Data Protection Laws and Regulations in Greece

Data Protection Comparative Guide: 2024

Contributed by Drakopoulos.

What are the main data protection-related pieces of legislation and other regulations in Greece?

The legislation governing the protection of personal data in Greece focuses initially on the implementation of the General Data Protection Regulation (EU) 2016/679 (GDPR). Greek Law 4624/2019 transposed measures for the adaptation of national data protection legislation to the GDPR. It also incorporated Directive 2016/680/EU on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties, and on the free movement of such data.

Furthermore, regarding the protection of personal data and privacy in the electronic communications sector, Greek Law 3471/2006 embodies Directive 2002/58/EC as amended by Directive 2009/136/EC. Regarding the air carriers’ obligations with respect to passenger records, Greek Law 4579/2018 transposes into national law Directive 2016/681/EU on the use of passenger name record (PNR) data for the prevention, detection, investigation, and prosecution of terrorist offenses and serious crime.

In addition, Greek Law 5002/2022 governs the procedure for lifting the confidentiality of communications, cybersecurity, and the protection of citizens' personal data, while Greek Law 4577/2018, which transposes the NIS Directive (EU 2016/1148), imposes system and network security obligations on businesses in the fields of energy, transport, credit, financial infrastructure, health, water and digital infrastructure, e-commerce, and information society services.

What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?

The definitions specific to the Greek jurisdiction are those of the public body, the private body, and the competent supervisory authority. The first definition covers public authorities, independent and regulatory administrative authorities, legal persons governed by public law, first- and second-tier local authorities and their legal persons and undertakings, state or public undertakings and bodies, and legal persons governed by private law that are owned by the state, are subsidized by the state for at least 50% of their annual budget, or whose management is determined by the state.

The second definition applies to a natural or legal person or association of persons without legal personality that does not fall within the concept of a public body, while the third definition identifies the Hellenic Data Protection Authority as the supervisory authority.

Other than the above, Greek Law 4624/2019 reflects the definitions referred to in the GDPR.

Which entities fall under the data privacy regulations in Greece?

The provisions of the Greek Law 4624/2019 apply to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data that form part of a filing system or are intended to form part of a filing system by public bodies or private bodies, unless the processing is carried out by a natural person in the course of an exclusively personal or domestic activity.

Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?

As mentioned above, there are distinct regulatory regimes for data in the sectors of electronic communications, cybersecurity, air carriers’ obligations regarding passenger records, energy, transport, credit, financial infrastructure, health, water and digital infrastructure, e-commerce, and information society services, and public works, as well as for the identification of owners and users of mobile telephony equipment and services in the Greek jurisdiction.  

What rights do data subjects have under the data protection regulations in Greece?

Strengthening and setting out in detail the rights of data subjects and the obligations of those who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements, leads to the effective protection of personal data. By virtue of articles 35, 52, and 53 et seq. of Greek Law 4624/2019, the data subjects have the following rights:

  • The right to information/transparency, i.e., the right to know who is processing their data, what categories of data they are using, and why.
  • The right to access, i.e., the right to request access to the personal data that an organization has about them.
  • The right to rectification, i.e., the right to have the data rectified, if their data is inaccurate and/or incomplete.
  • The right to erasure (“right to be forgotten”), i.e., the right to have their personal data erased under specific conditions, such as when their data is no longer necessary, they have withdrawn their consent, their data has been unlawfully processed, etc.
  • The right to restriction of processing, i.e., the right to obtain restriction of processing where the accuracy of their personal data is contested, the processing is unlawful, the controller no longer needs the personal data for the purposes of the processing, or they have objected to automated processing.
  • The right to object, i.e., the right to object to the processing of their personal data by an organization; this right does not apply against a public body where there is an overriding public interest in the processing that outweighs the interests of the data subject, or where a provision of law requires the processing to be carried out.
  • The right to non-automated individual decision-making, i.e., the right to object where a decision is based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them.
  • The right to lodge a complaint with the Hellenic Data Protection Authority, if they believe that the processing of personal data concerning them by competent authorities for the purposes referred to in Article 43 infringes their rights.
  • In the context of criminal investigations and proceedings, the right to information on the processing, access, correction or deletion, and restriction of personal data are exercised in accordance with the provisions of the Code of Criminal Procedure, special procedural provisions, and the Code on the Organization of Courts and the Status of Judicial Officers.

What is the territorial application of the data privacy regime in your jurisdiction?

The provisions of Article 3 of Greek Law 4624/2019 on the territorial application of the data privacy regime apply to public bodies. For private bodies, Greek Law 4624/2019 applies where: (i) the controller or processor processes personal data within the Greek territory; (ii) the personal data are processed in the context of the activities of an establishment of the controller or processor within the Greek territory; or (iii) although the controller or processor does not have an establishment in a Member State of the European Union or in another Contracting State of the European Union, the personal data are processed in the context of the activities of an establishment of the controller or processor within the Greek territory.

What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?

Any processing of personal data should be carried out in accordance with the provisions of Greek Law 4624/2019 which, as mentioned above, transposes Regulation (EU) 2016/679 and Directive 2016/680/EU into Greek law. In particular, a controller and/or processor should comply with the key principles and factors such as transparency, the lawful basis for processing, purpose limitation, data minimization, proportionality, retention, accuracy, data security, and accountability.

