Data privacy in Greece is mainly regulated by:
- the EU General Data Protection Regulation (Regulation 2016/679);
- Law 4624/2019, which sets out implementation measures on the GDPR and integrates EU Directive 2016/680 into Greek law; and
- Law 3471/2006, which integrates EU Directive 2002/58/EC into Greek law.
The GDPR and Law 4624/2019 are supplemented by a web of other national laws that:
- regulate specific sectoral data protection/privacy issues;
- include specific provisions which require data controllers to process personal data in a specific way, enabling them to use the legal bases of Articles 6.1.c and/or 6.1.e of the GDPR; or
- provide for specific additional technical/organisational measures which must be applied to specific types of personal data processing.
Additionally, while they constitute guidance instruments and do not directly have legally binding effects, the opinions and instructions of the Hellenic Data Protection Authority (HDPA) provide invaluable insight on how the legal framework will be enforced in specific situations. The following HDPA instructions bear increased significance in the implementation of privacy law in Greece:
- Instruction 115/2001 on Data Protection in the Context of Employment;
- Instruction 01/2011 on the Use of Closed-Circuit Television (CCTV) Systems;
- Instruction 02/2011 on the Provision of Digital Consent for Data Processing through Cookies and Similar Technologies; and
- Guidelines 02/2020 and 01/2021 on Data Protection in the Context of Remote Working.
Several special regimes apply in specific sectors. Perhaps the most influential of these regimes is Law 3471/2006, which:
- introduces specific requirements and obligations for personal data processing in the telecommunications sector; and
- specifies additional requirements for:
  - the legal processing of data through cookies and similar technologies; and
  - the processing of data for purposes of direct marketing communications through telephone, emails, and other digital means.
Additionally, in some cases, data processing rules in specific market sectors might be affected by sectoral codes of conduct which have been passed into law or special legal and regulatory regimes that apply to specific professions. Examples of specific sectors which are affected by such legislation include:
- banking;
- stock exchanges and brokers;
- insurance; and
- legal services.
Lastly, there are provisions in certain statutes which may provide for a special legal basis or additional data protection requirements for certain processing activities. For example, such provisions are included in:
- Law 3850/2010 for the Protection of Employees’ Health and Safety, which governs the competencies and obligations of occupational doctors;
- Law 4727/2020 on Digital Governance, which also contains provisions on access to open data; and
- Article 5 of the Code of Administrative Procedure (Law 2690/1999), which regulates access to public and private documents in the filing systems of Greek public bodies.
Greece is a signatory to the Council of Europe’s Convention 108+ for the protection of individuals with regard to the processing of personal data. Although most of the convention’s provisions are already deeply embedded in EU and Greek law, the convention itself still stands as the only legally binding international convention on data protection.
The Greek data privacy regime is also affected by any bilateral agreements which have been signed between the European Union and third countries, whose execution might require the processing of personal data. Examples of such bilateral agreements include:
- the passenger name record (PNR) bilateral agreements between the European Union and Australia, as well as between the European Union and the United States; and
- the bilateral mutual legal assistance agreements which the European Union has concluded with the United States, Japan, Iceland and Norway.
The following bodies are responsible for the enforcement of data privacy legislation in Greece:
- the HDPA;
- the administrative courts;
- the civil courts; and
- the criminal courts.
The competences and powers of each body, in terms of enforcement, are as follows.
HDPA: The HDPA is tasked, among other things, with:
- supervising and enforcing the application of national and EU personal data protection law in Greece;
- promoting public awareness of personal data protection and privacy;
- providing advice and guidance to Parliament and other public bodies about personal data protection;
- conducting investigations into potential breaches of data protection law;
- adopting and reviewing all relevant instruments which are provided for by the GDPR (standard contractual clauses, binding corporate rules, codes of conduct); and
- handling data protection complaints filed by data subjects.
It possesses investigative, advisory and corrective powers. Its corrective powers include:
- issuing a warning or reprimand;
- ordering the data controller or processor to cease data processing within Greece; and
- imposing a ban or a fine of up to €20 million or, in the case of an undertaking, 4% of the data controller’s or processor’s total worldwide annual turnover in the preceding financial year.
Administrative courts: The administrative courts are tasked with examining appeals against decisions of the HDPA.
