Data Protection Law in Greece

Greece is a member state of the Council of Europe, having therefore implemented the CoE 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data into Greek law (see Act no. 2068/1992).

According to article 9 of the Greek Constitution the privacy and family life are recognised as inviolable rights. In addition, article 9A of the Constitution stipulates that everybody in the jurisdiction of the Greek state has the right to be protected from the collection, processing and use of their personal data, especially by electronic means, as this protection is specified under the law.

The main law governing the general protection of personal data is the Act no. 2472/1997 (GG 50/A/10-04-1997), which transposed Directive 95/46/EC into Greek law. The Act stipulates the basic conditions, under which the collection and processing of personal data are legitimate. Relevant to electronic communications are the Act’s general provisions on the obligation of prior notification to the Data Protection Authority (DPA) by controllers of personal data, on the obligation to acquire a permit by the DPA when the collection and processing of sensitive data are involved, on the interconnection of data files, on transborder data flows, on the confidentiality and security of personal data processing and on the data subject’s rights to be informed, to access their personal data and to object on their collection and processing.

More specific legal provisions are included in the Act no. 3471/2006 regarding the protection of personal data in electronic communications, which transposed Directives 2002/58/EC and 2009/136/EC (GG 133/A/28-06-2006), and in the Act no. 3917/2011 regarding data retention, which transposed Directive 2006/24/EC (GG 22/A/21-02-2011). The most important provisions of the Act no. 3471/2006 refer to the confidentiality, security and processing rules of personal data in electronic communications, to traffic and location data and to unsolicited communications. In addition, the Act no. 3917/2011 stipulates the conditions, under which publicly available electronic communication network/service providers (voice telephony, e-mail, internet access) are obliged to retain traffic and location data of their users’ communications and give access to such data to competent authorities under the legitimate procedure of lawful interception.

Finally, providers of mobile telephony services are obliged under the Act no. 3783/2009 (GG 136/A/07-07-2009) to collect and store identification data of their subscribers for national security reasons and for the investigation and prosecution of particularly serious crimes.

Scope

Personal data is considered to be any piece of information relating to an identified or identifiable individual. Statistical data do not qualify as personal data, even if they include data relating to individuals, as long they are truly anonymised (see article 2α of the Act no. 2472/1997 or General Data Protection Act – GDPA, GG 50/A/10-04-1997). Sensitive personal data is any piece of information concerning racial or national origin, political ideology, religious or philosophical beliefs, participation in labor or trade unions, health condition, social care, sexual life, criminal charges and sanctions, participation in groups of people involved in the above matters (see article 2β of the GDPA).

Any processing of personal data, either by automatic means or by non – automatic means but through the formation of a structured file, accessible on the basis of certain criteria, such as collecting, recording, organising, preserving or storing, modifying, retrieving, using, disclosing by transmission, disseminating or otherwise making available, correlating or combining, interconnecting, blocking (locking), erasing or destructing, comes under the regulation of data protection law (see article 2δ and ε of the GDPA).

Data Controller / Data Processor Relationship

Any natural or legal person, public authority, agency or any other organisation, which either alone or jointly with others determines the purpose and means of the processing of personal data, shall be held responsible under the law as the controller of such data processing (see article 2ζ of the GDPA).

In addition, an independent party, which does not belong to the organization of the controller, but rather processes personal data on the latter’s behalf and under his instructions, is qualified as data processor and bears only the specific obligations stipulated under the law (see article 2η of the GDPA).

The contract between the controller and the processor of data must necessarily be in writing. The contract must provide that the processor carries out such data processing only on instructions from the controller and that the confidentiality and security obligations arising from the law shall also mutatis mutandis be borne by the processor (see article 10 παρ. 3 of the GDPA).

Conditions for the Lawful Processing

Personal data is lawfully processed by the controller, if the following conditions are observed :

  • The processing is proportional, i.e. (i) data is collected fairly and lawfully for specific, explicit and legitimate purposes and is processed fairly and lawfully in view of these purposes, (ii) is adequate, relevant and not excessive in relation to the purposes for which they are processed, (iii) is accurate and, where necessary, kept up to date, (iv) is kept in a form which allows the identification of data subjects for no longer than the period required given the purposes for which such data were collected or processed (see article 4 παρ. 1 of the GDPA).
  • The consent of the data subject has been lawfully obtained (see article 5 παρ. 1 of the GDPA). In order to be lawfully obtained, the consent must consist of a freely given, explicit and specific indication of will, whereby the data subject, being fully aware of the circumstances, signifies his/her informed agreement to the processing of his/her personal data. Such an agreement shall be considered as informed only in the case that it includes at least the information as to the purpose of processing, the data or data categories being processed, the recipient or categories of recipients of personal data, as well as the name, trade name and address of the controller and his/her representative, if any. Such consent may be revoked at any time without retroactive effect (see article 2ια of the GDPA).
  • The DPA has been served with a prior notice on the processing or, when it comes to sensitive personal data, has previously granted a permit (see articles 6 – 7 of the GDPA, see article 7A for exceptions as to this obligation).

