Despite the widespread use of cloud computing services, as yet there is no specific and uniform legislation set out to regulate them within Greece or the European Union. Instead, certain European-level legislative acts have been passed to partly fill this void by regulating certain aspects of the cloud computing services, such as data protection and cybersecurity. The E-commerce Directive (Directive 2000/31/EC), which was transposed into Greek legislation by PD 131/2003, contains specific rules in connection with the applicable law for information society services and is also applicable to cloud services. However, there are still several problems arising related to dispute resolution and applicable law based on the geographical location of the entity.
Cloud and Personal Data
In Greece, when it comes to personal data protection in cloud services, the EU's General Data Protection Regulation 2016/679 (GDPR) applies, alongside the local implementation Law No 4624/2019 on the Protection of Personal Data, which introduces specific criminal penalties for illegal processing of personal data, in addition to the administrative penalties already applicable under the GDPR.
According to GDPR provisions, the parties involved in cloud services are obliged to provide transparency on the purposes of data processing, to ensure that data subjects can exercise their rights to information, correction and deletion with respect to their personal data and to identify clearly the roles of data controllers and data processors. The latter appears to be particularly challenging in the field of cloud computing, with great variations between B2B cases and B2C cases. In B2C cloud services, the cloud provider is usually the data controller collecting and processing personal data relating to end-customers; in B2B cloud services, with businesses involved as customers, they are considered as data controllers with the cloud providers acting as data processors, even though the business customers do not have full control of the infrastructure used for the processing.
Among other obligations that the cloud providers are asked to fulfil – in compliance with the GDPR framework – is the duty to use suitable technical solutions, to ensure the appropriate level of security depending on the nature of data processed, to have in place mechanisms for data breach notifications and not to transfer this data to third parties except if an adequate level of data protection is proven, meaning that safeguards such as binding corporate rules, standard contractual clauses, an approved code of conduct or certification mechanism are in place.
Cloud computing services are largely connected to the subject of cybersecurity. In Greece, the legal framework that applies to cloud providers offering computing services, as digital service providers, is the Greek Law 4577/2018, which transposes the Network and Information Security Directive 2016/1148/EU (NIS).
Businesses falling within the scope of Law 4577/2018 have certain obligations, among which are: to adopt technical and organisational measures for the security of networks and information systems; to adopt measures to prevent and minimise the impact of incidents affecting the security of networks and information systems; to notify without undue delay the National Cybersecurity Authority and the Hellenic Data Protection Authority of incidents with a serious impact on business continuity, while providing additional information regarding the severity of the relevant incident and to co-operate with the competent authorities.
Another legislative act related to cybersecurity is Act No 3674/2008, which states the obligations of network operators and electronic communication service providers in terms of network security, decryption, system and supervision.
Other provisions relevant to confidentiality of communications concern the criminalisation of the various acts of unlawful interception and further use of unlawfully acquired communications data (see articles 370–370D of the Greek Criminal Code) and the prohibition of using such unlawfully acquired evidence in the criminal procedure (see Article 177 of the Greek Code of Criminal Procedure).
Use of Cloud in Regulated Sectors
As far as the public administration sector is concerned, the General Secretariat of Public Administration Information Systems of Greece (GSIS) has created cloud (g-cloud – government cloud) infrastructures, which can be used by government agencies to host their information systems. For the achievement of the abovementioned goals, the Greek Law No 4623/2019 and Law No 3979/2011 (the “e-governance” law) have been implemented, imposing on public administrations the obligation to acquire computer programs after conducting a particular market evaluation on cloud providers and other software solutions.
From a financial services point of view, sector-specific frameworks on the use of cloud services are included in Act No 2577/2006 and Act No 2597/2007 of the Governor of the Central Bank of Greece with regard to internal control and privacy systems for the banking sector, as well as in Law No 3431/2006 and Law No 2472/1997, to the extent that they do not conflict with the provisions of the GDPR.
Blockchain technology is applicable to a number of significantly differentiated services and areas of everyday life, including financial and insurance services, keeping of registers/records, smart contracts, (digital) governance, as well as the management of digital identity, supply chain and intellectual property rights. This new technology offers stability, full anonymity and, first and foremost, safety since data manipulation and falsification are, in practice, almost impossible.
There have been numerous initiatives at EU level aiming at promoting the use of blockchain technology for the purpose of achieving the goal of a "digital single market". A noteworthy example is the establishment of the Anti-Counterfeiting Blockathon Forum by the EUIPO, which was characterised as a “part of the broad EU strategy to create a blockchain ecosystem”. At national level, in 2018 Greece signed a joint declaration with six other EU member states (France, Spain, Italy, Cyprus, Portugal and Malta – the so-called "MED7") concerning promotion of the use of blockchain technology.
Risk and Liability
Blockchain technology does not interfere in the process of concluding the relevant agreement, which takes place prior to the use of the blockchain platform itself. Instead, it is for the purpose of fulfilling the mutual obligations undertaken under the agreement that the parties involved may choose to make use of the blockchain technology. As a result, the use of blockchain technology relies upon the will of the parties, constituting the means through which the objective of the contract will be met. A typical example could be a service/work delegation contract concerning the development of a secure pilot document registration and verification system on the basis of the blockchain methodology.
As a result, such a contract is subject to the rules governing any agreement concluded under private law. Contractual clauses shall principally identify the type and extent of the risk and liability to be undertaken by each of the parties involved. Such a risk allocation may be freely chosen by the contracting parties among the options offered by the national commercial law on the grounds of freedom of contract; blockchain per se will inevitably and profoundly be governed by this determination, which should further entail specific clauses targeting its operation in technical terms.
Intellectual property rights, in particular copyright, may be acquired (under the prerequisites established by law) for the creation of a work embodied in blockchain technology, such as the source code, the preparatory design material and the database itself, on the grounds of the original selection or arrangement of its content. In that case, a database may be qualified, under national copyright law, as the author’s own intellectual creation. However, the protection afforded does not extend to the contents per se of the database (which may attract the protection granted under the sui generis right afforded to the maker of a database). In addition, patent rights may also be sought provided that the conditions set by the law are fulfilled.