Civil courts: The civil courts examine civil data protection lawsuits and claims, filed under Article 79 of the GDPR and Article 40 of Law 4624/2019.
Criminal courts: The criminal courts examine criminal data protection cases brought before them under Article 38 of Law 4624/2019.
Best practices, as outlined in question 1.1, play an important role in the day-to-day application of data protection and privacy laws in Greece. These best practices usually come in the form of:
- instructions, guidance and opinions of the HDPA; and
- guidelines of the European Data Protection Board.
The HDPA, to date, has not approved any additional tools provided by the GDPR, such as codes of conduct, certification schemes or binding corporate rules. However, several sectoral codes of conduct – such as the code of conduct for the insurance sector and the code of conduct for personal data processing by attorneys and law firms – are currently under review by the HDPA.
Industry standards play a limited role in data protection compliance in Greece – mainly due to:
- confusion as to which specific standard would prove more effective in demonstrating a company’s or organisation’s compliance; and
- the lack of sufficient case law on this issue to date.
However, many players in the market adhere to the ISO 27000 family of standards and the BS 10012 standard as proof of compliance with the GDPR obligation to establish technical measures for the protection of personal data.
Lastly, on the 20th of October 2022, the Europrivacy Certification was the first Privacy Seal to be recognised by the European Data Protection Board pursuant to Article 42.5 GDPR. It is still too early to assess the impact of this Certification in Greece, but it is highly probable that it will play an influential role in terms of compliance.
Any entity – whether a private or public company and/or organisation – which processes personal data within Greek territory falls within the scope of the Greek data privacy/data protection framework. The material scope of the framework extends to:
- the processing of personal data wholly or partly by automated means; and
- the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
Since the term ‘filing system’ is interpreted extremely widely, most personal data processing activities in Greece fall within the scope of Greek data protection law.
Instances where the scope of the framework extends beyond the territory of Greece are discussed in question 2.3.
The following exemptions from the data protection/privacy regime apply in Greece.
Household exemption: Greek data protection law does not apply to the processing of personal data in the course of purely personal or household activities. However, both EU and Greek case law have adopted a narrow definition of ‘personal and/or household activities’; as such, this exemption may be relied upon only in specific instances. For example, sharing or resharing a picture which was shot in a private setting on social media – especially publicly, but in some cases even within a private group – does not always fall within the exemption.
Partial exemptions for processing for journalistic, academic or artistic purposes: Article 28 of Law 4624/2019 introduces a partial exemption from some provisions of the data protection regime for specific processing activities which take place for journalistic, academic or artistic purposes. The exemption spans the application of Chapters II, III, IV, V, VII, and IX of the General Data Protection Regulation (GDPR), except for Articles 5, 28, 29, and 32. This exemption is valid only to the extent that the processing of a data subject’s personal data, and the violation of his or her corresponding rights to the protection of such data, is necessary to safeguard the rights of freedom of expression and access to information. As such, a strict proportionality assessment must be conducted, on an ad hoc basis, to ensure that this exemption applies to a specific processing activity.
The Greek data protection regime extends to controllers and processors of personal data globally, regardless of whether they are established within Greece or the European Union, where such controllers or processors carry out processing activities related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to data subjects in Greece; or
- the monitoring of data subjects’ behaviour, insofar as their behaviour takes place in Greece.
(a) Personal Data processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(b) Data processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
(c) Data controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
(d) Data subject
The natural person to whom the personal data relates.
(e) Personal data
Information relating to an identified or identifiable natural person. An ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(f) Special categories of personal data
- Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- Genetic data;
- Biometric data;
- Data concerning health; and
- Data concerning sex life or sexual orientation.
(g) Consent
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, through a statement or through a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed.
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or dactyloscopic data.
Profiling: Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Data protection impact assessment (DPIA): An assessment of the impact of the envisaged processing operations on the protection of personal data, which must be carried out by the data controller when a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
Employee: Any person occupied, under any employment relationship or work contract or contract for the provision of services, by public and/or private sector entities, regardless of the integrity of any such contracts, as well as candidate employees and ex-employees.
Transfers to third countries or international organisations: Any transfer of personal data whose recipient is located or established outside the European Economic Area.
No such obligation exists under Greek law.