What are the regulations and best practices concerning the retention and deletion of personal data in Greece?

The provisions of Greek Law 4624/2019 stipulate that personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be retained for longer periods of time if they have been stored for the purposes of scientific or historical research or for statistical purposes in the public’s interest and provided that the appropriate technical and organizational measures are applied.

Additionally, data subjects have the right to erasure in situations where: (i) the data are no longer needed for their original purpose; (ii) the data subject has withdrawn their consent for processing and no other lawful ground exists; (iii) the data subject exercises the right to object and the controller has no overriding grounds for continuing the processing; (iv) the data have been processed unlawfully; or (v) erasure is necessary for compliance with EU or national data protection law. Furthermore, Article 33 of Greek Law 4624/2019 stipulates that, if certain conditions are met, the erasure of the data may be replaced by the mere restriction of their processing.

Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?

The Hellenic Data Protection Authority (HDPA) is the Greek supervisory authority responsible for monitoring the application of Greek Law 4624/2019 and, more generally, the GDPR. It ensures compliance with data protection laws and regulations and publishes, from time to time, guidance, opinions, and decisions on information rights and data protection in Greece.

Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Greece, and under what conditions?

According to the provisions of Greek Law 4624/2019 and, in particular, Article 37, which fully implements the General Data Protection Regulation (EU) 2016/679, controllers and processors must appoint a Data Protection Officer (DPO), when:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • The core activities of the controller or the processor consist of (a) processing operations requiring regular and systematic monitoring of data subjects on a large scale and (b) processing on a large scale of special categories of data (such as health data or data revealing ethnic origin) or personal data relating to criminal convictions and offenses.

The mandatory appointment of a DPO for public authorities or bodies is also provided for in Article 6 of Greek Law 4624/2019. Businesses are free to appoint a DPO in cases where they are not legally obliged to do so. If an organization voluntarily appoints a DPO, the same requirements of the GDPR concerning their designation, position, and tasks apply as if the organization were required to appoint a DPO.

The DPO is responsible for advising the controller or processor on their obligations under the GDPR, monitoring compliance with the GDPR and the policies of the organization in relation to the protection of personal data, including assignment of responsibilities, awareness-raising, and training of relevant staff as well as acting as a point of contact for data subjects and the supervisory authority (HDPA).

How should data breaches be handled in your jurisdiction?

In the Greek jurisdiction, the handling of data breaches follows the procedures set out by the country's alignment with the GDPR. When a data breach occurs, namely a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, organizations should take immediate action to mitigate its impact and comply with their legal obligations.

Firstly, the organization must assess the nature and extent of the incident. This involves determining what data was compromised, how it happened, and the potential consequences for the individuals affected.

Then, the controller must, without undue delay and no later than 72 hours after having become aware of the breach, notify the HDPA, providing detailed information about the incident, including its causes, the types of data involved, and the number of individuals affected. A corresponding obligation applies to the processor, who must notify the controller promptly after becoming aware of the data breach. The notification should be clear and concise, detailing the nature of the breach, the categories of persons affected, the potential consequences, and any actions taken to address and mitigate the breach.

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to the data subject without undue delay and in accordance with Article 34 of GDPR. However, in certain circumstances and by virtue of Article 33(5) of Greek Law 4624/2019, the above obligation shall not apply to the extent that the notification would entail the disclosure of information that, according to the law or by reason of its nature, due to overriding legitimate interests of third parties, should remain confidential.

In short, the handling of data breaches in the Greek jurisdiction requires swift action, transparency, and compliance with GDPR requirements and national data protection laws. All organizations affected must take immediate steps to contain the breach and prevent further unauthorized access to or disclosure of personal data. This may include implementing security measures such as changing passwords, encrypting data, or temporarily shutting down affected systems. A thorough investigation may also be necessary to understand the root causes of the breach and identify any weaknesses in the company's data protection practices.

What are the potential penalties and fines for non-compliance with data protection regulations in Greece?

According to the accountability principle, failure to demonstrate compliance with the data protection regulations in Greece is considered a breach of the obligations set forth by the GDPR. According to Article 83 of the GDPR, failure of the organization to comply with the requirements provided in the data protection regulations in Greece may expose it to administrative fines of up to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such administrative fines may be imposed, in particular, for any breach of the basic principles of data processing, pursuant to Article 5 (Principles relating to processing of personal data), 6 (Lawfulness of processing), and 9 (Processing of special categories of personal data) of the GDPR, as well as of the data subjects’ rights pursuant to Articles 12 to 22 of the GDPR.

Moreover, failure to comply with the obligations under Articles 25 to 39 of the GDPR (on the Role and obligations of Controllers and Processors, Security of Personal Data, and Data Processing Impact Assessment) may expose the organization to administrative fines of up to EUR 10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Fines on public entities are limited by Article 39 of Greek Law 4624/2019 to up to EUR 10 million depending on the severity and duration of the breach.

Besides the above, civil claims against the entity and/or criminal sanctions against the entity's legal representative may also apply.