In terms of copyright, the most crucial aspect of such an acquisition is the determination, through explicit contractual clauses, of the issues of ownership, transfer and licence of the economic rights over a work (since moral rights are not transferable), and foremost of the right to use the work at issue and proceed to acts of economic exploitation. Where such an agreement is not expressly stated, the presumptions provided under the Greek Copyright Act are applicable; for instance, the economic right in a computer program created by an employee in the execution of the employment contract or in accordance with the instructions of the employer shall be ipso jure transferred to the latter unless otherwise provided by the contract.
Moreover, blockchain may significantly contribute to the achievement of a high level of protection. Blockchain is an effective medium through which proof of authorship may be achieved or, at least, significantly facilitated, through the provision of a certain date to a given work. Blockchain technology, in conjunction with "smart contracts", may prove valuable with respect to the core issue of copyright management, further entailing the control over unauthorised uses of copyright-protected content, as well as ensuring the effectiveness of the authors’ reward through innovative, transparent and accurate methods.
Blockchain has also been considered a tool for the digital exhaustion of rights. It is true that the clearance of rights and the identification of the holder of rights over a work remains, in many cases, a difficult task (due to the absence of relevant records and/or databases). In addition, collecting societies are bound by strict obligations (especially since the establishment of Law No 4481/2017 implementing into the national legal order Directive 2014/26/EU) that refer not only to the distribution of the amounts due to right-holders but also to their obligation to achieve and retain a high standard of governance, transparency, accountability, reporting and financial management. In this regard, blockchain could benefit both copyright and related rights-holders (by means of a complete and accurate database through which distribution could take place even in real time and in differentiated levels) and users (facilitating the payment of the compensation due for the use of protected content, while also providing for legal certainty and transparency).
The question of whether distributed ledgers are capable of being squared with the European Union's General Data Protection Regulation (GDPR) has emerged during the past few years. Conflicts arise due to the decentralised nature of the data entered into a blockchain – contrary to the GDPR’s underlying presumption of a data controller that is at least one natural or legal person – and to the immutable character of such a chain, which ensures data integrity and increases trust in the network but runs contrary to the GDPR’s presumption that data can be modified and erased where deemed necessary. A number of policy options (“concrete policy recommendations”) have been proposed by the European Parliament in order to explore the opportunities offered by new technologies, consisting of regulatory guidance, support of codes of conduct and certification mechanisms (concerning the legal framework’s applicability), and interdisciplinary research funding and promotion. Moreover, the data that may be entered into a blockchain concerns, on the one hand, the identification of participants and secondary users and, on the other hand, the complementary data registered within a given transactional framework. On these grounds, an ad hoc evaluation and examination of the suitability of blockchain in relation to other technologies, in terms of the objectives pursued and the specific characteristics of the personal data processing at issue, has been proposed by, among others, the CNIL (Commission Nationale de l'Informatique et des Libertés), which could further entail a data protection impact assessment (DPIA).
The case-by-case analysis suggested shall consider a number of crucial issues, such as the choice of jurisdiction and special conditions introduced by Law No 4624/2019 (implementing the GDPR) concerning, indicatively, minor consent, the lawfulness of employees’ consent, and the interrelation of personal data processing with freedom of expression and information.
The general rules applicable to other technology-related services and transactions apply mutatis mutandis to this innovative field. Such service level agreements shall incorporate terms on the subject-matter of the service provided; on the users’ rights (such as the extent of the access permitted), duties (ie, confidentiality) and liability in the case of a breach of the contract; and on the role of service providers and of any other person participating in the transaction at issue, given the need to determine in advance, and in a clear and unambiguous manner, the consent of the parties involved as regards risk allocation and liability. Other issues to be covered are those of technical support, of the interrelation between the agreement concerning the use of blockchain technology per se and other contracts (to which blockchain is attached), as well as of the application of the general service commitment to blockchain, especially in the case of the latter’s unavailability, suspension or termination.
The mandatory rules applying under differentiated national regimes should be principally taken into consideration, as further complemented by regional law – for example, Regulation (EC) No 593/2008 on the law applicable to contractual obligations (Rome I). Moreover, parties are encouraged to adopt a specific clause on alternative dispute resolution methods by reason of the drawbacks inevitably implied in court litigation (ie, its time-consuming character). In any case, the applicable law is also relevant to procedural law as related to the crucial issue of evidence, since blockchain may have specific implications on the taking of evidence as related to the proof of titles of ownership, of transactions, of the certain date on which factual circumstances took place, etc.
Businesses planning to run big data projects processing personal data in Greece need to consider the General Data Protection Regulation and Law No 4624/2019. Such businesses are required to ensure a high standard of personal data protection; alternatively, they may use fully anonymised data sets, which do not fall within the scope of the GDPR.
As regards the use of non-personal data, businesses should take note of Regulation 2018/1807 on the free movement of non-personal data, which entered into force on 28 May 2019 and is applicable in Greece. It introduces the principle of the free flow of non-personal data across borders and prevents countries from setting barriers (eg, data localisation restrictions) that unjustifiably force data to be held exclusively within national territory.
Developments are expected in Greece concerning open data and public sector information. The Greek Code on Access To Public Documents and Data implements EU legislation on the re-use of public sector information, establishing the principle of availability of public administration information, in accordance with which citizens have the right to immediately access and reuse public information. An amendment to national legislation is imminent, as a new Directive governing the topics of open data and the re-use of public sector information (Directive (EU) 2019/1024) is to be transposed into national legislation by 17 July 2021.
Artificial Intelligence (AI) and Machine Learning (ML)
Since AI systems analyse vast amounts of data in order to function and improve their performance, whenever personal data forms part of the large pools of data used in an AI system’s algorithmic decision-making process, this activity must be in compliance with Law 4624/2019 and the GDPR.
Data subjects have the right to object to decision-making based solely on automated processing, including profiling. Where such decision-making exists, meaningful information about the logic involved in the process, as well as its significance and its envisaged consequences ought to be provided to the data subjects.