Exceptions

As an exception to the condition of the compulsory obtainment of the data subject’s consent, the law provides that data may be lawfully processed even without such consent, only if (see article 5 παρ. 2 of the GDPA) :

  1. processing is necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  2. processing is necessary for the compliance with a legal obligation to which the controller is subject.
  3. processing is necessary in order to protect the vital interests of the data subject, if s/he is physically or legally incapable of giving his/her consent.
  4. processing is necessary for the performance of a task carried out in the public interest or a project carried out in the exercise of public function by a public authority or assigned by it to the controller or a third party to whom such data are communicated.
  5. processing is absolutely necessary for the purposes of a legitimate interest pursued by the controller or third parties, to whom the data are communicated, and on condition that such a legitimate interest evidently prevails over the rights and interests of data subjects and that their fundamental freedoms are not affected.

Since the processing of personal data has a diminishing effect on the data subject’s fundamental rights, as a rule the DPA interprets the exceptions mentioned above in a narrow manner.

Data Subject’s Rights

The data subject has the following rights vis a vis the controller :

  1. Right to information – During the stage of collection the controller shall inform the data subject regarding (a) his/her identity and the identity of his/her representative, if any, (b) the purpose of data processing, (c) the recipients or the categories of recipients of such data, (d) the existence of a right to access. If the data are to be disclosed to third parties, the data subject will be kept informed of such disclosure before it is effected (see article 11 of the GDPA).
  2. Right to Access – At the data subject’s request, the controller shall provide in writing, without undue delay and in an intelligible and express manner, the following information : (a) all the personal data relating to the data subject, as well as their source, (b) the purposes of data processing, the recipient or the categories of recipients, (c) any developments as to such processing for the period since the data subject was last notified or advised, (d) the logic involved in the automated data processing, (e) the correction, deletion or locking of data, the processing of which is not in accordance with the provisions of the present law, especially due to the incomplete or inaccurate nature of data, and (f) the notification to third parties, to whom the data have been announced, of any correction, deletion or locking, which is carried out in accordance with case (e) (see article 12 of the GDPA).
  3. Right to object – The data subject shall be entitled to object at any time to the processing of data relating to him, by addressing in writing to the controller a relevant request for a specific action, such as correction, temporary non-use, locking, non-transfer or deletion. In case the objection is rejected, the relevant response shall be justified and also notified to the DPA (see article 13 of the GDPA).
  4. Right to provisional judicial protection (see article 14 of the GDPA).

Confidentiality & Security of Data Processing

The processing of personal data is strictly confidential (see article 10 παρ. 1 of the GDPA).

The processing shall be carried out solely and exclusively by the personnel of the controller or the processor upon the former’s instructions and shall have adequate professional qualifications in respect of technical expertise and personal integrity, in order to ensure such confidentiality (see article 10 παρ. 2 of the GDPA).

The controller must implement appropriate organisational and technical measures to secure the data under processing and protect them against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access as well as any other form of unlawful processing. Such measures must ensure a level of security appropriate to the risks presented by processing and the nature of the data subject to processing (see article 10 παρ. 3 of the GDPA). The controller must also bind its processor(s) to apply the same measures.

Interconnection of Files

Any possibility of co-relating the data from one file to the data from another file or files kept by another controller or controller or with data from a file or files kept by the same controller for another purpose falls under the definition of file interconnection (see article 2στ of the GDPA).

The interconnection of personal data files is subject to prior notification to the DPA (see article 8 παρ. 2 of the GDPA).