Are there any noticeable patterns or trends in how enforcement is carried out in Greece?

In Greece, the enforcement of data protection regulations has followed a pattern that aligns closely with the GDPR. Emphasis is given to transparency and accountability. Organizations operating in Greece are required to be transparent about their data processing activities and inform individuals about how they collect and use their personal data.

The HDPA is empowered to advise controllers and processors on data protection matters and to issue opinions, guidelines, recommendations, template documents, and complaint forms, ensuring adherence to the data protection legislation. It also has investigative powers to conduct investigations and audits on compliance with the data protection legislation, to request and receive from controllers and processors all necessary information, and to access their premises and data processing equipment.

Another trend is the increasing focus on data security measures. With the increasing number of data breaches globally, including in Greece, the HDPA has been vigilant in enforcing measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. Companies and organizations implement appropriate technical and organizational measures to safeguard the confidentiality, integrity, and availability of personal data.

Moreover, there is a trend toward collaboration and cooperation with other EU data protection authorities. Given the cross-border nature of data flows, especially within the EU, the Greek authorities work closely with their counterparts in other member states to ensure consistent enforcement of the data protection laws and to address the challenges posed by international data transfers.

Overall, data protection enforcement in Greece reflects a commitment to upholding individuals' privacy rights and holding organizations accountable for the protection of personal data. The trends suggest a proactive approach aimed at promoting compliance, enhancing data security, and fostering trust in the digital economy.

How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Greece?

Emerging technologies have significant implications for data protection considerations in Greece. For instance, AI technologies offer innovative ways to collect, process, and utilize data, but they also introduce new challenges and risks in ensuring the privacy and security of individuals’ personal information.

On July 27, 2022, the Greek Government introduced Greek Law 4961/2022 “on emerging information and communication technologies, the reinforcing of digital governance and other provisions”. Pending any changes due to the adoption of the AI Act by the European Union, the new law introduces the first coherent legislative framework for emerging technologies, setting obligations for public bodies as well as natural persons and private entities that produce, distribute, utilize, and make use of these technologies.

In order to regulate the use of emerging technologies, each public body must maintain a register of the AI systems it uses and may use AI systems only by virtue of a specific provision of law, with the exception of the Ministries of National Defense and Citizen Protection. Additionally, before using an AI system, each public body is obliged to carry out an algorithmic impact assessment to assess the risks that may arise for the rights, freedoms, and legitimate interests of the persons affected by that AI system. Each public body publicly discloses information, inter alia, about the commencement of operation and the operating parameters of the AI system under consideration, as well as the decisions taken or supported by it.

As regards private entities, Greek Law 4961/2022 sets the conditions for the use of AI in the employment context. In particular, prior to the initial use of an AI system that affects the decision-making process concerning employees, existing or prospective, and has an impact on their conditions of employment, selection, recruitment, or evaluation, each company shall provide the employee with the relevant information. The same obligation applies to digital platforms with respect to natural persons linked to them by employment contracts, independent service provisions, or project agreements. Any violation of this obligation is subject to penalties imposed by the Labor Inspectorate.

Moreover, Greek Law 4961/2022 imposes legal obligations on manufacturers, importers/distributors, and operators of IoT devices. More specifically, manufacturers should accompany IoT devices with a declaration of compliance with the technical safety specifications, indicated in the law, as well as instructions for use and safety information. Importers and distributors should verify that the IoT devices they import or distribute are accompanied by a relevant declaration of compliance, while IoT operators should appoint an IoT security officer to monitor the security measures of IoT technology devices and maintain a register of IoT devices, updated on an annual basis. Lastly, each IoT operator should conduct an impact assessment of the planned personal data processing operations related to the operation of the IoT technology device.

It should be clearly stated that the provisions of Greek Law 4961/2022 on emerging technologies do not affect the rights and obligations provided for in the GDPR and Greek Law 4624/2019 on the protection of personal data. To that end, a relevant reference has been included in Article 3, ensuring that the new provisions do not affect, in any way, the rights and obligations deriving from the GDPR and Greek Law 4624/2019 for the protection of personal data and privacy. To support oversight of the new technologies, the law also establishes the National Cybersecurity Certification Authority in accordance with Article 58 of Regulation (EU) 2019/881.

Overall, Greece can harness the potential of emerging technologies while safeguarding individuals' rights to data privacy and security. Greek Law 4961/2022 boosts the digital transformation of the country’s public and private sectors, while new regulations are expected upon adoption of the EU AI Act.

Are there any expected changes in data protection on the horizon in the next 12 months in Greece?

While there might not be imminent legislative changes specific to the Greek data protection landscape in the next 12 months, ongoing developments at the EU level, particularly with the adoption of the AI Act, are likely to have an impact on Greece as well. The importance of maintaining a proactive approach to data protection compliance should remain a key priority for businesses and stakeholders in Greece.


Guide Contributors for Greece

Michalis Kosmopoulos, Partner
mkosmopoulos@drakopoulos-law.com
+30 2106836561

Angie Alevizou, Senior Associate
aalevizou@drakopoulos-law.com
+30 2106836561