The Greek Civil Code sets out five conditions that need to be fulfilled in order for tortious liability to be attributable to a party: (i) human behaviour, (ii) illegal action, (iii) fault, (iv) damage and (v) a causal link between the behaviour and the damage. It is apparent that where a system operating in the spectrum of autonomy causes damage, a number of these conditions are challenging, if not impossible, to substantiate, particularly the requirement of determining a party’s fault and the causal link between the human behaviour and the damage that occurred.
In addition, all AI technologies in Greece ought to meet the essential health and safety requirements laid down in the EU safety legislation, as it has been transposed into Greek law, such as Directive (EC) 2006/42 on machinery (the safety legislation applicable to robots), Directive 2014/53/EU on radio equipment (which applies to all products that use the radio frequency spectrum, including embedded software), and Directive 2001/95/EC on general product safety (which aims to ensure that only safe consumer products are placed on the market).
The EU product liability regime is complementary to that of product safety. It was introduced by the Product Liability Directive (D 85/374/EEC) and was implemented by amendments of the Greek Consumer Protection Law No 2251/1994. The existing framework regulates all types of products and is also applicable to new digital technologies. The Greek Consumer Protection Law establishes a strict liability regime under which producers of defective products are held liable when such products cause damage to natural persons or their property, while the injured consumers are not required to prove the fault of the producer.
So far, the current legal framework of extra-contractual liability can be applied to damages caused by robots or AI. However, as the new generation of AI edges closer to operational autonomy and behavioural unpredictability through its capacity to analyse and learn from its environment, the legal responsibility arising from its harmful actions is bound to present a point of contention across most jurisdictions, as the natural person at fault for damage caused by an AI system will become increasingly difficult to identify.
In the absence of a specific tortious liability regime covering advanced AI, it is recommended that businesses and organisations that aim to operate in the nascent AI scene in Greece act in a proactive manner by contractually regulating liability for such systems and investing in insurance coverage.
Greek Copyright Law (Law No 2121/1993) is human-centric, as it is traversed by the “principle of truth” according to which only a natural person shall be considered as the author of a work.
As regards computer programs, their copyrightability depends on whether they can be considered as the “author’s own intellectual creation” (in accordance with the criterion of originality that applies to all types of works under CJEU case law). This prerequisite is fulfilled where the author made “free and creative choices” while creating the work. Therefore, it is evident that devices cannot be recognised as “authors”, and consequently any work they produce cannot be qualified as copyright-protected content. Computer-generated and AI works may only be protected if the prerequisite of “human intervention” is fulfilled (ie, through the selection of the data to be entered into a machine or of the parameters determining the objective of the machine’s activity); conversely, works autonomously and exclusively produced by information technology systems are not copyrightable. Accordingly, non-humans are excluded from the relevant scope ratione personae.
There are two cases where the national legislator recognises legal persons as potential copyright holders over a work; the first concerns computer programs and the second refers to databases where it is clearly provided that the maker of a database enjoying the sui generis right over its content is either the natural or the legal person taking the initiative and bearing the risk of the “substantial investment”.
Moreover, computer programs are also excluded from patentability according to Law No 1733/1987. The legal definition of the invention for which patent protection may be sought (including inventions embodied in software), requires novelty, inventive activity and susceptibility of industrial application.
Finally, the copyright reform recently established at EU level under Directive 2019/790/EU, which provides a new exception concerning text and data mining, is relevant to the issue at hand. However, the relevant implementation procedure in Greece has not yet been concluded.
For all these reasons, and on the basis of the absence of a tailor-made legal framework, it is highly recommended that the issues of ownership and transfer of rights in such work, as being specifically related to their further use and economic exploitation, are regulated by contract law by the means of appropriate and detailed contractual clauses.
The European Commission’s High-Level Expert Group on AI has published a set of Ethics Guidelines for Trustworthy Artificial Intelligence, identifying the core characteristics of trustworthy AI (lawful, ethical, robust), as well as several principles that AI systems should meet in order to be deemed trustworthy. On 26 June 2019, the same group published its second paper on the subject, entitled Policy and Investment Recommendations. Greece and other OECD and partner countries formally adopted the OECD Principles on artificial intelligence in 2019, agreeing to uphold international standards that aim to ensure AI systems are designed to be robust, safe, fair and trustworthy.
The Internet of Things (IoT) – interconnecting people, devices, household appliances, mere objects and procedures – has been considered as the new digital revolution. The main areas of the IoT’s applicability relate to the notions of the "smart home", "smart cities" and "smart industry"; in all cases, the IoT entails two key actors, technology providers and end-users.
The two main areas in relation to which the establishment of high technical standards is considered as necessary are the protection of personal data and security. The first area of interest derives from the large amount of data generated, collected and combined by the IoT, while the second is related to applications that may be subject to severely damaging security threats.
The EU policy aims at addressing and eventually resolving the core issues of interoperability, ubiquity, end-to-end security and trust, exploring the possibility to introduce a certification standard for IoT and networked devices in accordance with the principle of net neutrality and integrity.
An extremely wide range of different devices are involved in IoT applications related to smart homes, smart cities, smart energy and mobility, health and the agricultural sector. This creates a number of implications and specific requirements in terms of the interoperability and security of IoT devices. In addition, privacy issues need to be taken into account due to the data collected by the sensors embodied in such devices.
In regard to the sale of IoT devices, and in the absence of a tailor-made regime, the traditional national rules on the seller’s liability, guarantees and other relevant issues are applicable. Accordingly, in Greece, end-users as consumers are protected under the consumer protection law. Of further relevance are the legal provisions concerning the import and distribution of products (covering, for instance, the interference of a commercial agent or the conclusion of an exclusive distribution contract).
The main objective pursued under the IoT technology is to offer end-users an enhanced control over differentiated devices by means of a connectivity network – ie, via the internet. As a result, the providers of the connectivity services (primarily, wireless networks) must comply with numerous rules provided by the EU and national law. In particular, electronic communications, networks and devices are covered by the European Electronic Communications Code (EECC), the roam-like-at-home rules established in 2017 under the respective regulation, and the 2002 e-Privacy Directive (implemented in Greece by Law 3471/2006) that introduced new rules for privacy in the digital age.