No such obligation exists under Greek law.
No such obligation exists under Greek law.
Most categories of personal data can be processed under the following legal bases:
- The data subject has consented to the specific processing purposes;
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- The processing is necessary for compliance with a legal obligation to which the data controller is subject. This basis may be used only if the legal obligation derives from EU or member state law;
- The processing is necessary to protect the vital interests of the data subject or of another natural person;
- The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, which derives directly from EU or member state law; or
- The processing is necessary to safeguard a specific legitimate interest of the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The processing of special categories of personal data is generally prohibited. Such data can only be processed if the data controller establishes the co-existence of:
- at least one of the abovementioned legal bases; and
- one of the derogations established by Article 9.2 of the EU General Data Protection Regulation (GDPR) (eg, explicit consent, execution of employment or social security legal obligations, exercise/defence of legal claims, substantial public interest, preventive and occupational medicine).
The key principles of EU law apply directly in Greece. As such, the following principles will apply to any personal data processing within Greece:
- Lawfulness, fairness and transparency: Personal data must be processed lawfully, fairly and transparently in relation to the data subject. To this end, obligations for the provision of information to the data subjects are in place.
- Purpose limitation: Personal data must be collected for specified, explicit and legitimate purposes, and must not be processed further in a manner that is incompatible with those purposes.
- Data minimisation: The personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date; and every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
- Storage limitation: Personal data must be kept in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the personal data is processed.
- Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organisational measures.
- Accountability: It is the data controller’s responsibility to be able to demonstrate compliance with the above principles. To this end, several optional and obligatory record-keeping and accountability tools are in place (eg, records of processing activities, data protection impact assessments).
- Increased importance will be given to compliance with the principles of data protection by design and by default (Article 25 of the GDPR). This requires controllers to ensure that, both during the design and during the implementation phase of any processing activity, technical and organisational measures are in place that are designed to practically implement data protection principles and to ensure that – by default – only personal data necessary for each specific purpose of the processing is processed. To this end, it is imperative – especially when designing new products, services and software – for controllers to ensure that data protection advice is available and data protection by design and by default is taken into account.
- As a continual increase in personal data breaches has been observed in the last few years, it is important for data controllers and processors to constantly update and evaluate their technical and organisational measures in accordance with Article 32 of the GDPR.
- Valid consent from minors for the processing of their personal data by information society services can be obtained directly from them only when they are at least 15 years old.
- Greek law completely prohibits the processing of genetic data for life and health insurance purposes.
- Under Greek law, the processing of employees’ personal data falls within the scope of the data protection rules, even when the processed data is not a part of, or intended to form a part of, a filing system. In such cases, Greek law is stricter than EU law, since it even extends to oral communications.
The basic requirement for a transfer of data to a third party to take place is that the transfer is completed in a way which respects all the data protection principles, mentioned in question 5.2.
Where the third party is located in Greece or the European Union, the main requirements are as follows:
- A legal basis for the transfer was identified before the data was collected by the disclosing party; and
- The data subjects were informed of the transfer, as per Articles 12–14 of the General Data Protection Regulation (GDPR).
However, if a transfer was not foreseen or intended when the data was initially collected, an assessment of whether such a transfer is allowed must be made against the criteria set out in Article 6.4 of the GDPR.
Where the third party is located or established in a third country or in an international organisation, additional restrictions apply to the transfer (see question 6.2).
If the transfer’s recipient is located or established outside the European Economic Area or is an international organisation, additional requirements apply on top of those mentioned in question 6.1.
More specifically, such transfers may only be legal:
- if at least one of the transfer tools, described in Articles 45–49 of the GDPR, is in place; and
- in specific transfer scenarios, if additional safeguards have been introduced to ensure that the transferred personal data will be subject to an equivalent level of protection once the data transfer is concluded.
The fastest route to ensure that a third country data transfer is legal is to use an existing adequacy decision of the European Commission for the specific destination country. However, since such adequacy decisions have currently been issued only for 14 countries, most data controllers will need to use other transfer mechanisms to ensure the legality of the transfer.
It may be inferred from the above that the requirements and options available to the disclosing entity may vary greatly, depending on the transfer’s destination. After the Schrems II decision of the Court of Justice of the European Union (C-311/18), especially strict restrictions apply to data transfers from Greece/the European Union to the United States.