Transborder Data Flows

The transborder transfer of personal data qualifies as processing. It is permitted only in the following circumstances (see article 9 of the GDPA) :

  1. When the transfer is directed to one of the 27 EU member – states or the additional three member – states of the EEA (Norway, Liechtenstein and Iceland).
  2. When the transfer is directed to a country recognised by a decision of the Commission that it ensures an adequate level of data protection. The relevant list of countries recognised as such can be found here : http://ec.europa.eu/justice/data-protection/document/international-transfers/adequacy/index_en.htm.
  3. When the transfer is directed to a controller/processor seated in the United States and enlisted under the EU – US Safe Harbour Agreement. The relevant list can be found here : https://safeharbor.export.gov/list.aspx.
  4. When the transfer is directed to a controller/processor in a third country, having signed and applied a private contract containing the EU Standard Contractual Clauses, which are included in the Commission Decisions 2002/16/EC and 2010/87/EC.
  5. In all other cases only by acquiring a prior special permit by the DPA.

Applicable Law

Greek data protection law applies in all cases that the processing of personal data is carried out (see article 3 παρ. 3 of the GDPA) :

  • by a Controller or a Processor established in the territory of the Greek state.
  • by a Controller, who is not established in the territory of a member-state of the European Union or of a member of the European Economic Area (EEA) but in a third country and who, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated in the Greek territory, unless such equipment is used only for purposes of transit through such territory.

Sanctions

In cases of violation of data protection law the DPA may impose the following administrative sanctions on the controllers or on their representatives (see article 21 of the GDPA) :

  1. a warning with an order for the violation to cease within a specified time limit.
  2. a fine amounting up to 145.000 €.
  3. a temporary revocation of the awarded permit.
  4. a permanent revocation of the awarded permit.
  5. the destruction of the relevant data file or a ban of the processing and the destruction, return or locking of the relevant data.

Article 22 of the GDPA enacts inter alia the following criminal sanctions :

  • Failure to notify the DPA for the establishment and/or the operation of a data file or any change in the terms and conditions regarding the granting of the permit on the processing of sensitive personal data, will be punished by imprisonment for up to three (3) years and a fine amounting up to 145.000 €.
  • Keeping a data file without permit or in breach of the terms and conditions referred to in the DPA’s permit, will be punished by imprisonment for a period of at least one (1) year and a fine amounting up to 145.000 €.
  • The interconnection of files without notifying the DPA will be punished by imprisonment for up to three (3) years and a fine amounting up to 145.000 €.
  • The interconnection of files without taking a permit by the DPA, wherever such permit is required, or in breach of the terms of the permit granted to him, will be punished by imprisonment for a period of at least one (1) year and a fine amounting up to 145.000 €.
  • If the perpetrator of the acts referred to above purported to gain unlawful benefit on his/her behalf or on behalf of another person or to cause harm to a third party, then s/he shall be punished with confinement in a penitentiary for a period of up to ten (10) years and a fine amounting up to 290.000 €.

Compensation for damages per data subject may not be less than 5.870 €, following a relevant court decision (see article 23 of the GDPA).

Specific Obligations for Electronic Communications Network/Service Providers

Specific obligations for electronic communications network/service providers regarding data protection are contained in the Act no. 3471/2006 regarding the protection of personal data in electronic communications, which transposed Directives 2002/58/EC and 2009/136/EC into Greek law (GG 133/A/28-06-2006).

As far as the security of data processing is concerned, article 12 of the Act enacts the following obligations :

  • Providers shall take appropriate technical and organisational measures to safeguard security of services and networks. These measures shall ensure a level of security appropriate to the risk presented, taking into account state of the art technical capabilities and the cost of their application.
  • In case of a particular risk of breach of the network’s security, the provider must inform its subscribers. If the risk lies outside the scope of the measures to be taken by the provider, the latter must also inform its subscribers of any possible remedies, including an indication of the likely costs involved.
  • Only authorized personnel shall have access to personal data for legitimate purposes. Furthermore, the personal data stored or transferred shall be protected against accidental or unlawful destruction, accidental loss or alteration and unauthorized or unlawful processing, including storage, access or disclosure.
  • In case of a data security breach, the provider shall notify the CCA and the DPA of the breach without undue delay. The notification to the competent authorities shall at least include (a) a description of the nature of the personal data breach, (b) the contact points, from which further information can be obtained, (c) the consequences of the breach and (d) the measures, which were suggested or taken by the provider to deal with the breach.
  • When the data security breach may have unpropitious consequences to the personal data or the private life of the subscriber or third parties, the provider shall notify without undue delay the affected subscriber or the affected third party. The notification shall at least include (a) a description of the nature of the personal data breach, (b) the contact points, from which further information can be obtained, as well as (c) recommendations that can limit potentially unfavourable effects from the breach. The notification of the affected subscriber or third party is not necessary, if the provider has proved to the competent authorities in a satisfactory manner that he/she has applied the appropriate technical security measures and that these measures were applied for the data related to the security breach. These measures shall at least include secure data encryption, so that unauthorized access is not possible.
  • Providers keep a record of data security breaches, which includes the description of relevant incidents, their results and the corrective actions that they undertook.
  • The processing of the users’ and subscribers’ personal data, as well as the relevant traffic, location and billing data, must be assigned to persons acting under the authority of providers, which handle billing or traffic management, customer enquiries, fraud detection, marketing of the provider’s electronic communications services or the provision of a value added service, and must be restricted to what is necessary for the purposes of such activities.
  • Apart from the data security obligations mentioned above, for the integrity and security of their electronic communications networks/services providers bear the additional obligations described in chapter 5.4.1.