A number of initiatives at EU level have taken place, including the European Commission Staff Working Document on liability for emerging digital technologies, as well as the Digital Single Market Strategy, under which the importance of legal certainty for the roll-out of the IoT had been addressed.
Data Privacy and Cybersecurity
The effective regulation of data privacy and cybersecurity issues is of great significance in the IoT realm. In this regard, the principle of data protection by design and by default constitutes a crucial aspect of the required compliance. Moreover, the techniques promoted by the GDPR and referring to the data’s anonymisation, pseudonymisation and encryption are considered to encourage the use of IoT in conjunction with the use of other, complementary, tools such as data protection certifications and data protection impact assessments as provided by the law.
The greatest challenge the IoT faces is its full compliance and compatibility with security, liability, privacy and data protection law, the objective of which lies in the enhancement of transparency, in the verification (and liability) of the data controller, in the restriction of indiscriminate collection, processing and overall use of personal data, in the rights afforded to data subjects, as well as in the periodical inspection of all the relevant procedures.
With respect to cybersecurity, the Ministerial Decision harmonising the Greek regulatory framework with Directive 2016/1148/EU (NIS Directive) was issued in October 2019, in execution of Law No 4577/2018 (implementing the NIS Directive into national law). According to the aforementioned instruments, new system security measures are required from industries operating in e-commerce and information society services, providing also for a number of sanctions in case of non-compliance.
Moreover, in terms of the relevant standards and guidelines, ETSI, the European Telecommunications Standards Institute, has released a cybersecurity standard for consumer IoT security.
According to the European Commission, the provision of data through an IoT system shall be considered as a service. Therefore, the standard rules governing product safety and liability in cases of infringement shall not be applicable in this field. On the other hand, the rules governing information service providers’ liability may be applicable in the case at issue, especially as regards electronic communications, protection of personal data and the confidentiality of information (covering, in addition, copyright infringement cases), as well as the traditional contract regime. At EU level, an amendment is currently being examined, aiming at the avoidance of fragmentation and at the fostering of interoperability.
An organisation entering into an IT agreement with a local organisation in Greece currently faces various challenges deriving from the fast-paced evolution of technology, the constant changes in market needs and the continuously increasing level of expertise that industries are called to demonstrate in order to maintain a high-level technology profile.
In Greece, IT service agreements are mainly ruled by the provisions set out in the Civil Code and Commercial Code, as those may be amended from time to time. Over and above the domestic legislation, Greece, as a member of the EU, follows closely the lines set out by EU legislation, whether this may be through the adoption of directives or the implementation of regulations.
The majority of organisations, in their effort to reduce cost and mitigate related risks, turn to innovative licensing models involving cloud computing services, such as software as a service, platform as a service and infrastructure as a service.
The common denominator of all these licensing models is the importance of the internet and the absence of, respectively, a centrally/locally hosted software, platform and infrastructure.
Scope of the agreement
Although most IT service agreements take the form of software licences, some of them tend to be a lot more complex. In many cases, the organisation procuring the IT services provides a solution including multiple components. This is important to bear in mind when drafting an IT service agreement so as to avoid any ambiguity, to make explicit description of the parties’ obligations, to include charges covering all the components and to foresee all possible risks that may lead to a breach of contract or exposure to liabilities.
The ability to customise an IT solution gives to the procurer an important advantage in comparison to its competitors. Some companies prefer a customised IT solution not through a licensing model but, instead, through a software development agreement. Other companies prefer the licensing agreement with the customisation it offers; this customisation, alongside the integration that may be required, creates a new set of provisions that need to be included in the agreement, especially those referring to timelines, failures, rectifications and quality controls.
Recipient of the IT service (B2B – B2C)
A significant factor that an organisation procuring IT solutions must take into consideration when entering into agreement with an organisation in Greece is whether this solution will be ultimately addressed to other businesses (B2B) or to consumers and individuals (B2C). In the first case, contracts between professionals are generally ruled by the parties’ freedom in agreeing the content and extent of their rights and obligations under the agreement. In the second case, however, and apart from the Greek applicable law, there is in place a rather elaborate body of consumer laws, primarily driven by EU initiatives and instruments, aiming for the protection of the weaker party, which is considered to be the consumer, and prohibiting unfair terms, abusive clauses and clauses that have not been negotiated between the parties.
Service Level Agreements (SLAs) must be carefully drafted to include such items as the availability uptime, back-ups, disaster recovery, schedules of maintenance, and support means and response times, while taking into account the continuity of the business and the possibility of termination of the agreement.
Dispute resolution mechanism
In Greece, alternative dispute resolution mechanisms (mediation, arbitration) have not hitherto been dominant, but they now appear to be gaining ground against court proceedings, with new legislation reinforcing the role of mediation by rendering it mandatory in many cases before the initiation of court proceedings.
IPR warranty and indemnities
One of the clauses that has been traditionally included in almost all software and IT-related agreements, which refers to the IPR warranty and the provision of indemnity from the original provider, remains a necessity today, even in cloud computing agreements. The risk of a third party claiming ownership of software licensed to the organisation and thus prohibiting use of the licensed software and interrupting the business continuity is still present and should be taken into account for indemnity provisions.
All software and IT services or IT-related agreements include clauses that limit extensively the liability of the provider. Drafting an IT service agreement must therefore include back-to-back provisions, which fully cover intermediary parties (in cases of B2B) and end-customers (in cases of B2C) against the original provider of the IT service. A clause of major importance is the one setting a liability cap for the provider – this cap is usually a multiple of the contract value.
From a judicial point of view, in B2C agreements, where the aim is the protection of the individual consumer, clauses that extensively limit the liability of the professional towards the consumer (especially if the terms have not been negotiated) are usually considered abusive and, thus, null and void. On the other hand, in B2B agreements, where the parties usually have similar bargaining power, the freedom of the parties prevails, unless one party has acted maliciously or in a grossly negligent manner, or has acted without previous experience and knowledge of this kind of agreement, thus being at a disadvantage while bargaining with its counterparty.