Due to the abovementioned framework – and in line with the Schrems II decision, the latest European Data Protection Board guidelines on the subject and the principle of accountability – it is imperative for data controllers to carry out a transfer impact assessment (TIA) to assess the legality of a transfer to third countries without an active adequacy decision.
- Consider informing data subjects, at the time of data collection, of all foreseeable data transfers that your company or organisation usually performs during its day-to-day functioning. This approach will allow you to comply with transparency obligations and saves time which would otherwise be spent informing data subjects about ad hoc data transfers.
- Always examine ad hoc/unforeseen data transfer requests under the scope of the principle of proportionality. If the purposes for which the transfer is sought can be achieved by transferring less data or anonymised/statistical data, this is the type of data that should be transferred.
- Even where the legality of a transfer has been examined and ascertained, do not forget to ensure the application of technical and organisational measures (eg, encryption) to ensure that the transferred personal data will exclusively reach the intended recipient.
- When designing new tech projects or global projects, or contemplating the possibility of expanding your activities to new jurisdictions outside Greece and the European Union which would require regular transfers of personal data to those jurisdictions, ensure that a TIA containing an assessment of the data protection regimes of the target jurisdictions has been carried out before you finalise your decisions on the issue. This approach both ensures the protection of your organisation’s personal data and potentially drastically reduces compliance expenses for your organisation down the line.
- Right to be informed: Data subjects must be informed about the processing information, listed in Articles 12–14 of the EU General Data Protection Regulation (GDPR).
- Right to access personal data: Data subjects may:
  - request confirmation as to whether data concerning them is being processed;
  - access information about the related processing activities; and
  - access a copy of the data.
- Right to the rectification of inaccurate or outdated data.
- Right to erasure/right to be forgotten: Data subjects may, under specific circumstances, request that their data be irrevocably erased.
- Right to restriction of processing.
- Right to object to the processing of personal data: This may be invoked only if:
  - the data processing takes place under the legal basis of pursuance of legitimate or public interest; and
  - the request is based on grounds relating to the data subject’s particular situation.
- Right to portability: This can only be validly exercised for automated processing activities which take place under the legal basis of consent or the execution of a contract.
- Right to withdraw consent.
- Right not to be subject to automated decision making.
All restrictions of the abovementioned rights, which are provided by the GDPR, also apply in Greece. Law 4624/2019 provides for some additional ‘national’ restrictions; however, the Hellenic Data Protection Authority (HDPA), through Opinion 01/2020, has expressed its doubts as to the legality and applicability of these national restrictions.
Unlike in other jurisdictions, the HDPA’s recent case law establishes that, in Greece, requests may not be deemed excessive solely on the basis that the real purpose behind the data subject’s request was not exclusively data privacy related.
Data subjects may choose to exercise their rights in Greece through their preferred channel and/or communication methods. This means that data controllers may choose to establish official channels to attempt to streamline data subject requests; but this does not release the controller from its responsibility to establish efficient organisational measures which will allow it to monitor all incoming communication channels for such requests.
Recently, a large Greek retail group and a Greek bank were fined by the HDPA for their lack of such organisational measures (Decision 36/2021).
Data subjects may:
- lodge a complaint with the HDPA; or
- file legal proceedings in the civil courts to request the imposition of judicial remedies against the controller and/or compensation for material and/or non-material damages which the data subject has suffered.
Denial, delayed response and mishandling of various types of data subject right requests are among the most common reasons for the imposition of administrative fines by the HDPA.
- For public authorities and public bodies in Greece, the appointment of a data protection officer (DPO) is mandatory.
- The appointment of a DPO is mandatory for private entities only where the requirements of Article 37 of the General Data Protection Regulation (GDPR) are met – that is, where:
  - the core activities of the data controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  - the core activities of the data controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
- Failure to appoint a DPO, where the relevant legal obligation exists, constitutes an independent infringement of data protection legislation and may lead to administrative fines of up to €10 million or, in case of an undertaking, up to 2% of its total worldwide annual turnover. The data controller/processor may also be liable to compensate, following a civil law procedure, the data subjects for any material or non-material damages that they suffered due to the data controller’s/processor’s failure to appoint a DPO.
