personal data in sectors such as:

  • taxation and social security;
  • customs;
  • cybersecurity; and
  • specific sectors of the government regarding the Ministry of National Defence, the Ministry of Citizen Protection, the Ministry of Foreign Affairs, the Coast Guard of the Ministry of Shipping, the General Secretariat of Citizenship of the Ministry of Interior, the National Intelligence Service and the services of Criminal Records of the Ministry of Justice.

Please see 5.1 Restrictions on International Data Transfers regarding whether or not remote access to data is considered a transfer.

There are no “blocking” statutes in Greece, meaning there are no Greek laws or statutes that prohibit compliance with EU regulations. Every international transfer of personal and non‑personal data must comply with EU transfer rules. Requests for data transfers originating from third countries cannot be fulfilled unless they are consistent with these rules. Article 48 of the GDPR provides that any judgment of a court or decision of an administrative authority of a third country requiring a data controller or processor to transfer or disclose personal data may be recognised or enforced in any way only if it is based on an international agreement, such as a mutual legal assistance treaty, that is in force between the requesting third country and the EU or a member state, without prejudice to other grounds for transfer.

Greece is steadily investing in improving data governance, data protection and cybersecurity, and in upgrading its digital infrastructure. These initiatives align with the EU’s digital decade objectives and help to create the conditions for future developments and legal frameworks. As Greece’s digital maturity continues to grow, it is likely that new measures or further clarifications in the area of international data transfers will emerge in the coming years.

Psarras, Georgountzou - GKP Law Firm

8, Karneadou Street
Athens
106 75
Greece

+30 2107 2172 32

+30 2130 9939 65

georgountzou@gkplaw.gr www.gkplaw.gr