This section focuses on the analysis of the key principles of the legal framework for the protection of personal data in Greece. It refers to data of natural persons and does not apply to corporate data. However, there is one exception related to unsolicited communications, as the e-Privacy law stipulates that provisions on unsolicited communications also apply to communications addressed to legal entities.
The Greek Data Protection Regime
In Greece, the data protection regime is primarily set out in the General Data Protection Regulation 2016/679 (EU) (GDPR) and Law 4624/2019, which implements the GDPR and transposes Directive (EU) 2016/680 into national law. Moreover, while the e-Privacy Law (Law 3471/2006) applies mainly to the electronic communications sector, certain of its provisions are not sector-specific, such as the provisions on unsolicited communications.
Application and Scope
The provisions of Law 4624/2019 apply to the processing of personal data wholly or partly by automated means, as well as to the non-automated processing of such data which is or will be included in a filing system, by: (i) public bodies or (ii) private bodies, unless the processing is carried out by a natural person in the course of a purely personal or household activity.
The provisions of Law 4624/2019 apply to public bodies. They apply to private entities provided that: (i) the controller or processor processes personal data within Greek territory; (ii) the personal data are processed as part of the activities of a controller or processor established within Greek territory; or (iii) a controller or processor not established in the European Union or in the EEA performs processing activities that fall within the scope of the GDPR (as defined in Article 3 of the GDPR).
Distinction between public and private
Law 4624/2019, unlike the GDPR, makes a distinction between public bodies and private entities. The majority of its GDPR-implementation provisions refer to public entities, which include public authorities, independent and regulatory authorities, public law legal entities, local administration bodies and their legal entities, and private law legal entities owned, controlled or subsidised by the state to the extent of at least 50% of their annual budget.
Principles of Data Processing
Processing of personal data must meet the following fundamental data protection principles.
The legal basis for the lawful processing of personal data, according to the GDPR, may be consent, performance of a contract with the data subject, compliance with a legal obligation, protection of the individual’s vital interests, performance of a task carried out in the public interest or protection of the controller’s or a third party’s legitimate interests. For special categories of data (eg, data relating to health, race, political or religious beliefs), processing is prohibited unless one of the conditions defined in Article 9 paragraph 2 of the GDPR applies (eg, explicit consent, processing necessary for preventive or occupational medicine, etc).
According to Article 21 of Law 4624/2019, minors over 15 years old can provide consent for the processing of their data on their own, whereas processing of data of minors under 15 years old requires the consent of the legal representative, most commonly a parent.
In its recent Decision No 26/2019, the HDPA imposed a fine on a controller for invoking consent as the legal basis for processing personal data of employees, thus giving them a false impression that processing of their data depends on their consent.
Transparency and fairness
Processing of personal data must be carried out in a fair and transparent manner. Controllers must provide data subjects with clear information concerning the processing of their data (eg, which data is processed, how, why, by whom, the recipients of the data). This information must be provided in a brief, easily accessible, comprehensible, clear and simple manner.
Personal data must be collected by controllers for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered incompatible with the initial purposes.
Article 24 of Law 4624/2019 provides that the authorities may process personal data for different purposes when such processing is necessary for them to exercise their duties. When it comes to private entities, processing of data for different purposes is allowed following a request from the authorities for reasons of national and public security, if it is necessary for the prosecution of criminal offences, or for the establishment, exercise or defence of legal claims, which are not overridden by the interests of data subjects (Article 25 of Law 4624/2019).
Controllers must only process as much data as necessary. Data processed should be adequate, relevant and limited to what is necessary for the purposes of processing.
Indicatively, the HDPA has issued Opinion 4/2013 and relevant official decisions restricting the processing of criminal records and providing that, if not required by law, these should be replaced by solemn declarations of employees which would only refer to convictions for specific crimes related to the main activity of the controller.
Personal data must be accurate and kept up to date. In this context, the immediate erasure or rectification of inaccurate data is mandatory for controllers.
Personal data should be retained for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, for scientific or historical research or statistical purposes subject to implementation of the appropriate technical and organisational measures.
The HDPA has defined specific retention periods (eg, Opinion 1/2011 on CCTV defining a retention period of 15 working days, without prejudice to sector-specific provisions) in certain cases where no statutory retention period is defined.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Any breach of confidentiality, integrity or availability by "accidental or deliberate action" constitutes a data breach.
According to the principle of accountability, controllers and processors must design their processes and technical and organisational systems in such a way that they can prove before the supervisory authorities or courts that they are fully compliant with the applicable framework for personal data (Law 4624/2019, GDPR). The introduction of the principle of accountability shifts the "burden of proof" of compliance from the data protection authorities to controllers and processors. The GDPR provides controllers and processors with a range of regulatory methods and tools for this purpose, such as:
International Data Transfers
The applicable personal data protection legal framework imposes restrictions on the transfer of personal data outside the European Economic Area (EEA), to third countries or international organisations. Personal data may be transferred outside the EEA, where the recipient of the personal data has provided adequate safeguards (eg, model clauses and/or binding corporate rules) or if the Commission has made an “adequacy decision” – in other words, if it has decided the country has an adequate level of data protection. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.
In addition, according to Article 75 et seq. of Law 4624/2019 (implementing Directive (EU) 2016/680), provided that the statutory requirements are met, transfers of data to authorities in countries outside the EEA or to international organisations are also allowed in the context of the prosecution of criminal offences.
The Hellenic Data Protection Authority has issued several decisions on cases related to employee monitoring, involving surveillance cameras, monitoring the employees’ phone calls, installing GPS systems on vehicles or portable corporate devices and on monitoring employee use of computer resources – for example, by gaining access to their documents, their emails or their web browsing history.
The core of the assessment rests at the balance between the legitimate interests of the employer and the rights and freedoms of data subjects. On one hand, there is the right of economic and business freedom (Article 5 paragraph 1 of the Greek Constitution) and the employer’s managerial right; on the other hand, there is the right of protection of an individual's personal data (Article 9A of the Greek Constitution) and of an individual’s private life and correspondence in general (Article 8 of the European Convention on Human Rights).