The DPO should possess all necessary professional qualities to fulfil the tasks and responsibilities mentioned in Article 39 of the GDPR (and question 8.3).
In practice, the DPO should, at minimum, have expert and specific knowledge of the GDPR, Law 4624/2019 and all the supportive and complementary Greek data privacy laws. Additionally, knowledge of other Greek and EU laws which may affect the data controller’s implementation of the data protection legislation must be considered a strong asset.
Knowledge of and experience with the state of the art and international standards/best practices for information security, as well as tech savviness and experience with the data controller’s/processor’s market sector, may also be considered to be qualifications of a good DPO.
Once appointed, data controllers/processors must ensure that the DPO is:
- involved properly and in a timely manner in all data protection issues;
- able to operate independently, without receiving any instruction regarding the exercise of his or her tasks;
- provided with all resources necessary to carry out his or her tasks; and
- available to data subjects.
- To inform and advise the data controller or processor and employees who carry out processing of their obligations pursuant to the Greek and EU data protection legal framework;
- To monitor compliance with the GDPR, Law 4624/2019 and other data protection provisions, and with the policies/procedures of the controller or processor in relation to the protection of personal data, including:
  - the assignment of responsibilities;
  - awareness raising and training of staff involved in processing operations; and
  - the performance of related audits;
- To advise on data protection impact assessments (DPIAs) and monitor their performance, pursuant to Article 35 of the GDPR;
- To cooperate with the supervisory authority (the Hellenic Data Protection Authority (HDPA));
- To act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and to consult, where appropriate, with regard to any other matter; and
- To act as a contact point with data subjects.
Yes, the role of the DPO can be outsourced in Greece. There are no official requirements for the outsourcing of this role.
However, the proper documentation on the appointment and the signing of a written outsourcing agreement, which will also regulate data processing issues, are de facto mandatory.
To ensure the data controller’s or processor’s compliance with its obligations to provide the DPO with independence and not to dismiss or penalise him or her for performing his or her tasks, the contract period of the external DPO contract cannot be too short. To this end, it is suggested that the initial term of an external DPO contract should be a minimum of one or two years; if the contract is extended, it is suggested that the term of the extended contract – and all further extensions – be three years at minimum.
Due to the prevalence of the principle of accountability within the Greek data protection regime, several formal and informal recordkeeping and documentation requirements are in place. More specifically, data controllers and processors are often required, among other things, to:
- develop and maintain a record of processing activities;
- document and keep updated versions of DPIAs;
- document a comprehensive list of the technical and organisational measures applicable in the organisation;
- keep records of data breach notifications to the HDPA and communications to the data subjects;
- maintain internal reports for the handling of potential data breaches;
- develop a system of written data protection policies/procedures; and
- store copies of all data protection notices and consent forms used, as well as older versions of such documents which were used by the data controller or processor in the past.
The DPO should be free of conflicts of interest in the performance of his or her tasks – especially in light of other roles or responsibilities that he or she might be performing on behalf of the data controller or processor. This means, in particular, that the DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data. Due to the specific organisational structure in each organisation, this must be considered on a case-by-case basis.
This restriction should be seriously considered by data controllers and processors, since non-compliance has already led to the imposition of several fines by European data protection authorities. For example:
- the Belgian DPA imposed a €75,000 fine on a bank because its appointed DPO was also acting as head of risk management, information risk management departments and special investigation unit; and
- Berlin’s data protection authority imposed a €525,000 fine on the subsidiary of a Berlin-based retail group because the appointed DPO was monitoring decisions he had made in his capacity as the managing director of two service companies under the same group, which processed personal data on behalf of the company for which he was a DPO.
In general, the positions that typically conflict with the role of the DPO include:
- senior management positions;
- chief executive officer;
- chief operating officer;
- chief financial officer;
- chief medical officer;
- heads of departments; and
- other roles lower down in the organisational structure which determine the purposes and means of data processing.
Article 32 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to:
- implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented to the rights and freedoms of the data subjects by the data processing; and
- protect against the accidental or unlawful destruction, loss or alteration of, and unauthorised disclosure of or access to, personal data.
The GDPR provides examples of some such measures, such as:
- the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
However, this list is not exhaustive and there is no ‘one size fits all’ approach to compliance with these obligations. Technical and organisational measures can vary widely and must be determined on an ad hoc basis, in cooperation with the DPO and other expert consultants.