Furthermore, the Act stipulates the following obligations :

  1. Conditions of Lawful Processing – The processing of personal data by electronic communications network/service providers is only allowed if : (a) the subscriber or user has given consent upon notification as to the type of data, the purpose and extent of the processing, the recipients or categories of recipients, or (b) the processing is necessary for the implementation of the agreement to which the user or subscriber is a party, or the taking of measures during the stage of negotiations, following an application by the subscriber (see article 5 παρ. 2 of the Act no. 3471/2006, see also the DPA Opinion no. 2/2011).
  2. Consent – Whenever required, the subscriber’s or user’s consent shall be given in writing or by electronic means. In the latter case, the provider ensures that the subscriber or user acts in full awareness of the consequences of his/her statement, which is recorded in a secure manner, can be accessed by the user or subscriber at any time and can be withdrawn at any time (see article 5 παρ. 3 of the Act no. 3471/2006, see also the DPA Opinion no. 2/2011).
  3. Data Transfer – The transfer of traffic data is permitted in the following two cases : (a) to another provider for the purpose of billing the services provided, under the condition that the subscriber or user is informed in an appropriate and express manner in writing or by electronic means in the agreement stage or before the transfer, and (b) to third parties for the collection of payments under the condition that the subscriber or user is informed in an appropriate and express manner in writing or by electronic means in the agreement stage or before the transfer (see article 6 παρ. 2 of the Act no. 3471/2006).
  4. Anonymity – Providers have the duty to make available the use and the payment of services anonymously or by pseudonym, to the extent that this is technically feasible (see article 5 παρ. 5 of the Act no. 3471/2006).
  5. Retention of Data for Billing Purposes – For the purposes of billing and payment the processing of traffic data may be retained up to 12 months from the date of transmission of the communication, unless the relevant bill has been challenged or the payment has not been settled (see article 6 παρ. 2 of the Act no. 3471/2006).
  6. Register on Unsolicited Telephone Calls – Providers shall keep a register of their subscribers that do not wish to accept unsolicited telephone calls (see article 11 παρ. 2 of the Act no. 3471/2006).
  7. Direct Marketing – For the commercial promotion of the electronic communications services or for the provision of value added services providers may process traffic data to the extent and the duration needed, only if the subscriber or user has previously given his/her consent after he/she has been informed about the type of traffic data that are subject to processing as well as the duration of processing (see article 6 παρ. 3 of the Act no. 3471/2006).
  8. Recording of Communications – Providers are permitted to record communications and the related traffic data for the purpose of providing evidence of a commercial transaction or of any other business communication, under the condition that both parties have provided their consent upon prior notification as to the aim of the recording (see article 4 παρ. 3 of the Act no. 3471/2006).
  9. Geographical Data – The processing of data that indicate the geographic location of the terminal equipment of a subscriber or user of a value added service is only permitted if these are rendered anonymous or with the explicit consent of the subscriber or user to the extent and for the duration necessary for the provision of an value added service (see article 6 παρ. 4 of the Act no. 3471/2006).
  10. Non Itemised Bills – Providers shall have the obligation to issue non-itemised bills to their subscribers upon request(see article 7 of the Act no. 3471/2006).
  11. Cookies – Providers are permitted to store personal data or gain access to information already stored in the terminal equipment of a subscriber or user, only if the specific subscriber or user has given his/her consent following clear and detailed information. The consent of the subscriber or user can be given by means of appropriate settings in the web browser or by means of another application (see article 4 παρ. 5 of the Act no. 3471/2006, see also the DPA Opinion no. 7/2011).
  12. Unsolicited Communications through Email – Providers may use email addresses that have been lawfully obtained in the context of the sale of a product or a service or other transaction for direct marketing of similar products or services by the supplier or the fulfilment of similar purposes, even when the recipient of the message has not given his/her prior consent. The recipient of the message shall be clearly and distinctly given the opportunity to object, in an easy manner and free of charge, to such collection and use of electronic contact details when they are collected and on the occasion of each message, in case he/she has not initially refused such use. Such email messages sent for direct marketing purposes shall include the identity of the sender in a clear and explicit manner (see article 11 παρ. 3 and 4 of the Act no. 3471/2006).