The General Data Protection Regulation 2016/679 (GDPR) defines the main provisions on processing of personal data in general, which also apply to employment relationships. The Greek Law (Law 4624/2019) on data protection includes specific provisions regarding processing of personal data by employers. In particular, Article 27 paragraph 1 provides that personal data of employees may be processed for the purposes of the decision making of an employment contract or for the execution of the contract, provided that this processing is absolutely necessary. As per paragraph 5, the employer takes the appropriate measures in order to make sure that the data processing is undertaken in light of the principles of Article 5 of the GDPR, outlined below.
Employee consent should not be used as a legal basis for monitoring computer resources, considering that such consent can be revoked at any time and is highly unlikely to be valid and to meet the criterion of being freely given, due to the unequal nature of the employment relationship. This was emphasised in the 115/2001 Guidelines of the Hellenic DPA regarding the processing of employee data, and has also been confirmed in the recent HDPA Decision 26/2019, which imposed a fine of EUR150,000 on an employer for requesting employees’ consent to this end, where it had been made clear that the consent of employees would not be freely given, taking also into account that monitoring or review of employees’ use of computer resources would have occurred even if employees had not given their consent.
For employers to monitor the use of computer resources by employees, they need to demonstrate that such processing is necessary and proportionate in order to pursue their legitimate interests. Recent decisions by the Hellenic DPA (43/2019 and 44/2019) contain very useful analysis on the conditions that need to be fulfilled for such processing to be legitimate. Both cases referred to targeted investigations of employees’ computer resources triggered by suspicions of illegal conduct. However, in the first case the HDPA found that processing of personal data was lawful, whereas in the second case it was not. One of the key factors that differentiated the outcome was the fact that, in the first case, clear policies were in place informing employees that private use of corporate computer resources was prohibited and that the contents of their communication and other records could be accessed by the employer; also, actions were taken by the employer to minimise processed data. In the second case, no such policies and privacy notices were in place, and the employer had not taken actions to comply with the GDPR.
As pointed out in HDPA Decision No 34/2018 and in the Bărbulescu v Romania case of the ECHR, the difference between constant monitoring of an employee and general control over his or her personal data, as opposed to a specific and targeted investigation prompted by suspicion of illegal conduct, is critical when evaluating the legitimacy of an employer’s monitoring actions. The use of the employer’s computer resources is not by itself adequate to justify the employer’s right to access or monitor the use of such resources by the employee. A clear policy is required, informing employees whether the use of computer resources for personal reasons is permitted and clarifying whether any monitoring takes place, the purposes of such monitoring or access by the employer, and the processes followed to ensure compliance with the principles applicable to data processing. However, even when the employee has been informed that personal use is not allowed, this is not in itself a legitimate reason to justify constant monitoring in the absence of reasonable suspicion of misconduct. Knowledge of the employee is required, as was held by the ECHR in Bărbulescu, where the court opined that the employee has to be informed in advance “of the extent and nature of his employer’s monitoring activities, or of the possibility that the employer might have access to the actual contents of his communications”. The legal context differs when there is reasonable suspicion of illegal conduct by the employee. In such a case monitoring is not general and constant; instead, it comes as a result of the reasonable suspicion of illegal actions by the employee.
Regarding the surveillance of an employee's computer use, the Hellenic DPA has stated that the employer's interest is best served by preventing the misuse of the internet rather than detecting it. The employer shall inform the employee of the presence, use and purpose of any misuse detection, unless there are important reasons that justify the continuation of covert surveillance, which is not common. Immediate notification of the employee can easily be achieved using software, such as warning windows that open and alert the employee that the system has detected unauthorised use of the network and/or has taken steps to prevent it. As regards the monitoring of an employee’s email, the Hellenic DPA seems more reluctant: continuous monitoring of employees’ emails can only be considered necessary in exceptional cases, as opposed to targeted investigations.
It is assumed that employees have a legitimate expectation of some degree of privacy in the workplace, regardless of whether they use equipment and resources owned by the employer. However, it is important that a balance between the employer’s right to operate his or her business effectively and the employee’s right to privacy is established.
Technology neutrality is one of the key principles of the EU framework for electronic communications, which is fully implemented and applicable in Greece. Regulations are not drafted in technological silos as a means to push the market toward a particular structure that the regulators consider optimal; regulatory principles apply regardless of the technology used. Regulations may impose a given technological solution only as a means to limit harmful externalities, such as radio interference. Consequently, legal requirements in relation to networks/services and devices/equipment depend on the nature of the activities undertaken and not on the technology used.
Regardless of the specific technologies used to provide a network or a service, the applicability of the electronic communications regulatory framework depends on whether it falls within the scope of an electronic communications network (ECN) and/or an electronic communications service (ECS). ECNs encompass any transmission system used to convey signals, operated for public or private use, including wireless networks (eg, mobile, WiFi) and cable (eg, IP broadband networks). ECS encompasses any service consisting in the conveyance of signals by means of an ECN, but excludes content services as well as information society services.
In the EU’s new telecoms code (Directive 2018/1972), the definition of “electronic communications service” has been expanded to include any interpersonal communications service provided over the internet, including VoIP services, messaging apps and email services that do not use telephone numbers. This code must be transposed into national legislation by the end of December 2020. Meanwhile, in June 2019 the ECJ delivered a preliminary ruling in Case C-142/18, Skype Communications Sàrl, on whether VoIP-calling apps fit within the definition of an ECS under EU law. In its decision, the ECJ found that SkypeOut was a regulated communications service because Skype assumes responsibility for transmitting calls to telephone numbers: it charges customers for making calls and enters into agreements with telecom service providers to terminate calls.
Product/Service Prior Requirements
All electronic communication services/network providers must obtain a general authorisation for their services in the form of a declaration statement to the EETT, submitted through the online application system for electronic communication providers. Electronic communications activities may commence immediately upon filing a complete registration declaration and paying the applicable administrative fees.