Data controllers and processors are also under an obligation to constantly assess and re-evaluate the effectiveness of the implemented measures. To comply with these obligations, and with the principle of accountability, organisations may choose to implement methods such as recurring audits and awareness training, as well as the drafting of ad hoc legal and technical opinions on new processing activities.
A data controller must notify the Hellenic Data Protection Authority (HDPA) of a data breach when the breach is likely to present any level of risk for the rights and freedoms of natural persons.
Notification must be provided within 72 hours of the controller becoming aware of the data breach. If a data processor becomes aware of a breach, it is under a legal obligation to notify the controller without delay.
Notifications to the HDPA must at minimum:
- describe the nature of the personal data breach, including, where possible:
  - the categories and approximate number of data subjects concerned; and
  - the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer (DPO) or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The data controller must communicate, without undue delay, with the affected data subjects about a data breach if the breach is likely to result in a high risk to their rights and freedoms.
Such communications aim to provide the data subjects with knowledge and information that will allow them to reduce the potential risks and implications that the breach could have on their rights and freedoms.
Such communications must be drafted in a clear and precise language and must, at minimum:
- describe the nature of the personal data breach;
- communicate the name and contact details of the DPO or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the data controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects; and
- describe any additional proposed measures which could be taken by the data subjects to further contain the risks created by the breach.
Communications to the data subjects are not required if:
- the data controller has implemented appropriate measures to render the affected personal data unintelligible to any person not authorised to access it;
- the data controller has already taken subsequent measures to ensure that the high risk of the breach is no longer likely to materialise; or
- it would involve disproportionate effort to issue individual communications. In this case, the data controller can inform the data subjects through a public communication.
- Providers of publicly available communication services are subject to more specific/stricter notification and communication obligations under Law 3471/2006.
- The 72-hour deadline to notify the HDPA begins from the moment that the data controller becomes aware of the breach. According to WP29’s guidelines on data breaches, the controller becomes ‘aware’ of the breach when the controller “has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”.
- The handling of all security incidents, regardless of whether they were personal data breaches or not, must be documented by the controller, in compliance with the principle of accountability.
- Data controllers are obliged to have technical and organisational measures in place to ensure the timely detection and management of data breaches. Thus, it is recommended that internal policies and procedures for the identification and management of potential data breaches be introduced and that a data breach response team – comprised of the DPO and legal, cybersecurity and forensic experts – be established.
In general, the Hellenic Data Protection Authority (HDPA) and the Greek courts take a strict approach to the implementation of data protection rules in the workplace environment. This is mostly explained by the increased need for protection of employees’ rights and freedoms in the workspace due to:
- the power imbalance between employees and employers; and
- the fact that new technologies allow employers to access increasingly invasive tools for the surveillance of employees.
The specific rules applicable to employment relationships are extensive and cannot be completely covered within this Q&A. However, the main compliance issues include the following:
- The legal basis of employee consent should be avoided if possible, since it usually cannot be considered to be freely given and valid, due to the imbalance of power between employer and employee.
- Under Greek law, the legal basis of the performance of the employment contract can only be used for tasks which are absolutely necessary for the performance of the contract. Data processing for auxiliary tasks which are not a core part of the employment contract should be performed under a different legal basis.
- Special rules on closed-circuit television (CCTV) are in place (see also question 10.2).
- Data loss prevention systems (DLP) may only be used once a data protection impact assessment (DPIA) has been carried out to assess whether the system involves disproportionate surveillance.
- Candidate employee data may only be retained for short periods (eg, six months under the original legal basis and a further year with the consent of the data subject).
The surveillance of employees is strictly forbidden in Greece. To this end, rules governing specific processing activities have been introduced through the HDPA’s opinions and guidance and the case law of the courts. Examples include the following:
- CCTV: CCTV systems may only be used in the workplace for the purpose of protecting people and property. CCTV surveillance of workstations, corridors, eating spaces and toilets is strictly prohibited. If an employer believes that there are special circumstances allowing it to circumvent these rules, a strict proportionality analysis must be carried out, as part of a DPIA, before the CCTV system is used.