Data Retention Requirements

The Act no. 3917/2011 (GG 22/A/21-02-2011), which transposed Directive 2006/24/EC into Greek law, establishes specific obligations for publicly available electronic communication network/service providers (voice telephony, e-mail, internet access) to retain certain data generated or processed by them. Such obligations do not burden information society service providers.

The providers mentioned above are obliged to retain specific types of communications traffic and location data along with related data necessary to identify the subscriber or registered user, as described in detail in article 5 of the Act, including data about unsuccessful telephone call attempts. Any type of communications content is explicitly excluded from retention.

In Greece, the period of the aforementioned retention has been set at twelve (12) months after the generation of the data. During this period the providers grant to law enforcement authorities within just five (5) days access to the retained data under the legitimate procedure of access to communications data and lawful interception (see para. 5.4.2 below). After expiry, the providers automatically destroy the retained data, except for data having been accessed by law enforcement authorities. In terms of security, the providers take all appropriate technical and organisational measures to ensure that retained data are accessed only by specially authorised personnel. In addition, the providers have to put in place and comply with a legitimate security policy for the retained data and appoint a person (“security officer”) responsible under the law for its execution (see article 7 παρ. 2 of the Act). Finally, it should be mentioned that no costs arising from the regulation are reimbursed by the State and, therefore, the total cost of data retention burdens exclusively the providers.

Article 6 of the Act, which compels providers to store the retained data exclusively in the territory of the Greek state, should be considered as invalid, since it directly violates the European Union law core principle of the free movement of services within the internal market (see article 56 TFEU).

In case of data leakage, the publicly available electronic communications network/service provider may be held liable upon court order to pay compensation to data subjects of at least 10.000 € per case.

In cases of violation of the Act the CCA is the competent public authority to impose fines, having, inter alia, the powers to order the suspension or revocation of the operation of the undertaking under investigation and impose fines of up to 5.000.000 €.

Collection of Mobile Subscribers’ Identification Data

Under the Act no. 3783/2009 (GG 136/A/07-07-2009) providers of mobile telephony services in Greece are imposed with the obligation to collect and store identification data of their subscribers for national security reasons and for the investigation and prosecution of particularly serious crimes.

In particular, providers of mobile telephony services are not permitted to connect end users with their networks, unless specific identification data of the latter along with identification data of their mobile handsets are collected and retained, as such data are listed in detail in article 2 παρ. 4 and 7 of the Act no. 3783/2009. Retention of the data mentioned above shall last for one (1) year after the termination of the relevant mobile telephony services contract (see article 5 παρ. 1 of the Act no. 3783/2009). During this period the providers of mobile telephony services shall grant to law enforcement authorities access to the retained data under the legitimate procedure of access to communications data and lawful interception (see para. 5.4.2 below). No costs arising from the regulation are reimbursed by the State (see article 3 παρ. 5 of the Act no. 3783/2009).

The public authority assigned to supervise the lawful application of the Act no. 3783/2009 is the NTPC, which has the powers to impose administrative fines of up to 3.000.000 Euros or, in serious cases of violation of the Act, revoke the general authorisation of undertakings.

Provision of Subscribers’ Data to Tax Authorities

By March 31st of each year, mobile & fixed network and services operators are obliged to provide by electronic means certain personal and financial data of their subscribers to the Ministry of Finance for tax evasion prevention purposes (see article 82 παρ. 2 of the Act no. 2238/1994, as amended by article 32 παρ. 2 of the Act 3986/2011, see also article 7 of Minister of Finance Decision 1077/2012). Operators are not obliged to give prior notice to data subjects for the disclosure of their personal data. Violation of the obligation mentioned above may be fined up to 100.000 €.