Radio equipment is regulated in Greece by Presidential Decree 98/2017, transposing Directive 2014/53/EU (the Radio Equipment Directive, RED). Radio equipment includes any electrical or electronic product which deliberately broadcasts and/or receives radio waves for radio-communication and/or radio-tracking purposes, or any electrical or electronic product that has to be completed with a component (ie, an antenna) in order to broadcast and/or receive radio waves for radio-communication and/or radio-tracking purposes.
According to Law 4070/2012, as amended, the National Telecommunications & Post Commission (EETT) is the competent authority for issues concerning conditions of use and placing on the market of terminal and radio equipment. The provisions of PD 98/2017 are not applicable to radio equipment that is used exclusively for activities related to public security, defence, and state security.
Radio equipment has to be labelled according to PD 98/2017 (RED 2014/53/EU) and must be constructed to meet the following essential requirements:
Restrictions on putting into service and authorisation-of-use requirements must be presented in accordance with Regulation (EU) 2017/1354. No regulatory fees apply to this procedure.
Network and Service Provider Obligations
Regardless of the technology used, if an entity is operating a communications connectivity network or providing electronic communications services, the following legal framework is applicable.
All electronic communication services/networks
The main legal framework setting the obligations of ECN/ECS providers consists of Law 4070/2012 and secondary regulatory decisions issued by EETT, decisions of the Hellenic Authority for Communication Security and Privacy (ADAE), Law 3471/2006 on data processing and privacy in the electronic communications sector and decisions of the Hellenic Data Protection Authority (HDPA), as well as Law 4002/2011 on games of chance. Obligations under the above framework include, indicatively: interconnection, access to networks and local loop, terminal equipment, consumer protection, collection and sharing of facilities, e-privacy, lawful interception, protection of public and national security and IP access-blocking obligations (eg, for illegal gambling websites, as identified in the blacklist regularly updated by the Hellenic Gaming Commission).
All telecoms operators are obliged to obtain individual rights to use frequencies or numbers and the appropriate licences for every antenna they use. The relevant framework was reviewed in 2019 with Law 4635/2019 and EETT’s new Regulation 919/26/2019 on the licensing of antennas and base stations.
With the exception of licence-exempt spectrum bands for all wireless services, an individual right to use frequencies is required and is granted by the competent authorities upon a relevant request. Where the number of rights of use of frequencies is limited, the EETT usually awards them through auctions.
Spectrum licences and applicable secondary legislation specify the permitted use and the technical characteristics of equipment that may be used, taking into account the principle of proportionality and technological neutrality.
Licence fees: ECNS providers pay annual fees for general authorisations and for rights of use of spectrum and numbering resources.
ECNS providers are obliged to use radio equipment that allows efficient exploitation of the spectrum allocated in order to avoid harmful interference and to comply with the equipment standards established by the National and European Authorities and ETSI.
Lawful interception: the right of communications privacy is established by Article 19 of the Greek Constitution. The lifting of privacy for specific crimes and subject to defined procedures and conditions is governed by Law 2225/1994 (as amended by Law 3115/2003 and in force) and by Presidential Decree 47/2005 which sets out procedures as well as technical and organisational safeguards. Special provisions on the lifting of privacy are also found in Law 3471/2006 on Data Protection in the Electronic Communications Sector, Law 3674/2008 on the enhancement of the framework on privacy of telephony services, Law 3917/2011 on Data Retention and the Electronic Communications Law 4070/2012, as well as the Regulation on General Authorisations. Operators are required to assist the Greek authorities to lawfully intercept telecommunications messages after the intervention of the public prosecutor by issuance of a written order, when a major crime is investigated and under the supervision of the ADAE.
Internet access providers
Internet access providers must also comply with Regulation (EU) 2015/2120, concerning open internet access and directly applicable Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the EU, as in force, and any relevant EETT delegated decision issued under this Regulation.
They also have certain obligations regarding the set-up of name servers and, in particular, the "time to live" (TTL) parameter, in accordance with the relevant RFCs.
In case of non-compliance with the aforementioned obligations, administrative sanctions can be imposed by a reasoned decision of the EETT, including fines of up to EUR3 million and/or the suspension or revocation of the provider's authorisation or rights of use.
The provision of television and radio services via terrestrial digital technology (using radio frequencies allocated for broadcast television and radio digital signal) requires a network provider of electronic communications and a content provider. The EETT completed the procedure for the first licence for digital television network, which was awarded to Digital Provider Inc (Digea). The main activity of Digea is to serve all licensed programmes under the same conditions (ie, non-discriminatory treatment), providing networking and multiplexing, as well as network broadcasting for any legitimate TV station wishing to use its services. In essence, Digea creates the network and transfers the content of the channels, as delivered to its systems.
According to national legislation, in order to obtain a licence for pay-TV via cable or satellite, the filing of a petition by any company in the EU having the form of a société anonyme is required. There is no limit on the number of licences granted and there is an obligatory period within which the licence must be either granted jointly by the National Broadcasting Council (ESR) and the relevant Minister or refused.
Licensing for terrestrial pay-TV and free-to-air TV takes place on the basis of a tender/auction. Law No 4339/2015, as in force, defines the process and key conditions for the award of licences to digital terrestrial TV content providers. It specifies the extent of the investment, financial reliability, experience and existing position in the market in order to avoid concentration, as well as the kind of programmes that will be transmitted.
According to the applicable legislation (Law No 3592/2007), controlling more than one licence holder in the television or radio sector is prohibited. Everyone is allowed to participate in the ownership structure of more than one licence holder in television or radio to the extent that they do not control more than one; control over a licence holder is established when an entity can substantially influence the decision-making process or has the power to appoint at least one member of the board of directors or an administrator in another operator. Foreign investors have the opportunity to participate in broadcasting activities in Greece, subject to the generally applicable restrictions.
The concentration of media is prohibited. Concentration in media is considered to occur if an undertaking acquires a dominant position that is defined in Law No 3592/2007, which provides also for complementary application of Competition Law No 3959/2011. The Hellenic Competition Commission is the competent authority to consider competition law issues in the media sector, including issues of concentration.