- Access to emails of former employees: Access to emails of former employees is allowed only when absolutely necessary for reasons of business continuity or for the support and defence of the data controller’s legal claims. Even then, a proportionality assessment of whether such access is necessary must be carried out based on the specific role or position of the employees. A strict requirement for the legality of former employee email access is the prior notification of the employee about the possibility of the abovementioned email access by the employer and the reasoning behind it; this notification must take place before the employee begins using his or her corporate account.
- DLP: The use of DLP systems for employee surveillance purposes is strictly prohibited.
- In general, increased transparency is expected from the employer in terms of data processing activities at work.
- Health data must almost exclusively be handled by the occupational doctor.
- Given the sensitive nature of data subjects/employees, the employer is often obliged to conduct a DPIA whenever new technological or organisational measures and procedures that affect employees will be introduced in its day-to-day functioning. Examples of such processing purposes/activities may include:
  - remote working;
  - a change in corporate electronic infrastructure used by employees; or
  - the implementation of COVID-19-related policies.
- Greek labour law provides for the notification of, and discussion with, employee councils in relation to several employment issues which may have data protection implications.
- Due to the sensitive nature of the relationship, it is recommended that employers – and their data protection officers – thoroughly document the decision-making process behind data protection decisions that affect employees, for accountability reasons.
The use of cookies and similar technologies is allowed, regardless of whether cookies process personal data, only once the user has provided his or her explicit consent to their use.
The sole exception to this rule is the use of cookies which are strictly necessary for the operation of the website and its main functions. According to the guidance of the Hellenic Data Protection Authority, the following categories of cookies constitute ‘strictly necessary’ cookies:
- security cookies used for the protection of users;
- cookies used for load balancing;
- cookies used to recognise and store the user’s choices during a specific session and provide a smooth session user experience;
- cookies used for authentication; and
- cookies which store a user’s interface choices (eg, choice of language).
Analytics, advertising and marketing cookies do not constitute strictly necessary cookies and explicit user consent is required for their use.
In general, transparent and coherent information about each cookie must be provided to the user before he or she decides to accept or decline the use of specific cookies. The user’s consent must be given by a positive action of the user. ‘Pre-ticked’ consent boxes and UI choices which attempt to prejudice the user towards accepting the use of all or some cookies are considered ‘dark patterns’ and non-compliant.
No specific restrictions apply to cloud computing services in Greece.
However, some basic requirements to use such services include the following:
- As most cloud service providers will be functioning as data processors on behalf of your organisation (the data controller), it is important for a proper data processing agreement, containing at minimum the terms mentioned in Article 28 of the General Data Protection Regulation, to be in place between the two parties.
- It is also common for cloud providers to have increased negotiation power compared to the data controller. This does not release the controller from its obligation to ensure that its chosen data processors comply with their data protection obligations. To achieve compliance, the controller must always attempt to conduct due diligence between competing cloud service providers and only choose those that offer appropriate technical and contractual guarantees for the protection of personal data.
- Since most cloud service providers are established outside the European Union (primarily in the United States) and strict restrictions apply to the transfer of data to US-based cloud providers (see question 6.2), it is advisable to perform a transfer impact assessment before choosing to use a non-EU cloud service provider.
- The use of cloud services which integrate advanced and pioneering technologies in combination with large-scale data processing or the processing of sensitive or special categories of personal data may require the data controller to conduct a data protection impact assessment.
Additional rules apply to the transmission of marketing messages through SMS, email and similar communication methods (eg, over-the-top communications apps such as Viber and WhatsApp). More specifically, marketing communications cannot be sent to a user’s email, phone or communication app, unless:
- the data controller has obtained the user’s prior consent to receive such marketing communications; or
- the recipient’s contact information was obtained legally in the context of a previous similar transaction between the sender and the recipient (ie, a previous sale of similar products/services).
Additionally, all marketing communications must be accompanied by:
- information on the identity and contact details of the sender; and
- a mechanism which allows the recipient to easily and efficiently object to receiving further communications from the sender, available after each message.
Most data privacy disputes are typically heard before the Hellenic Data Protection Authority (HDPA). The second relevant forum is the civil courts.
Disputes may involve any data privacy issue. However, in recent years, there has been a considerable increase in disputes relating to:
- the mishandling of personal data of employees;
- denial or mishandling of data subject rights requests;
- the processing of data without or with an incorrect legal basis; and
- data breach incidents.
The use of alternative/extra-judicial dispute resolution methods is not that common in Greece. As a result, most data protection disputes in Greece are resolved by decision of the HDPA or the competent courts.
Several decisions of note have been issued during the last 12 months. The following examples made headlines in Greece due to the size of the fines imposed.
Hellenic Data Protection Authority (HDPA) Decision 4/2022: A €9 million fine was imposed on one of the biggest telecommunications groups in the Greek market. Interestingly, the HDPA’s investigation in this case began as a result of a data breach notification. The HDPA considered the group’s response to the data breach sufficient. However, the HDPA decided to investigate further into the internal decisions, policies and procedures that had led to the data breach and identified multiple violations of data privacy law which took place during the telecommunications group’s handling of location and traffic data from user devices.
The HDPA found violations such as:
- the lack of a sufficient legal basis for the data processing;
- failure to conduct a data protection impact assessment;
- failure to provide sufficiently transparent information to data subjects; and
- insufficient anonymisation and technical measures in general.
The HDPA considered that the lack of sufficient organisational and contractual measures to ensure that the data processing roles within the corporate group were transparent led to uncertainty as to the extent of each company’s liability for the violations. As a result, the HDPA imposed fines on both companies for their respective involvement.
HDPA Decision 35/2022: In a case brought by a civil society organisation, the HDPA imposed a €20 million fine on Clearview AI, a US-based company offering face recognition identification services based on more than 20 billion scraped pictures from the Internet. In addition to the fine, the HDPA banned Clearview from collecting and processing personal data in Greece and ordered it to delete all personal data of Greek data subjects.
With each passing year, we have noticed both:
- heightened enforcement action on the part of the Hellenic Data Protection Authority (HDPA); and
- an increase in the number of data protection civil lawsuits being filed by individuals, mostly due to growing awareness of personal data protection rights within Greek society.
We believe that this trend will continue and an increasing number of decisions will be issued, by the regulator and the courts, in 2022 and 2023.
The HDPA has issued several decisions based around the mishandling of data subject requests. We foresee that this trend will continue to gain traction and we strongly recommend that data controllers and processors ensure that proper communication channels and training for the handling of such requests are in place.
Another key issue is the lack of HDPA decisions on violations relating to international data transfers. Although this has been the centre of attention for several data protection authorities across the European Union, since the Schrems II decision, the HDPA has de facto given controllers and processors a grace period on this issue until today. This approach might be explained by the complexities involved with complying with the Schrems II ruling. However, we believe that in the next 12 months, the HDPA will change this approach and decisions on international transfer violations will begin to emerge. Thus, it is imperative for organisations to ensure that their international data transfers are compliant.
- Trap: Data controllers that plan to carry out processing activities in Greece must be conscious of the fact that the Hellenic Data Protection Authority (HDPA) expects them to use only one legal basis for each processing purpose. This means that – contrary to what may apply in other EU countries – a controller may not legally use more than one legal basis (eg, both the performance of a contract and its legitimate interest) for the same processing purpose.
- Tip: Proper response to data subjects’ requests is currently one of the most active enforcement areas for the HDPA. Data controllers must ensure that proper communication channels and employee training are in place to ensure proper management of data subjects’ requests. Timely response to such requests (ie, within one month of receipt) also falls within the definition of ‘proper management’.
- Tip: Controllers must be especially careful when using the legal basis of consent or legitimate interest in situations where there is an imbalance of power between them and the data subject (eg, employment relationships, public authorities interacting with citizens or even companies with significant market power when interacting with their users). In most such situations, consent will not be considered to be freely given and the use of legitimate interest may not be proportionate; a legitimate interest assessment (LIA) may thus need to be carried out.
- Tip: Accountability, accountability, accountability! Make sure that all your assessments (eg, data protection impact assessments, LIAs, transfer impact assessments), policies, audits, investigations and the reasoning behind tough privacy decisions are fully documented and available to you. By following this approach, you can both:
  - ensure the continuity of your privacy/data protection programme, regardless of who is currently running it; and
  - be in a position to constantly prove your compliance with the relevant legislation to the competent authorities.