Nevertheless, Law No 4339/2015 (as amended by Law No 4487/2017) sets the following restrictions on shareholders holding more than 1%, board members and legal representatives of entities that participate in tenders for digital terrestrial TV content providers: (i) no convictions by irrevocable court decision for specific crimes; and (ii) no participation in any manner in companies conducting research in the radio or TV market, in advertising companies, or in companies conducting telemarketing. The law also refers to the general prohibition on participation in companies that execute public contracts and requires licence applicants to submit evidence proving how the applicant acquired the financial means used or intended to be used for the operation of the content provider.
Regarding digital radio free broadcasting (DAB), an auction was launched by EETT for the awarding of rights to use radio frequencies of terrestrial digital radio free broadcasting of national and regional coverage in 2018. No licence was awarded through this process, resulting in analogue radio FM stations in Greece still operating under a temporary licensing regime.
Radio and television content must adhere to the general principles of the Constitution and there are further obligations concerning minors, rating of the programmes, advertising, pluralism and non-discrimination, etc. The Directives for Television without Frontiers were transposed into national legislation by PD109/2010.
There are no regulations specifying a basic package of programmes that must be carried by operators’ broadcasting distribution networks, the only exception being the obligation to broadcast a certain amount of "social" content. In particular, Greek legislation obliges radio and television content providers to broadcast "social content" spots (messages) free of charge for a specific period of time, calculated on a daily basis; these are messages that inform the public on public health, the facilitation of people with disabilities and of population groups in need of social protection, equal treatment, the fight against violence against women, the elimination of gender stereotypes and, generally, the removal of all forms of discrimination on the grounds of sex, racial or ethnic origin, religion or other beliefs, etc.
In the case of pay-TV, the agreements between programme administrators and the holders of a licence (the platform operator) must be approved by the National Broadcasting Council (ESR). Agreements on programmes already transmitted in public from a licensed free-to-air station in Greece or in another country are only notified and do not require approval.
Broadcast media advertising is regulated in accordance with Presidential Decree No 109/2010 and the Television without Frontiers Directives, which are fully implemented but are not applicable to online advertising. The latter is regulated by the general provisions of the legislation on e-commerce and consumer protection. Furthermore, the recently established Electronic Media Business Register aims at the registration of all online media on the website of the Ministry of Digital Policy. Only online media providers that are registered are eligible to receive state advertising.
The EU's current Audiovisual Media Services Directive 2010/13/EU (AVMS Directive), as transposed in Greece by PD 109/2010, governs the EU-wide co-ordination of national legislation on all audio-visual media, both traditional TV broadcasts and on-demand services. This framework has already been amended by Directive (EU) 2018/1808 (the revised Audiovisual Media Services Directive, AVMSD), in view of changing market realities.
The new Directive that is in force should be transposed by all member states by 19 September 2020.
Encryption is defined as the process of encoding a message or information in such a way that only authorised parties can access it and those who are not authorised cannot. Encryption does not itself prevent interference but denies the intelligible content to a would-be interceptor.
The European Commission published a series of official communications in 2017 on technical measures aimed at supporting the activities of member states on encryption and legislative proposals addressing encryption and access to data during criminal investigations, including a proposal for a Regulation on European Production and Preservation Orders for electronic evidence (“e-evidence”) in criminal matters and a proposal for a directive laying down harmonised rules on the appointment of legal representatives when gathering evidence in criminal proceedings.
Encryption is deemed to be the best way to protect data during transfer and one way to secure stored personal data, reducing the risk of abuse within a company, as access is limited to authorised people holding the right key. The GDPR recognises these risks when processing personal data and, in Article 32(1), places the responsibility on the controller and the processor to implement appropriate technical and organisational measures to secure personal data.
The GDPR does not mention specific encryption methods, but the definitions set out in information security standards such as ISO/IEC 27001 or other national IT-security guidelines are very useful in that respect. Encryption of personal data has additional benefits for controllers and/or processors. For example, the loss of a mobile storage medium holding personal data that is encrypted with state-of-the-art methods is not necessarily considered a data breach that must be reported to the data protection authorities. In addition, if there is a data breach, the authorities must take the use of encryption into account in their decision on whether a fine is imposed and in what amount, as per Article 83(2)(c) of the GDPR.
In Greece, encryption is required as a technical measure to enhance the protection of electronic communications operators against security incidents and violations of communications privacy (eg, Presidential Decree 39/2011, transposing Directive 2008/114/EC into Greek legislation).
Law 3674/2008 (on reinforcement of the institutional framework for the assurance of confidentiality in telephone communications and other provisions) provides for the possibility of imposing on telephony service providers an obligation to encrypt voice signals transmitted over physical media that are not under their own supervision, such as, in particular, fibre-optic and cable lines and links.
ADAE Decision 165/2011 sets out the purpose, scope and general requirements of an encryption policy (EP).
There are also specific encryption obligations in certain regulated industries (eg, banking and insurance). When a credit institution licence application is assessed for authorisation by the European Central Bank (ECB), Regulation (EU) No 575/2013 on prudential requirements for credit institutions and investment firms (amending Regulation (EU) No 648/2012) applies; it also governs "fintech bank" licence applications. Regulation 575/2013 is directly applicable in all EU member states, and fintech bank applicants must ensure that information is protected against disclosure to unauthorised users (data confidentiality), improper modification (data integrity) and loss of accessibility when needed (data availability), since data risk may materialise through the unauthorised alteration or loss of sensitive information or the disruption of services.
The Greek Independent Authority for Public Revenue (AADE), in its specifications for the Greek Government Bond Interest Record and the Interest of Foreign Securities record, requires the submitted file to be encrypted with a public-key algorithm using a PGP certificate (public key), and also recommends completing the data before encryption to facilitate the file transfer process.
The use of encryption does not exempt legal entities from otherwise applicable rules. In particular, a provider's compliance with the provisions described in the preceding paragraphs does not prevent the application of the existing legislation on confidentiality.