Greek Data Protection Legal Framework and Main Rules

1. Data Protection Laws

1.1. Law specific to data protection

Greece is a member state of the Council of Europe, having therefore implemented the CoE 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data into Greek law (see Act no. 2068/1992).

According to article 9 of the Greek Constitution the privacy and family life are recognised as inviolable rights. In addition, article 9A of the Constitution stipulates that everybody in the jurisdiction of the Greek state has the right to be protected from the collection, processing and use of their personal data, especially by electronic means, as this protection is specified under the law.

In August 2019, the Greek Parliament passed national legislation supplementing Regulation (EC) 2016/679 (“GDPR”) and transposing Directive 2016/680/EC (“LED”) into Greek law. Law no. 4624/2019, entitled “Data Protection Authority, Measures for Implementing Regulation (EC) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and transposition into national law of Directive 2016/680/EC of the European Parliament and of the Council of 27 April 2016 and other provisions”, entered into force on 29 August 2019, immediately upon its publication in the Government Gazette[1].

The long-awaited law was enacted nearly fifteen months after the GDPR went into force and after the European Commission had referred Greece to the Court of Justice of the European Union for failing to transpose the Law Enforcement Directive[2] by the expiry of the transposition deadline on 6 May 2018. The enactment of the law was preceded by two public consultations on highly divergent texts, four reshuffles of the relevant legislative committee and several extensions of its term. Several provisions of Law no. 4624/2019 were heavily criticised by the Hellenic Data Protection Authority (“HDPA”) in its Opinion no. 1/2020 for incompatibilities with the GDPR and for inadequate transposition of the LED[3].

Under Law 4624/2019, the Greek Supervisory Authority is re-established, the provisions of the GDPR are supplemented by additional measures and the provisions of Directive (EU) 2016/680 are transposed into Greek law. The law repeals the prior Law 2472/1997, except for certain of its provisions regarding the public disclosure of a suspect’s data by law enforcement authorities in the case of specific offences, the use of video surveillance material from public gatherings and the opt-out register for commercial communications by post.

Utilising the approximately 70 “opening clauses” of the GDPR, which allow member states to enact national statutory provisions, the new law supplements and specifies the provisions of the GDPR in three significant ways. First, it supplements the GDPR on general issues that are left to the discretion of member states. Second, it regulates special cases of processing which the national legislator considers important. Third, the law imposes restrictions on the rights of data subjects where necessary and proportionate for purposes of public interest. Specifically, Part A of the law stipulates its objective and scope, the definitions of public and private entities, and the role of the data protection officer in public bodies. Part B includes provisions regarding the organisation and operation of the Hellenic Data Protection Authority. Part C implements supplemental measures for the application of the GDPR, whereas Part D transposes the Law Enforcement Directive into Greek law. Part E sets out the final and transitional provisions of the law.

In April 2022, the European Commission launched infringement procedures against Greece on the grounds that the Law no. 4624/2019 is not in conformity with the LED. The case against Greece relates to a number of points, including, inter alia, the non-application of the national law transposing the LED to the processing of personal data by judicial-prosecutorial authorities and by authorities acting under their supervision for the majority of criminal offences, the transposition of provisions on data storage and review, the legal basis for data processing, and safeguards in the context of automated decision-making.

1.2. Sector-specific legislation

Specific provisions related to the processing of personal data in electronic communications are incorporated in the Law no. 3471/2006 regarding the protection of personal data in electronic communications, which transposed Directives 2002/58/EC and 2009/136/EC[4].

The most important provisions of the Law no. 3471/2006 refer to the confidentiality, security and processing rules of personal data in electronic communications, to the processing of traffic and location data and to the regulation of unsolicited communications as follows:

  • Security – Providers shall take appropriate technical and organisational measures to safeguard the security of their services and networks. These measures shall ensure a level of security appropriate to the risk presented, taking into account state-of-the-art technical capabilities and the cost of their application. In the event of a data security breach, the provider shall notify the HDPA and the Confidentiality of Communications Authority of the breach without undue delay. Where the data security breach may have adverse consequences for the personal data or the private life of the subscriber or of third parties, the provider shall also notify the affected subscriber or third party without undue delay (article 12 of the Law no. 3471/2006).
  • Conditions of Lawful Processing – The processing of personal data by electronic communications network/service providers is only allowed if: (a) the subscriber or user has given consent after being notified of the type of data, the purpose and extent of the processing, and the recipients or categories of recipients, or (b) the processing is necessary for the performance of the agreement to which the user or subscriber is a party, or for taking measures at the negotiation stage following an application by the subscriber (see article 5 § 2 of the Law no. 3471/2006, see also the DPA Opinion no. 2/2011).
  • Consent – Whenever required, the subscriber’s or user’s consent shall be given in writing or by electronic means. In the latter case, the provider ensures that the subscriber or user acts in full awareness of the consequences of his/her statement, which is recorded in a secure manner, can be accessed by the user or subscriber at any time and can be withdrawn at any time (see article 5 § 3 of the Law no. 3471/2006, see also the DPA Opinion no. 2/2011).
  • Recording of Communications – Providers are permitted to record telephone communications and the related traffic data for the purpose of providing evidence of a commercial transaction or of any other business communication, under the condition that both parties have provided their consent upon prior notification as to the aim of the recording (see article 4 § 3 of the Law no. 3471/2006).
  • Anonymity – Providers have the duty to make available the use and the payment of services anonymously or by pseudonym, to the extent that this is technically feasible (see article 5 § 5 of the Law no. 3471/2006).
  • Traffic and Location Data – Providers are permitted to retain and process traffic and location data of their subscribers only for billing and payment purposes, for up to 12 months from the date of transmission of the communication, unless the relevant bill has been challenged or the payment has not been settled (see article 6 § 2 of the Law no. 3471/2006). However, the processing of data indicating the geographic location of the terminal equipment of a subscriber or user of a value added service is permitted if such data are rendered anonymous, or with the explicit consent of the subscriber or user, to the extent and for the duration necessary for the provision of a value added service (see article 6 § 4 of the Law no. 3471/2006).
  • Register on Unsolicited Telephone Calls – Providers shall keep a register of their subscribers that do not wish to accept unsolicited telephone calls (see article 11 § 2 of the Law no. 3471/2006).
  • Direct Marketing – For the commercial promotion of the electronic communications services or for the provision of value added services providers may process traffic data to the extent and the duration needed, only if the subscriber or user has previously given his/her consent after he/she has been informed about the type of traffic data that are subject to processing as well as the duration of processing (see article 6 § 3 of the Law no. 3471/2006).
  • Cookies – Providers are permitted to store personal data or gain access to information already stored in the terminal equipment of a subscriber or user, only if the specific subscriber or user has given his/her consent following clear and detailed information. The consent of the subscriber or user can be given by means of appropriate settings in the web browser or by means of another application (see article 4 § 5 of the Law no. 3471/2006, see also the DPA Opinion no. 7/2011).
  • Unsolicited Communications through Email – Providers may use email addresses that have been lawfully obtained in the context of the sale of a product or a service or other transaction for direct marketing of similar products or services by the supplier or the fulfilment of similar purposes, even when the recipient of the message has not given his/her prior consent. The recipient of the message shall be clearly and distinctly given the opportunity to object, in an easy manner and free of charge, to such collection and use of electronic contact details when they are collected and on the occasion of each message, in case he/she has not initially refused such use. Such email messages sent for direct marketing purposes shall include the identity of the sender in a clear and explicit manner (see article 11 § 3 and 4 of the Law no. 3471/2006).

In addition, the Law no. 3917/2011 regarding data retention, which transposed Directive 2006/24/EC[5], stipulates the conditions under which publicly available electronic communication network/service providers (voice telephony, e-mail, internet access) are obliged to retain traffic and location data of their users’ communications and to give competent authorities access to such data under the legitimate procedure of lawful interception. Following the annulment of Directive 2006/24/EC by the Court of Justice of the EU[6], several provisions of the Law no. 3917/2011 should be considered invalid and unenforceable.

Finally, providers of mobile telephony services are obliged under the Law no. 3783/2009[7] to collect and store identification data of their subscribers for national security reasons and for the investigation and prosecution of particularly serious crimes.

2. Personal vs Anonymized Data

2.1. Personal Data

According to article 2, Law 4624/2019 applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of such data which form part of a filing system or are intended to form part of a filing system, carried out by: (a) public bodies or (b) private bodies, unless the processing is carried out by a natural person in the course of a purely personal or household activity.

According to article 4 § 1 GDPR “personal data” means any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The scope of the GDPR and Law 4624/2019 does not, therefore, cover the processing of personal data that concerns legal entities and deceased natural persons.

Law 4624/2019 and Greek data protection legislation in general do not incorporate specific provisions supplementing the definition of personal data under the GDPR.

2.2. Anonymized & pseudonymized data

Anonymisation refers to the use of a set of techniques in order to remove the ability to link the data with an identified or identifiable natural person against any “reasonable” effort[8] (p. 5 of the EDPB Guidelines). Anonymous information is defined as information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (recital 26 of the GDPR). The principles of data protection do not apply to anonymous information (recital 26 of the GDPR).

In contrast, pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (article 4 § 5 of the GDPR). Pseudonymization can be described as a set of appropriate technical and organisational measures, which contributes both to the implementation of data protection by design and by default (recital 78 and article 25 of the GDPR) and the security of processing (article 32 § 1 of the GDPR).

Personal data, which have undergone pseudonymization and can, thus, be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person (recital 26 of the GDPR). The application of pseudonymisation to personal data can reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations (recital 28 of the GDPR).

According to recital 26 of the GDPR, to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. Hence, the Court of Justice of the EU has ruled that anonymisation should be considered to have taken place where re-identification is practically impossible because it requires a disproportionate expenditure of time, cost and manpower[9].

In respect of the processing of special categories of personal data, article 22 § 3 of Law 4624/2019 provides that all appropriate and specific measures are required to be taken to safeguard the interests of the data subject. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying severity for rights and freedoms of natural persons posed by the processing, such measures may include, among others, the pseudonymisation of personal data.

Furthermore, article 30 § 1 of Law 4624/2019 lays down by way of derogation from Article 9(1) of the GDPR, that the processing of special categories of personal data within the meaning of Article 9(1) of the GDPR shall be allowed where it is necessary for archiving purposes in the public interest. The controller shall have the obligation to take suitable and specific measures to protect the data subject’s legitimate interests. Such measures may include, as far as possible, among others, the pseudonymisation of personal data.

Along these lines, article 30 § 1 of Law 4624/2019 stipulates by way of derogation from Article 9(1) of the GDPR, that the processing of special categories of personal data, within the meaning of Article 9(1) of the GDPR, shall be allowed without the consent of the data subject where the processing is necessary for scientific or historical research purposes, or for the collection and maintenance of statistical information, and the interest of the controller is overriding the interest of the data subject in not having his or her personal data processed. The controller shall have the obligation to take suitable and specific measures to protect the data subject’s legitimate interests. Such measures may include, among others, the pseudonymisation of personal data.

According to article 30 § 3 of Law 4624/2019, special categories of personal data, where processed for the purposes of paragraph 1 shall, unless it is contrary to the legitimate interest of the data subject, be anonymised as soon as the scientific or statistical purposes allow. Until then, the characteristics that can be used to match individual details associated with personal or real situations of an identified or identifiable person must be stored separately. These characteristics can only be combined with individual details if required for research or statistical purposes.
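The following Python sketch is an added illustration, not part of the original text, of the distinction drawn above between pseudonymised and anonymised data: direct identifiers are replaced by a keyed pseudonym and moved into a separately held "identity vault" (the separate storage that article 4 § 5 of the GDPR and article 30 § 3 of Law 4624/2019 require), re-linking is possible only with that vault, and the dataset becomes anonymous only once the pseudonym column is dropped and the data are aggregated. The HMAC construction, the vault layout and the sample records are assumptions of the example, not a prescription of the law or of the HDPA.

```python
"""Pseudonymisation vs anonymisation (added example; constructed sample data).

Pseudonymisation in the sense of GDPR art. 4(5): identifiers are replaced by a
keyed pseudonym, and the information needed to re-link (key + vault) is kept
separately. The research set remains personal data as long as the vault exists.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; names and identifiers are fictitious.
SAMPLE_RECORDS = [
    {"name": "Person A", "national_id": "AB123456", "city": "Athens", "diagnosis": "D1"},
    {"name": "Person B", "national_id": "CD789012", "city": "Patras", "diagnosis": "D2"},
    {"name": "Person C", "national_id": "EF345678", "city": "Athens", "diagnosis": "D1"},
]

DIRECT_IDENTIFIERS = ("name", "national_id")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 16 hex chars).

    A plain unkeyed hash of a small identifier space can be recomputed by
    anyone who knows the identifier format; with a secret key that is not
    possible, so the key is itself part of the 'additional information'.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split each record into a research record (pseudonym + attributes) and a
    vault entry (pseudonym -> direct identifiers). The two outputs are meant to
    be stored separately, under different access controls."""
    research, vault = [], {}
    for rec in records:
        pid = make_pseudonym(key, rec["national_id"])
        attributes = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        research.append({"pid": pid, **attributes})
        vault[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return research, vault


def reidentify(research_record, vault):
    """Re-linking works only for whoever holds the vault; this is exactly why the
    research set counts as data on identifiable persons (recital 26 GDPR)."""
    return vault.get(research_record["pid"])


def anonymise(research):
    """Aggregate once the research or statistical purpose allows (art. 30 § 3):
    the pseudonym column is dropped and only counts per (city, diagnosis) are
    kept, so no output row relates to a single person."""
    return dict(Counter((r["city"], r["diagnosis"]) for r in research))


def demo():
    key = secrets.token_bytes(32)  # kept with the vault, never with the research set
    research, vault = pseudonymise(SAMPLE_RECORDS, key)
    # No direct identifier survives in the research set ...
    assert all("name" not in r and "national_id" not in r for r in research)
    # ... yet with the vault it re-links: pseudonymised, not anonymised.
    assert reidentify(research[0], vault)["name"] == "Person A"
    # The same pid would recur for the same person across records (singling out),
    # so even without the vault the set stays personal data until aggregated.
    return anonymise(research)


if __name__ == "__main__":
    print(demo())  # {('Athens', 'D1'): 2, ('Patras', 'D2'): 1}
```

Deleting the vault and the key turns the pseudonymised set into something much harder to re-link, but it does not by itself make it anonymous: the per-person rows still allow singling out, which is why the example treats aggregation, not key deletion, as the anonymisation step.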

On 31 January 2022, by its Decision no. 4/2022, the Hellenic Data Protection Authority fined a major electronic communications group (Cosmote) 9.25 million euros for multiple violations of the GDPR. Among other matters, the Authority assessed the lawfulness of the Group’s pseudonymisation techniques. As regards the processing carried out by the Group for data analytics purposes, the HDPA held that this purpose could also have been pursued using anonymised data. Although Cosmote claimed that the data were indeed anonymised, the HDPA found that the data in question constituted enriched datasets that were pseudonymised rather than anonymised. In addition, the extraction of statistics from the pseudonymised database was considered a further purpose of processing, which may be compatible with the original purposes but is subject to the conditions of Article 89 of the GDPR; however, data subjects had not been given notice of such processing. The HDPA therefore ruled that data subjects were not adequately informed about the relevant processing and had also been inaccurately told that their data were processed in anonymised form.

3. Lawful processing

3.1. Legal bases for data processing

Article 5(1)(a) of the GDPR establishes the principle of lawfulness, fairness and transparency, by providing that personal data shall be processed lawfully, fairly and in a transparent manner vis-à-vis data subjects.

The GDPR lays down a numerus clausus of legal bases for the lawful processing of personal data. In particular, article 6(1) of the GDPR provides that processing of personal data shall be lawful only if and to the extent that at least one of the following applies:

  • the data subject’s consent;
  • the performance of a contract to which the data subject is party or taking steps at the request of the data subject prior to entering into a contract;
  • the compliance with a legal obligation to which the controller is subject;
  • the protection of the vital interests of the data subject or of another natural person;
  • the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Under article 9 GDPR, processing of special categories of data shall be prohibited, unless:

  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy; or
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

In respect of the lawfulness of processing, Law 4624/2019 provides that employees’ personal data may be processed for the purposes of the contract of employment where the processing is strictly necessary for deciding whether to enter into a contract of employment, or for the performance of a contract of employment once it has been concluded (article 27 § 1).

3.2. The specificity of the consent

According to article 4 § 11 GDPR, ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

According to recital 32 GDPR, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

In April 2018, the Article 29 Working Party (Art29WP) adopted its Guidelines on consent under Regulation 2016/679, which were endorsed by the EDPB at its first plenary meeting. On 4 May 2020, the EDPB published its Guidelines 05/2020 on consent under the GDPR, updating the Art29WP Guidelines.

According to the relevant provisions and recitals of the GDPR, as interpreted by the EDPB Guidelines no. 05/2020, the consent of the data subject ought to have the following characteristics in order to be valid:

  • Prior: To be obtained before each processing activity.
  • Informed: When obtaining consent, the controller must provide the data subject with the information required by law, including information about the data subject’s right to withdraw consent at any time and the consequences of any withdrawal.
  • Easily Comprehensible: The request for consent, as well as the relevant information, is to be made in a comprehensible and easily accessible form, using clear and simple language.
  • Explicit: The consent is to be given by a statement which includes a clear positive action (silence, pre-ticked boxes or inactivity of the subject will not be considered lawful consent).
  • Specific: Where personal data are processed for several processing activities or purposes, consent is to be requested and given for each of them separately.
  • Clearly Distinguishable: To be presented in a way that is clearly distinct from other matters.
  • Free: The consent is to be the result of a true and free choice of the data subject, i.e. it must be possible for the data subject to refuse or withdraw consent without suffering detriment. Where there is a clear imbalance of power between the data subject and the data controller, as in the case of the controller’s employees, consent should be considered free only exceptionally, where a refusal or withdrawal of consent has no implications for the data subject. Consent given in the context of the performance of a contract must not be a condition for the acceptance of terms or conditions for the performance of the contract or the provision of services related to it.
  • Recorded: To be provided either by written declaration (by electronic or digital means, provided that identification is possible) or by any recorded oral statement.
  • Freely Withdrawable: The data subject is free to withdraw consent at any time, in the same easy, simple and effective way as that in which the consent was given. Regarding the consequences of withdrawal for data processing which is strictly necessary for the performance of a contract, the data subject must be informed that withdrawal of consent gives the data controller the right to terminate the contract. If consent is withdrawn pre-contractually, the data controller has the right to refuse to conclude a contract.
  • Effectiveness of consent withdrawal: The data controller is required to implement appropriate measures to ensure that, upon withdrawal of consent, the processing of personal data ceases in real time and the related systems respond to it immediately.

In respect of the consent of the data subject, Law 4624/2019 incorporates the following national statutory provisions:

  • In relation to the offering of information society services directly to a minor, the processing of the personal data of a minor shall be lawful where the minor is at least 15 years old and gives his or her consent. Where the minor is below the age of 15 years, the processing in relation to the offering of information society services shall be lawful only if consent is given by the legal representative of the minor (article 21).
  • Where an employee’s consent is, by way of exception, used as the legal basis for the processing of the employee’s personal data, the following should in particular be taken into account in deciding whether consent was freely given (article 27 § 2):
    (a) the employee’s dependence, as set out in the contract of employment; and
    (b) the circumstances under which consent was given.
    Consent can be given either in writing or in electronic form and must be clearly distinguishable from the contract of employment. The employer must inform the employee, either in writing or in electronic form, about the purpose of the processing of the employee’s personal data and his or her right to withdraw consent under Article 7(3) of the GDPR.

  • To the extent necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression, the processing of personal data is allowed where: (a) the data subject has given his or her explicit consent, (b) it relates to personal data which are manifestly made public by the data subject, (c) the right to freedom of expression and the right to information override the right to the protection of the data subject’s personal data, in particular on matters of general interest or where the data relate to public figures, and (d) it is limited to what is necessary to ensure freedom of expression and the right to information, in particular with regard to special categories of personal data, criminal proceedings, convictions and related security measures, taking into account the right of the data subject to his or her private and family life (article 28 § 1).
  • By way of derogation from Article 9(1) of the GDPR, the processing of special categories of personal data, within the meaning of Article 9(1) of the GDPR, shall be allowed without the consent of the data subject where the processing is necessary for scientific or historical research purposes, or for the collection and maintenance of statistical information, and the interest of the controller overrides the interest of the data subject in not having his or her personal data processed […] The controller may publish personal data processed in the context of research if the data subjects have given their consent in writing or the publication is necessary for the presentation of the results of the research. In the latter case, the results shall undergo pseudonymisation before being published (article 30 §§ 1 and 4).

The Greek DPA has issued its Guidelines no. 2/2011 on electronic consent in the framework of article 11 of Law 3471/2006[10]. In these Guidelines, the DPA specifies the forms through which the data controller is required to obtain the consent of the data subject by electronic means.

4. Sensitive personal data

4.1. Special categories of data

Article 9 of the GDPR lists a numerus clausus of categories of data as special categories of data, i.e. personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

In respect of the lawfulness of processing of special categories of data, Law 4624/2019 incorporates the following main national statutory provisions:

  • By way of derogation from Article 9(1) of the GDPR, the processing of special categories of personal data within the meaning of Article 9(1) of the GDPR by public and private bodies shall be allowed, if necessary: (a) for the purpose of exercising the rights arising from the right to social security and social protection, and for fulfilling the obligations arising therefrom; (b) for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or the management of health or social care systems, or pursuant to a contract with a health professional or other person who is subject to a duty of professional secrecy or supervised by him/her; or (c) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. In the case of (c), in addition to the measures referred to in the second subparagraph of paragraph 3 of the same article, the provisions ensuring professional secrecy provided for in a law or a code of conduct must in particular be complied with (article 22 § 1).
  • By way of derogation from Article 9(1) of the GDPR, the processing of special categories of personal data within the meaning of Article 9(1) of the GDPR by public bodies shall be allowed where it is: (a) strictly necessary for reasons of essential public interest; (b) necessary for the prevention of major threats to national or public security; or (c) necessary for taking humanitarian action; in each case provided that the interest in the processing overrides the interest of the data subject (article 22 § 2).
  • By way of derogation from Article 9(1) of the GDPR, the processing of special categories of personal data within the meaning of Article 9(1) of the GDPR for the purposes of the employment relationship shall be permitted if it is necessary for the exercise of rights or for compliance with legal obligations arising from employment, social security and social protection law, and there is no reason to believe that the data subject's legitimate interest in the processing not taking place prevails. Consent given for the processing of special categories of personal data must refer explicitly to such data. The processing of personal data, including special categories of employees' personal data, for the purposes of the employment relationship is also permitted on the basis of collective labour agreements; the negotiating parties must comply with Article 88(2) of the GDPR (article 27 §§ 3-4).

4.2.             Sensitive Data

Pursuant to article 10 GDPR, the processing of personal data relating to criminal convictions and offences, or related security measures shall be carried out only under the control of official authority or when the processing is authorized by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

Furthermore, according to article 23 of Law 4624/2019, the processing of genetic data for health and life insurance purposes shall be prohibited under Article 9(4) of the GDPR.

5.   Responsibility for Data processing

5.1.             Data controller & Joint controllers

The protection of the rights and freedoms of data subjects as well as the responsibility and liability of controllers and processors, also in relation to the monitoring by and measures of supervisory authorities, requires a clear allocation of the responsibilities under the GDPR, including where a controller determines the purposes and means of the processing jointly with other controllers or where a processing operation is carried out on behalf of a controller (recital 79 of the GDPR).

According to article 4 § 7 GDPR, Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

The EDPB has issued its Guidelines 07/2020 on the concepts of controller and processor in the GDPR. According to these Guidelines, a controller is defined as a body that decides certain key elements of the processing. Controllership may be defined by law or may stem from an analysis of the factual elements or circumstances of the case. Certain processing activities can be seen as naturally attached to the role of an entity (an employer to employees, a publisher to subscribers or an association to its members). In many cases, the terms of a contract can help identify the controller, although they are not decisive in all circumstances. A controller determines the purposes and means of the processing, i.e. the why and how of the processing. The controller must decide on both purposes and means. However, some more practical aspects of implementation (“non-essential means”) can be left to the processor. It is not necessary that the controller actually has access to the data that is being processed to be qualified as a controller.

The EDPB Guidelines also clarify that the qualification as joint controllers may arise where more than one actor is involved in the processing. In this respect, the overarching criterion for joint controllership to exist is the joint participation of two or more entities in the determination of the purposes and means of a processing operation. Joint participation can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing. An important criterion is that the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked. The joint participation needs to include the determination of purposes on the one hand and the determination of means on the other hand.

In Greek law, there are not any national provisions further specifying the notion of data controller or joint controller.

5.2.             The data processor

According to article 4 § 8 of the GDPR, processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recital 81 of the GDPR provides that, to ensure compliance with the requirements of this Regulation in respect of the processing to be carried out by the processor on behalf of the controller, when entrusting a processor with processing activities, the controller should use only processors providing sufficient guarantees, in particular in terms of expert knowledge, reliability and resources, to implement technical and organisational measures which will meet the requirements of this Regulation, including for the security of processing. The adherence of the processor to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller. The carrying-out of processing by a processor should be governed by a contract or other legal act under Union or Member State law, binding the processor to the controller, setting out the subject-matter and duration of the processing, the nature and purposes of the processing, the type of personal data and categories of data subjects, taking into account the specific tasks and responsibilities of the processor in the context of the processing to be carried out and the risk to the rights and freedoms of the data subject. The controller and processor may choose to use an individual contract or standard contractual clauses which are adopted either directly by the Commission or by a supervisory authority in accordance with the consistency mechanism and then adopted by the Commission. After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data, unless there is a requirement to store the personal data under Union or Member State law to which the processor is subject.

In Greek law, there are no national provisions further specifying the notion of data processor.

5.3.             Liability of the processor and controller

Article 5(2) of the GDPR makes the controller responsible for compliance with the data protection principles and requires it to be able to demonstrate that compliance ("accountability"). Under Article 82 of the GDPR, the controller is liable for the damage caused by processing which infringes the GDPR.

The processor is subject to the following relevant GDPR provisions directly applicable to data processors:

  • The obligations imposed on processors under Article 28 (2), (3), (4), (5) and (6), on the duty to enter into a data processing agreement, with the exception of those relating to the assistance to the data controller in complying with its (the controller’s) own obligations under the GDPR.
  • The processor and any person acting under the authority of the controller or of the processor, who has access to personal data, shall not process those data except on instructions from the controller, unless required to do so by Union or Member State law, as per Article 29 and Article 32(4) GDPR.
  • Where applicable, the processor shall maintain a record of all categories of processing carried out on behalf of a controller, as per Article 30(2) GDPR.
  • Where applicable, the processor shall, upon request, cooperate with the supervisory authority in the performance of its tasks, as per Article 31 GDPR.
  • The processor shall implement technical and organisational measures to ensure a level of security appropriate to the risk, as per Article 32 GDPR.
  • The processor shall notify the controller without undue delay after becoming aware of a personal data breach, as per Article 33 GDPR.
  • Where applicable, the processor shall designate a data protection officer as per Articles 37 and 38 GDPR.
  • The provisions on transfers of personal data to third countries or international organisations, as per Chapter V of the GDPR.

Under Article 79 of the GDPR, data subjects can bring direct claims against both the controller and the processor.

According to article 82 of the GDPR, where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage to ensure effective compensation of the data subject. Where a controller or processor has paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.

According to article 41 of Law 4624/2019, actions brought by a data subject against a controller or processor for breach of data protection provisions within the scope of the GDPR, or of the rights of the data subject referred to therein, shall be brought before the civil courts in whose district the controller or processor has its establishment. Such actions may also be brought before the civil courts in whose district the data subject has his or her habitual residence. This does not apply to actions brought against public authorities where such authorities exercise sovereign power conferred on them. Where the controller or processor has designated a representative in accordance with Article 27(1) of the GDPR, that representative is considered a procedural representative for the service of all documents in civil proceedings under the first subparagraph above.

6.   Transparent processing

6.1.             Right to information

According to article 13 of the GDPR the controller collecting data from the data subject shall, at the time when personal data are obtained, provide the data subject with all the following information:

  • the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  • the contact details of the data protection officer, where applicable;
  • the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  • where applicable, the legitimate interests pursued by the controller or by a third party;
  • the recipients or categories of recipients of the personal data, if any;
  • where applicable, the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  • where applicable, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  • the right to lodge a complaint with a supervisory authority;
  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and
  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Pursuant to Article 14 of the GDPR, where personal data have not been obtained from the data subject, the controller must provide additional categories of information to the data subject, among others, information about the categories of data collected and processed.

6.2.             Derogations to this obligation

Article 31 of Law 4624/2019 provides that the obligation to inform the data subject pursuant to Article 13(3) of the GDPR shall not apply, in addition to the exemption referred to in Article 13(4) of the GDPR, where the information to be provided on further processing:

  • concerns further processing of data stored in a written form in which the controller directly addresses the data subject, the purpose is compatible with the original purpose of collection in accordance with the GDPR, communication with the data subject is not in digital form and the interest of the data subject in being informed according to the circumstances of the case, in particular as regards the context in which the data have been collected, is not deemed to be high;
  • in the case of a public body, would compromise the proper performance of the controller’s tasks within the meaning of points (a) to (e) of Article 23(1) of the GDPR, and the interest of the controller in not providing information overrides the data subject’s interest;
  • would compromise national or public security, and the interest of the controller in not providing information overrides the data subject’s interest;
  • would prevent the establishment, exercise or defence of legal claims, and the interest of the controller in not providing information overrides the interest of the data subject;
  • would compromise the confidentiality of the data transfer to public bodies.

Where no information is given to the data subject in accordance with the above paragraph, the controller shall take appropriate measures to protect the data subject's legitimate interests, including making the information referred to in Article 13(1) and (2) of the GDPR available to the public in an accurate, transparent, intelligible and easily accessible form, in clear and plain language. The controller shall state in writing the reasons for forgoing the provision of information. These subparagraphs do not apply in the cases of the fourth and fifth points of the previous paragraph (legal claims and the confidentiality of transfers to public bodies).

Where no notification is given in the cases referred to in the above paragraphs due to a temporary obstacle, the controller, taking into account the specific conditions of the processing, should comply with the obligation to provide information within a reasonable period of time after the obstacle has been removed, but not later than a period of two (2) weeks.

If, when giving an engagement (mandate) or in the course of it, the client discloses data of third parties to an entity bound by an obligation of professional secrecy, the transmitting entity is not required to provide information to the data subject in accordance with Article 13(3) of the GDPR, unless the data subject's interest in obtaining the information is overriding.

In cases in which the personal data have not been obtained from the data subject, article 32 of Law 4624/2019 provides that the obligation to inform the data subject in accordance with Article 14(1), (2) and (4) of the GDPR shall not apply where the provision of information:

  • in the case of public bodies: (aa) would compromise the proper performance of the controller’s tasks within the meaning of points (a) to (e) of Article 23(1) of the GDPR, or (bb) would compromise national or public security; and, therefore, the data subject’s interest in obtaining the information recedes,
  • in the case of private bodies: (aa) would prejudice the establishment, exercise or defence of legal claims, or the processing includes personal data resulting from contracts established under private law and is aimed at preventing damages caused by criminal offences, unless the data subject has an overriding legitimate interest in obtaining the information; or (bb) the competent public authority has specified to the controller that the publication of the data would compromise national defence, national security and public security, while in the case of data processing for law enforcement purposes, specification pursuant to the first subparagraph is not required.

Where no information is provided to the data subject in accordance with the above paragraph, the controller shall take appropriate measures to protect the data subject’s legitimate interests, including the provision to the public of the information referred to in Article 14(1) and (2) of the GDPR in an accurate, transparent, intelligible and easily accessible form, in clear and plain language. The controller shall state in writing the reasons for which he or she has refrained from providing information.

The obligation to provide information to the data subject in accordance with Article 14(1) to (4) of the GDPR shall also not apply, in addition to the exemptions referred to in Article 14(5) of the GDPR, insofar as fulfilling this obligation would disclose information which by its nature, in particular due to overriding legitimate interests of third parties, must remain confidential.

7.   Processing for a specified purpose

7.1.             Purpose limitation principle

Under the principle of purpose limitation, personal data must be collected for specified, explicit, and legitimate purposes, and not be processed further in a manner incompatible with those purposes.

According to article 24 of Law 4624/2019, the processing of personal data by public bodies for a purpose other than that for which they were collected shall be permitted where such processing is necessary for the performance of the tasks assigned to them and provided that it is necessary:

  • for the verification of the information provided by the data subject because there are reasonable grounds for believing that such information is incorrect;
  • for the prevention of risks to national security, defence or public security, or for securing tax and customs revenue;
  • for the prosecution of criminal offences;
  • for the prevention of serious harm to the rights of another person;
  • for the production of official statistics.

The processing of special categories of personal data, as referred to in Article 9(1) of the GDPR, for a purpose other than that for which they have been collected, shall be permitted provided that the conditions set out in the previous paragraph are fulfilled and one of the exemptions provided for in Article 9(2) of the GDPR or Article 22 of this Law applies.

According to article 25 of Law 4624/2019, the processing of personal data by private bodies for a purpose other than that for which they have been collected shall be permitted, where necessary:

  • for the prevention of threats to national or public security at the request of a public body; or
  • for the prosecution of criminal offences; or
  • for the establishment, exercise or defence of legal claims, unless the interests of the data subject override the grounds for the processing of those data.

The processing of special categories of personal data, as referred to in Article 9(1) of the GDPR, for a purpose other than that for which they have been collected, shall be permitted provided that the conditions set out in the previous paragraph are fulfilled and one of the exemptions provided for in Article 9(2) of the GDPR or Article 22 of this Law applies.

8.   Data Retention & Deletion requirements

8.1.             Storage limitation principle

Pursuant to Article 5 of the GDPR data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed and must therefore be deleted as soon as it is no longer necessary for these purposes. However, the regulation does not stipulate a concrete retention period.

Greek data protection legislation lacks more specific rules for the determination of data retention periods, let alone a coherent list of retention periods per category of personal data. Nevertheless, statutory provisions in several laws provide for retention periods for certain categories of data, such as tax-related data, social security – related data, health data and penal records.

8.2.             Data Erasure

Article 34 of Law 4624/2019 stipulates that, in addition to the exemptions referred to in Article 17(3) of the GDPR, the data subject's right and the controller's obligation to erase personal data under Article 17(1) of the GDPR shall not apply if, in the case of non-automated processing, erasure is not possible due to the particular nature of the storage or is only possible with disproportionate effort, and the data subject's interest in erasure is not considered significant. In such cases erasure is replaced by restriction of processing in accordance with Article 18 of the GDPR. These subparagraphs do not apply if the personal data have been unlawfully processed.

In addition to points (b) and (c) of Article 18(1) of the GDPR, the first and second subparagraphs of the previous paragraph apply accordingly in the cases of points (a) and (d) of Article 17(1) of the GDPR, to the extent that the controller has reason to believe that erasure would prejudice the legitimate interests of the data subject. The controller must inform the data subject of the restriction of processing, unless doing so is impossible or would involve a disproportionate effort.

In addition to point (b) of Article 17(3) of the GDPR, the first paragraph above (article 34 § 1) applies accordingly in the case of point (a) of Article 17(1) of the GDPR if erasure would conflict with statutory or contractual retention periods.

9.   Data minimization & Accuracy

9.1.             Data minimization

Pursuant to Article 5(1)(c) of the GDPR, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

9.2.             Data accuracy

Pursuant to Article 5(1)(d) of the GDPR, personal data must be accurate and, where necessary, kept up to date. Greek law contains no national provisions further specifying either the accuracy principle or the data minimisation principle.

10.  Privacy by Design

10.1.         Data protection by design

Article 25 of the GDPR sets out the data protection by design requirements for data controllers, according to which the controller must (1) implement appropriate technical and organisational measures which are designed to implement the data protection principles and (2) integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects. Both appropriate measures and necessary safeguards are meant to serve the same purpose of protecting the rights of data subjects and ensuring that the protection of their personal data is built into the processing.

According to Recital 78 GDPR, when developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.

Furthermore, according to the EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default:

  • Data protection by design must be implemented at the time of determination of the means for processing.
  • Controllers must take into consideration factors such as the nature, scope, context and purpose of processing when determining the appropriate technical and organisational measures that effectively implement the principles into the processing.
  • The requirement to implement the principles in an effective manner means that controllers must be able to demonstrate that they have implemented dedicated measures to protect these principles, and that they have integrated specific safeguards that are necessary to secure the rights and freedoms of data subjects.

Greek data protection legislation lacks more specific rules in relation to data protection by design.

10.2.         Data protection by default

Pursuant to Article 25(2) of the GDPR, data protection by default means that the controller shall implement appropriate technical and organisational measures for ensuring:

  • that, by default, only personal data which are necessary for each specific purpose of the processing are processed (e.g., the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility), and
  • that the principles of transparency, lawfulness, fairness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality are followed throughout the life-cycle of processing personal data within the data controller’s organisation.

According to Recital 78 GDPR, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.

Greek data protection legislation lacks more specific rules in relation to data protection by default.

11.  Security & Data Breach

11.1.         Principle of data security

Article 5 of the GDPR provides that data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.

To comply with the integrity and confidentiality principle, article 32 of the GDPR provides that the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data (including the encryption of networks and transport channels, such as the use of a VPN);
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, via measures implemented to:
    • protect physical access to personal data (e.g., alarm, key or badge access system),
    • secure terminals (e.g., automatic screen lock, firewalls, antivirus),
    • manage authentication (e.g., login/password, SSO, certificates),
    • manage access to the personal data (e.g., provisioning/deprovisioning process, role-based access control), and
    • monitor access logs (e.g., monitoring of login/logout events, database queries and failed authentication attempts);
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident (e.g., via a business continuity plan / disaster recovery plan, backups and replication of data); and
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing (e.g., regular penetration tests and security audits).
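The list above names pseudonymisation as a security measure, and article 30 § 4 of Law 4624/2019 (section 3) requires research results to be pseudonymised before publication, but neither says how the choice of technique matters. The following Python is an added example, not code from this page, the HDPA or any controller mentioned here. It shows that an unkeyed hash of an identifier drawn from a small, structured space (phone numbers sharing a prefix) is reversible by simple enumeration, whereas a keyed HMAC whose key is stored apart from the data is not, while it still preserves the per-subject linkage that fault analytics needs and lets the key holder locate a subject's rows to service access or erasure requests. The records, the number prefix, the key and the fault codes are constructed; the assumption that every number in the export shares one 7-digit prefix is hypothetical and only keeps the brute force fast.

```python
import hashlib
import hmac
import secrets

# Constructed sample export (not real data): a fault-management table keyed
# by subscriber number. Rows 0 and 2 belong to the same subscriber.
RECORDS = [
    {"msisdn": "69900000017", "fault": "DSL_SYNC_LOSS"},
    {"msisdn": "69900000042", "fault": "VOLTE_REG_FAIL"},
    {"msisdn": "69900000017", "fault": "DSL_SYNC_LOSS"},
]

# Hypothetical assumption: every number in the export shares this prefix, so
# an attacker holding the file only has to try the 10**4 possible suffixes.
PREFIX = "6990000"
SUFFIX_SPACE = 10 ** 4


def naive_pseudonym(msisdn):
    """Unkeyed SHA-256 of the identifier. Looks opaque, but the input space is tiny."""
    return hashlib.sha256(msisdn.encode()).hexdigest()


def invert_by_enumeration(pseudonym):
    """Attacker's view: recompute the unkeyed hash for every candidate number
    and return the match, or None if no candidate hashes to the pseudonym."""
    for i in range(SUFFIX_SPACE):
        candidate = f"{PREFIX}{i:04d}"
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def keyed_pseudonym(msisdn, key):
    """HMAC-SHA256 under a secret key that is stored separately from the
    dataset (the 'additional information' of GDPR Article 4(5))."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed pseudonym. The same
    subscriber always maps to the same pseudonym under one key, so analytics
    can still group faults by subject without seeing the number."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k != "msisdn"}
        row["subject"] = keyed_pseudonym(r["msisdn"], key)
        out.append(row)
    return out


def records_for_subject(pseudonymised, msisdn, key):
    """Key holder's view: pseudonymised data is still personal data, so the
    controller must be able to find one subject's rows (e.g. for an access or
    erasure request) by recomputing the pseudonym with the key."""
    target = keyed_pseudonym(msisdn, key)
    return [r for r in pseudonymised if r["subject"] == target]


def new_key():
    """Fresh 256-bit key. Use a distinct key per publication or recipient so
    that pseudonyms in published results cannot be joined back to the
    operational dataset or to another recipient's copy."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    ops_key = new_key()
    table = pseudonymise(RECORDS, ops_key)
    # The unkeyed hash falls to enumeration; the keyed pseudonym does not.
    print("unkeyed hash inverted to:", invert_by_enumeration(naive_pseudonym("69900000042")))
    print("keyed pseudonym inverted to:", invert_by_enumeration(table[1]["subject"]))
    print("rows for 69900000017:", len(records_for_subject(table, "69900000017", ops_key)))
```

The practitioner's check is the pair of calls in the `__main__` block: if an identifier can be recovered from a published or leaked pseudonym without any secret, the data was hashed, not pseudonymised. Keeping the key in a separate store (an HSM or a secrets manager) rather than next to the table is what makes the "additional information" genuinely separate; rotating to a fresh key per disclosure is what stops two disclosures from being linked to each other.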

11.2.         Data breach management

In accordance with GDPR Article 4, a “personal data breach” means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Under Article 33, the GDPR requires controllers to handle every personal data breach in the context of the controllers’ obligations regarding the security of processing. In case the breach is likely to result in a risk to the rights and freedoms of the persons concerned, the controllers must notify the breach in question to the HDPA.

Such notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of it. The notification must contain specific information (e.g. nature/scope of the breach, categories of persons affected, cause and consequences of the breach, measures taken to address it, etc.). Even if all the above information is not available at the time of submitting the notification, the latter should be submitted as an initial notification to be subsequently updated without undue delay (by submitting a supplementary notification).

In addition, under Article 34 GDPR, when the data breach is likely to result in a high risk to the rights and freedoms of natural persons concerned, the controller must communicate the breach to those persons too without undue delay. Such communication is made regardless of the above mentioned notification to the HDPA (which must be submitted even if the relevant risk is not considered high). The communication to the natural persons should be made in the most appropriate and effective manner, in the form of personalised information and not by a communication of a general nature, insofar as this is possible.

Article 33 § 5 of Law 4624/2019 provides that, in addition to the exemptions referred to in Article 34(3) of the GDPR, the obligation to communicate a breach to the data subject under Article 34 of the GDPR shall not apply to the extent that the communication would entail the disclosure of information which, by law or by reason of its nature, in particular due to overriding legitimate interests of third parties, must remain confidential. By way of derogation from this rule, the data subject must nevertheless be informed in accordance with Article 34 of the GDPR where his or her interests, in particular taking into account imminent damage, override the interest in maintaining confidentiality.

According to the online guidance of the HDPA, even if the data breach is unlikely to result in a risk to the natural persons concerned, and therefore it is not required to submit the above notification to the HDPA, the controller must record the data breach and keep his or her own internal record.

The HDPA may in any case order the controller to communicate the data breach to the natural persons (Article 58 (2) (e) GDPR).

To notify a data breach to the HDPA the obligated entity must first log in to the HDPA online portal by filling in and submitting the relevant electronic form provided. To log in to the online portal the notifying entity must use the tax registry credentials available to controllers established in Greece.

The HDPA allows the submission of data breach notifications in English either in cases of breach in the context of cross-border processing or when Article 3 (2) or (3) GDPR applies. In case the controllers are not established in Greece, and therefore they cannot log in to the online portal by using tax registry credentials, the relevant notification can be submitted via email.

Following notification of a major data breach, on 31 January 2022, the HDPA imposed its highest ever fine, amounting to 9.25 million euros, on an incumbent telecommunications group. The fines were the outcome of an investigation by the HDPA into a major data breach that occurred in 2020 after a successful cyberattack on the group’s information systems. The breach, which was notified to the DPA in time, affected more than 10 million OTE Group and non-OTE Group subscribers and concerned large sets of personal data per subscriber, including financial and telecommunications traffic data. The leaked databases were processed by Cosmote for network fault management and general data analytics purposes. The HDPA examined both the data breach and the lawfulness of the data processing in question. Among others, the DPA reviewed the data security measures implemented by OTE and Cosmote on the affected databases and identified six significant vulnerabilities in their level of security. It also found that OTE and Cosmote did not have procedures to regularly test, assess and evaluate the effectiveness of their measures in order to ensure the security of the processing. Taking its findings into account, the HDPA issued Decision no. 4/2022, ruling among others that the investigated entities of the Group infringed article 32 GDPR due to inadequate security measures in relation to the infrastructure used in the context of the incident.

12. Data Subject Rights

Data subjects have the following rights with regard to their personal data vis-à-vis data controllers and data processors:

  1. The right to be informed with regard to processing of his / her personal data (GDPR Articles 13 and 14)
  2. The right to have access to said personal data (GDPR Article 15)
  3. The right to get inaccurate or incomplete personal data rectified (GDPR Article 16)
  4. The right to get his or her personal data erased (“Right to be forgotten”) under certain conditions (GDPR Article 17)
  5. The right to request the restriction of the processing of his / her personal data under certain conditions (GDPR Article 18)
  6. The right to request that the controller communicates to any recipient to whom the personal data have been disclosed any rectification, erasure or restriction of the personal data, unless this proves impossible or involves a disproportionate effort (GDPR Article 19)
  7. The right to receive communication of his/her personal data which he/she has provided to the controller, in a structured, commonly used and machine-readable format, and to transmit this data to another controller, when the Processing is based on consent or on a contract and the processing is carried out by automated means (“Right to portability”) (GDPR Article 20)
  8. The right to object for compelling legitimate grounds relating to the data subject’s particular situation to the processing of personal data based on the legitimate interest of the controller (GDPR Article 21 § 1)
  9. The right to object, at any time of the processing, free of charge and without having to state legitimate grounds, to the processing of personal data for the purposes of direct marketing (including Profiling to the extent that it is related to such direct marketing) (GDPR Article 21 § 2)

Under article 29 § 2-4 of Law 4624/2019, the right of access, the right to rectification, the right to restriction of processing, the right to data portability and the right to object of the data subject may be limited provided that their exercise is likely to render impossible or seriously impair the achievement of the above-mentioned purposes and would require undue effort.

Furthermore, article 33 of Law 4624/2019 provides that the right of access by the data subject in accordance with Article 15 of the GDPR shall not apply, where:

  • the data subject is not informed in accordance with point (bb) of indents (a) and (b) of paragraph 1 of Article 32 of the Law; or
  • the data (aa) were recorded only because they cannot be erased due to retention requirements provided for in legal or regulatory provisions, or (bb) only serve purposes of protection or control of data, and the provision of information would require a disproportionate effort, and the necessary technical and organisational measures render impossible their processing for other purposes.

The grounds for refusing to provide information to the data subject should be documented. Refusal to provide information should be justified to the data subject unless the disclosure of the factual or legal reasons on which the refusal is based would compromise the purpose pursued by the refusal to provide information. Data stored for the purpose of providing information to the data subject and for the preparation of such provision may be processed solely for that purpose and for purposes of data protection; the processing for other purposes shall be limited in accordance with Article 18 of the GDPR.

According to the same article, the right of access by the data subject to personal data that are neither subject to automated nor to non-automated processing by a public authority, and stored in a filing system, shall only apply if the data subject provides information allowing the retrieval of data and the effort required to provide the information is not disproportionate to the interest of the data subject in being informed.

The data subject’s right to be informed under Article 15 of the GDPR shall not apply to the extent that the provision of information would entail the disclosure of information which, according to the law or by reason of its nature, in particular due to overriding legitimate interests of third parties, should remain confidential.

Finally, the obligation to notify under Article 34 of the GDPR, with the exception of the exemption referred to in Article 34(3) of the GDPR, shall not apply to the extent that the obligation to notify would entail the disclosure of information which, according to the law or by reason of its nature, in particular due to overriding legitimate interests of third parties, should remain confidential. By way of derogation from the previous subparagraph, the data subject must be informed, in accordance with Article 34 of the GDPR, where his or her interests, in particular taking into account imminent damage, override the interest relating to maintaining confidentiality.

As far as the right to erasure is concerned, article 34 of Law 4624/2019 stipulates that, if, in the case of non-automated processing, erasure is not possible due to the particular nature of storage or is only possible with disproportionate effort, and the interest of the data subject in erasure is not considered significant, the data subject’s right and the controller’s obligation to erase personal data in accordance with Article 17(1) of the GDPR, shall not apply, with the exception of the exemptions referred to in Article 17(3) of the GDPR. In this case, erasure shall be replaced by restriction of processing in accordance with Article 18 of the GDPR. The above subparagraphs shall not apply if the personal data have been unlawfully processed.

In addition to points (b) and (c) of Article 18(1) of the GDPR, the first and second subparagraphs of the previous paragraph shall apply accordingly in the case of points (a) and (d) of Article 17(1) of the GDPR, to the extent that the controller has reason to believe that the erasure would be prejudicial to the legitimate interests of the data subject. The controller shall inform the data subject of the restriction of processing where such information is not impossible or does not involve a disproportionate effort.

In addition to point (b) of Article 17(3) of the GDPR, paragraph 1 shall apply accordingly in the case of point (a) of Article 17(1) of the GDPR, if erasure would be in conflict with statutory or contractual retention periods.

Article 35 of the Law also provides that the right to object under Article 21(1) of the GDPR shall not be applicable where a public body is concerned, if there is a compelling public interest in the processing which overrides the interests of the data subject or if processing is mandatory by law.

13. Transfer of personal data

13.1.         International data transfers

The operation of having personal data transferred from a Member State to a third country constitutes, in itself, processing of personal data (C-311/18 (Schrems II), paragraph 83).

Articles 44-50 of the GDPR provide the conditions for the transfer of data to third countries, with the aim to ensure that the level of protection of natural persons guaranteed by the Regulation is not undermined (recital 101 and article 44 of the GDPR).

Specifically, a level of protection of natural persons essentially equivalent to that guaranteed within the European Union by the GDPR, read in the light of the Charter, must be guaranteed (C-311/18 (Schrems II), paragraphs 92 and 93).

The European Commission has the power to determine, on the basis of article 45 of the GDPR whether a country outside the EU offers an adequate level of data protection.

The adoption of an adequacy decision involves:

  • A proposal from the European Commission;
  • An opinion of the European Data Protection Board;
  • An approval from representatives of EU countries;
  • The adoption of the decision by the European Commission.

The European Commission has so far recognised the following countries as providing adequate protection[11]:

  • Andorra;
  • Argentina;
  • Canada (commercial organisations);
  • Faroe Islands;
  • Guernsey;
  • Israel;
  • Isle of Man;
  • Japan;
  • Jersey;
  • New Zealand;
  • Switzerland;
  • Uruguay;
  • United Kingdom;
  • South Korea (forthcoming).

13.2.         Data transfer requirements

In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided the following appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (article 46 of the GDPR):

  • Binding corporate rules;
  • EC or Supervisory Authority standard data protection clauses (“SCCs”);
  • Codes of conduct; or
  • Certification mechanisms.

These safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default (recital 108 of the GDPR).

The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses (recital 109 of the GDPR).

When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights, in particular to protect themselves from the unlawful use or disclosure of that information (recital 116 of the GDPR). The controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred, so that they will continue to benefit from fundamental rights and safeguards (recital 114 of the GDPR).

In the absence of an adequacy decision or of appropriate safeguards data transfers to third countries shall take place only on one of the following conditions (article 49 § 1 of the GDPR):

  • the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
  • the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims;
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
  • the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Even if a derogation is not applicable, a transfer to a third country or an international organisation may take place only if the following conditions are fulfilled (article 49 § 1 of the GDPR):

  • the transfer is not repetitive;
  • the transfer concerns only a limited number of data subjects;
  • the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject; and
  • the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
  • In that case, the controller shall inform the supervisory authority of the transfer.
  • The controller shall also inform the data subject of the transfer and of the compelling legitimate interests pursued.

Greek data protection legislation lacks more specific rules in relation to data transfers to third countries or international organisations.

14. Data Protection Officer

Article 37 § 1 GDPR provides that the data controller and the data processor have the statutory obligation to designate a data protection officer in any case where:

  • Public Authorities – The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • Regular and Systematic Monitoring of Data Subjects – The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • Sensitive Data on a Large Scale – The core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

According to Art29 WP Guidelines on DPOs[12], “core activities” can be considered as the key operations necessary to achieve the controller’s or processor’s goals. For example, the core activity of a hospital is to provide health care. However, a hospital could not provide healthcare safely and effectively without processing health data, such as patients’ health records. Therefore, processing these data should be considered to be one of any hospital’s core activities and hospitals must therefore designate DPOs. On the other hand, all organisations carry out certain activities, for example, paying their employees or having standard IT support activities. These are examples of necessary support functions for the organisation’s core activity or main business. Even though these activities are necessary or essential, they are usually considered ancillary functions rather than the core activity (p. 7 of the ART29WP Guidelines).

Recital 91 of the GDPR lays down that large-scale processing operations aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk. Nevertheless, the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer.

According to the ART29WP Guidelines, the following factors should, in particular, be considered when determining whether the processing is carried out on a large scale: (i) the number of data subjects concerned, either as a specific number or as a proportion of the relevant population; (ii) the volume of data and/or the range of different data items being processed; (iii) the duration, or permanence, of the data processing activity; (iv) the geographical extent of the processing activity. Examples of large-scale processing include: (a) processing of patient data in the regular course of business by a hospital; (b) processing of travel data of individuals using a city’s public transport system (e.g. tracking via travel cards); (c) processing of real time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in providing these services; (d) processing of customer data in the regular course of business by an insurance company or a bank; (e) processing of personal data for behavioural advertising by a search engine; (f) processing of data (content, traffic, location) by telephone or internet service providers. Examples that do not constitute large-scale processing include: (1) processing of patient data by an individual physician; (2) processing of personal data relating to criminal convictions and offences by an individual lawyer.

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, the Guidelines provide that it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes (recital 24 of the GDPR). Thus, the concept of ‘monitoring of the behaviour of data subjects’ includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. Examples of activities that may constitute a regular and systematic monitoring of data subjects: operating a telecommunications network; providing telecommunications services; email retargeting; data-driven marketing activities; profiling and scoring for purposes of risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention, detection of money-laundering); location tracking, for example, by mobile apps; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed circuit television; connected devices e.g. smart meters, smart cars, home automation, etc.

Under article 6 of Law 4624/2019, public bodies are required to designate a data protection officer. A single DPO may be appointed for several public bodies, taking into account their organisational structure and size. The DPO shall be selected on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices, and the ability to fulfil the tasks referred to in the Law. The DPO may be an employee of the public body in any capacity, or fulfil his or her tasks on the basis of a service contract. The public body shall publish the contact details of the DPO and communicate them to the Authority, unless this is not permitted for reasons of national security or for the purposes of maintaining confidentiality, as provided for by law.

Article 7 of the Law further specifies the rules about the position of the DPO in public bodies. According to its provisions, the public body shall ensure that the DPO is involved, properly and in a timely manner, in all issues relating to the protection of personal data. The public body shall support the DPO in performing the tasks referred to in Article 8 by providing resources necessary to carry out those tasks, ensuring access to personal data, to processing operations, and to maintain his or her expert knowledge. The public body shall ensure that the DPO does not receive any instructions regarding the exercise of his or her tasks, reports directly to the highest management level of the public body, and is not dismissed or penalised by the controller for performing his or her tasks. Termination of the employment contract of the DPO, or revocation of the duties assigned to him or her, where the DPO is also an employee of the public body, shall only be allowed for good reason. After the expiry of his or her employment contract as a DPO, he or she shall not be dismissed for one (1) year, unless the public body has good reason to terminate his or her contract. The data subjects may consult the DPO on any matter relating to the processing of personal data and the exercise of their rights under the GDPR, this Law and any other legislation on the protection of personal data. The DPO shall be bound by secrecy or confidentiality concerning the identity of data subjects and the circumstances in which conclusions can be drawn as to the data subject, unless the identity of the data subject is disclosed by the subject itself. If the DPO, in performing his or her tasks, becomes aware of personal data for which the head of the public body has the right to refuse to give evidence as a witness for professional reasons, that right shall also apply to the DPO and his or her assistants.

Finally, article 8 of Law 4624/2019 lays down the tasks of the DPO in public bodies. It provides that, in addition to his or her tasks under the GDPR, the DPO shall have at least the following tasks:

  • to inform and advise the public body and the employees, who carry out the processing, of their obligations under the provisions of this Law and any other legislation on the protection of personal data;
  • to monitor compliance with the provisions of this Law and any other legislation on the protection of personal data, and with the personal data protection policies of the public body, including accountability and the related audits;
  • to provide advice as regards the data protection impact assessment and monitor its implementation;
  • to cooperate with the Authority;
  • to act as the contact point with the Authority on issues relating to processing, including the prior consultation, and to consult the Authority, where appropriate, with regard to any other matter.

Article 8 of Law 4624/2019 also provides that the tasks of the DPO, who may be designated by judicial and prosecutorial authorities, shall not concern the processing operations carried out by judicial and prosecutorial authorities acting in their judicial capacity.

According to the Law, the DPO may also fulfil other tasks and duties. The controller or processor shall ensure that the exercise of any such tasks and duties does not result in a conflict of interests. The DPO shall, in the performance of his or her tasks, have due regard to the risk associated with processing, the nature, scope, context and purposes of processing.

15. Data Protection Authority & Enforcement

15.1.         HDPA contact details

According to article 9 of Law 4624/2019, the Supervisory Authority for the application of the provisions of the GDPR, Law 4624/2019 and other regulations relating to the protection of natural persons with regard to the processing of their personal data on the Greek territory is the “Hellenic Data Protection Authority” (“HDPA”). The Authority is an independent public authority under Article 9A of the Constitution and has its seat in Athens.

The contact details of the HDPA are as follows:

Hellenic Data Protection Authority

Kifissias 1-3, PC 115 23, Athens, Greece

Telephone: +30-210 6475600

E-mail: contact@dpa.gr

Website: https://www.dpa.gr/

15.2.         Powers of the DPA

Chapter 6 of the GDPR provides information about the competencies and tasks of DPAs: the DPAs are responsible for monitoring the application of this Regulation, to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union.

In addition to its tasks under Article 57 GDPR, the HDPA is empowered by article 14 of Law 4624/2019 to:

  • be competent for the monitoring and enforcement of Law 4624/2019 and other regulations relating to the protection of individuals with regard to the processing of personal data,
  • take appropriate action to promote public awareness and understanding of the risks, safeguards and rights in relation to the processing of personal data,
  • provide an opinion on any provision to be included in a law or regulatory act relating to the processing of personal data. The consultation shall take place at the drafting stage of the regulation at a time and in a manner that allows for a timely opinion by the Authority and the relevant consultation on the content of the draft regulation,
  • issue guidelines and make recommendations on any matter concerning the processing of personal data, without prejudice to the tasks of the EDPB in accordance with Article 70 of the GDPR,
  • upon submission of a specific request, inform the data subject of the exercise of his or her rights in accordance with this Law and other regulations for the protection of individuals with regard to the processing of personal data. For that purpose, it shall cooperate with the supervisory authorities of other Member States of the European Union,
  • issue standard documents and complaint forms,
  • handle complaints lodged by the data subject, or by a body, organisation or association, and inform the complainant of the progress and the outcome of the investigation or inspection within a reasonable period,
  • conduct, ex officio or following a complaint, investigations or inspections regarding the application of this Law and other regulations relating to the protection of individuals with regard to the processing of personal data, including on the basis of information received from another public authority,
  • monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular developments in information and communication technologies and commercial practices,
  • contribute to the activities of the EDPB.

In exercising its powers, the Authority shall file without further action any requests, questions or complaints which are manifestly vague, unfounded or understated, or are submitted abusively or anonymously. The Authority shall inform the data subjects and the applicants of its actions. Without prejudice to the time limits set out in the GDPR, the priority for examining requests, questions and complaints shall be assessed by the Authority on the basis of the relevance and general interest of the matter.

In addition to the powers laid down in Article 58 of the GDPR, article 15 of Law 4624/2019 lays down the investigative and corrective powers of the HDPA. According to its provisions, the Authority shall conduct, ex officio or following a complaint, investigations and audits relating to compliance with this Law, during which the technological infrastructure and other automated or non-automated means supporting the processing of personal data are subject to controls. In carrying out such investigations and inspections, the Authority shall have the power to obtain, from the controller and the processor, access to all personal data processed and to all information necessary for the purposes of such audits and the performance of its tasks, and no type of confidentiality may be relied upon against it. The Authority shall, by way of exception, not have access to data identifying associates or staff employed in entities contained in records held for national security purposes or for the purpose of investigating particularly serious crimes.

The audits shall be carried out by a member or members of the Authority, or employees of the Secretariat’s department of scientific staff who are specially authorised to that effect by the President of the Authority. The President and the members of the Authority, as well as the Secretariat’s specially mandated officials shall be deemed as special investigating officers having all the rights provided for in the Code of Criminal Procedure. They shall be entitled to carry out a preliminary investigation, even without an order by the Public Prosecutor, in case of an act caught in flagrante delicto, or a misdemeanor, or if there is a risk as a result of any delay. The public authorities shall assist the Authority in carrying out the audit. The President of the Authority may grant the power to carry out audits to members and staff of a supervisory authority of another Member State of the European Union (‘seconding supervisory authority’) in the framework of joint operations carried out under Article 62 of the GDPR and Article 79 of this Law.

The Authority shall, for the purposes of this Law: (a) issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Law; (b) order the controller or processor to comply with the provisions of this Law in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data; (c) order and impose a temporary or definitive limitation, or even a ban on the processing of personal data; (d) order and impose that documents, filing systems, equipment or means for processing personal data be delivered to it, as well as their content in the case provided for in subparagraph (c) of this paragraph; (e) seize documents, information, filing systems for each piece of equipment and means of personal data breach, and their content which becomes known to the Authority in the exercise of its supervisory powers. The Authority shall be the sequestrator of the above material until a decision has been reached by the competent judicial and prosecutorial authorities.

In addition to the corrective powers provided for in Article 58(2) of the GDPR, the HDPA shall order the controller or processor, or a recipient, or a third party, to discontinue the processing of personal data or to return or lock (block) the relevant data or to destroy the filing system or the relevant data.

The HDPA has the power to impose the administrative penalties provided for in Article 83 of the GDPR and article 39 of Law 4624/2019. Where the protection of the individual against the processing of personal data concerning him or her requires immediate decision-making, the President may, at the request of the person concerned or ex officio, issue a temporary order for immediate temporary limitation, in whole or in part, of the processing or the operation of the file. The order shall apply until the Authority reaches its final decision.

In order to ensure compliance with the provisions of the GDPR, this Law and other regulations relating to the protection of the data subject with regard to the processing of personal data, the Authority, without prejudice to Chapter VII of the GDPR, shall adopt administrative regulatory acts to regulate the specific, technical and detailed matters referred to in those acts. The regulatory acts of the Authority, which shall not be published in the Government Gazette, shall be published on the Authority’s website.

15.3.         Notification requirements to the DPA

The GDPR and Law 4624/2019 do not contain provisions requiring prior authorisation of data processing activities by the HDPA.

Under Article 33, the GDPR requires controllers to handle every personal data breach in the context of the controllers’ obligations regarding the security of processing. In case the breach is likely to result in a risk to the rights and freedoms of the persons concerned, the controllers must notify the breach in question to the HDPA.

Such notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of it. The notification must contain specific information (e.g. nature/scope of the breach, categories of persons affected, cause and consequences of the breach, measures taken to address it, etc.). Even if all the above information is not available at the time of submitting the notification, the latter should be submitted as an initial notification to be subsequently updated without undue delay (by submitting a supplementary notification).

Prior consultation with the HDPA is set out in Article 36(1) GDPR, where a data protection impact assessment (hereafter DPIA) (Article 35 GDPR) indicates that processing operations involve a high risk which the controller cannot adequately mitigate by appropriate measures (Recitals 84 and 94 GDPR).

The controller can submit a prior consultation request to the HDPA provided that the controller has verified that the necessary formal criteria for completeness of the DPIA relating to the request for consultation are met under the relevant framework included in section “Data protection impact assessment”.

The prior consultation request must include at least a detailed description of residual high risks and their potential consequences as well as a detailed documentation of the reasons for which:

  • measures to reduce the high risk involved to an acceptable level cannot be adopted, especially in terms of available technologies and costs of implementation (Recitals 84 and 94 GDPR), and
  • it is necessary to perform the processing despite the residual high risks. It must also include what is set out in Article 36(3) GDPR and have the DPIA attached to it.

15.4.         Notification requirements to other governmental bodies

Article 12 of Law 3471/2006 provides that, in case of a personal data breach, the provider of publicly available electronic communications services is required to notify both the HDPA and the Confidentiality of Communications Authority (“CCA”) of the breach without undue delay. The notification to the competent authorities includes at least a description of the nature of the personal data breach and the contact points from which further information can be obtained. It must also describe the consequences of the breach and the measures suggested or taken by the provider to deal with it.

When the personal data breach may have adverse consequences for the personal data or the private life of the subscriber or another person, the provider notifies the affected subscriber or person without undue delay. This notification includes at least a description of the nature of the personal data breach and the contact points from which further information can be obtained, as well as recommendations that can limit the potential adverse effects of the personal data breach.

Notification of the affected subscriber or person is not necessary if the provider has demonstrated to the competent authorities in a satisfactory manner that it has applied the appropriate technical security measures and that these measures were applied to the data concerned by the security breach. These technological protection measures must at least include secure encryption of the data, so that unauthorised access is not possible. If the provider has not made the notification under paragraph 6 of the same article, the competent authorities may, after examining the possible adverse consequences of the breach, require it to do so.

The HDPA and the CCA have issued the Joint Act on the Obligations of Telecommunications Operators regarding art. 7 of Law 3917/2011 on the data protection and data security measures, which sets out the requirements about the notification of personal data breaches, the format of this notification and the way according to which this notification must be executed.

Providers of publicly available electronic communications services are required to keep a file of personal data breaches that includes a description of the relevant incidents, their effects and the corrective actions undertaken, with sufficient detail to enable the competent authorities to verify compliance with the provisions of that article. This file includes only the information necessary for this purpose.

In addition, Law 4577/2018, which transposes into Greek law Directive 2016/1148/EU of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (“NIS Directive”), imposes important system and network security obligations on businesses in the fields of energy, transport, credit, financial infrastructure, health, water and digital infrastructure, e-commerce and information society services. Among others, the Law obliges businesses falling within its scope to notify the National Cybersecurity Authority and the CSIRT of incidents with a serious impact on business continuity. The notification must be made without undue delay and be accompanied by additional information to the Authority regarding the severity of the relevant incident.

Furthermore, financial institutions are required to notify and report major security incidents to the Bank of Greece and the Hellenic Capital Markets Commission, which act as supervisory authorities of the financial sector.

16.   Enforcement measures

16.1.         Administrative sanctions

Articles 15 and 39 of Law 4624/2019 provide the following investigative and corrective powers of the HDPA:

  • The Authority shall conduct, ex officio or following a complaint, investigations and audits relating to compliance with this Law, during which the technological infrastructure and other automated or non-automated means supporting the processing of personal data are subject to controls. In carrying out such investigations and inspections, the Authority shall have the power to obtain, from the controller and the processor, access to all personal data processed and to all information necessary for the purposes of such audits and the performance of its tasks, and no type of confidentiality may be relied upon against it. The Authority shall, by way of exception, not have access to data identifying associates or staff employed in entities contained in records held for national security purposes or for the purpose of investigating particularly serious crimes.
  • The Authority shall, for the purposes of this Law: (a) issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of this Law; (b) order the controller or processor to comply with the provisions of this Law in a specified manner and within a specified period, in particular by ordering the rectification or erasure of personal data; (c) order and impose a temporary or definitive limitation, or even a ban on the processing of personal data; (d) order and impose that documents, filing systems, equipment or means for processing personal data be delivered to it, as well as their content in the case provided for in subparagraph (c) of this paragraph; (e) seize documents, information, filing systems for each piece of equipment and means of personal data breach, and their content which becomes known to the Authority in the exercise of its supervisory powers. The Authority shall be the sequestrator of the above material until a decision has been reached by the competent judicial and prosecutorial authorities.
  • In accordance with Article 58(2) of the GDPR, the Authority may, in a specific reasoned decision and following a previous notice summoning the interested parties to provide explanations, impose on bodies of the public sector, as defined in indent (a) of Article 14(1) of Law 4270/2014 (Government Gazette A’ 143), with the exception of public undertakings and bodies referred to in Chapter A of Law 3429/2005 (Government Gazette A’ 314), in their capacity as data controllers, an administrative fine of up to ten million euros (EUR 10,000,000) for infringements relating to: (a) indent (a) of Article 83(4) of the GDPR, with the exception of Articles 8, 27, 29, 42, 43 of the GDPR, (b) Article 83(5) and (6) of the GDPR, with the exception of Articles 17, 20, 47, 90 and 91 of the GDPR, (c) Articles 5, 6, 7, 22, 24, 26, 27 (with the exception of paragraph 7 thereof), Articles 28 to 31, and indent (a) of Article 32(1), Articles 33 to 35 of this Law. When deciding whether to impose an administrative fine and determining its amount, in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them, (b) any action taken by the body of the public sector to mitigate the damage suffered by data subjects, (c) any relevant previous infringements by the body of the public sector, (d) the categories of personal data affected by the infringement, (e) the manner in which the infringement became known to the Authority, in particular whether, and if so to what extent, the body of the public sector notified the infringement and (f) where measures referred to in Article 58(2) of the GDPR have previously been ordered against the body of the public sector, with regard to the same infringement, the degree of compliance with those measures. If a body of the public sector, for the same or linked processing operations, infringes several provisions of the GDPR or of this Law, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
  • In addition to the corrective powers provided for in Article 58(2) of the GDPR, the Authority shall order the controller or processor, or a recipient, or a third party, to discontinue the processing of personal data or to return or lock (block) the relevant data or to destroy the filing system or the relevant data.
  • The Authority shall impose the administrative penalties provided for in Articles 82-83 of the GDPR.
  • Where the protection of the individual against the processing of personal data concerning him or her requires immediate decision-making, the President may, at the request of the person concerned or ex officio, issue a temporary order for immediate temporary limitation, in whole or in part, of the processing or the operation of the file. The order shall apply until the Authority reaches its final decision.

To date, the highest administrative fine imposed by the HDPA amounted to EUR 9,150,000; it was imposed on an incumbent electronic communications group of companies and concerned multiple violations of the GDPR.

16.2.         Criminal Sanctions

Article 38 of Law 4624/2019 provides for the following criminal sanctions:

  • Anyone who, without legal grounds: (a) interferes in any way with a data filing system and in so doing is made aware of such data; (b) copies, removes, alters, harms, collects, registers, organises, structures, stores, adapts, modifies, recovers, seeks information, correlates, combines, restricts, erases, destroys, shall be punished with imprisonment of up to one (1) year, unless the act is punishable with a more severe penalty under another provision.
  • Anyone who uses, transmits, disseminates, discloses by transmission, makes available, announces or makes accessible to unauthorised persons personal data acquired pursuant to indent (a) of paragraph 1, or allows unauthorised persons to become aware of such data, shall be punished with imprisonment, unless the act is punishable with a more severe penalty under another provision.
  • If the act referred to in the previous paragraph relates to special categories of personal data referred to in Article 9(1) of the GDPR or data relating to criminal convictions and offences or relevant security measures referred to in Article 10 GDPR, the offender shall be punished with imprisonment of at least one (1) year and a fine of up to one hundred thousand euros (EUR 100,000), unless the act is punishable with a more severe penalty under another provision.
  • The person who has committed the acts referred to in the previous paragraphs shall be punished with incarceration of up to ten (10) years, if he or she intended to secure for himself or herself or others an unjust profit, or cause financial loss to another person, or cause damage to another person, and the total profit or total loss exceeds the amount of one hundred and twenty thousand euros (EUR 120,000).
  • If the acts referred to in paragraphs 1 to 3 have resulted in a risk to the free functioning of democracy or national security, they shall be punishable with imprisonment and a fine of up to three hundred thousand euros (EUR 300,000).
  • The felonies provided for in this Article shall fall within the jurisdiction of the three-member court of appeal for felonies.

16.3.         Right to claim damages

Pursuant to GDPR Article 82, compensation may be claimed for material or non-material damage suffered as a result of an infringement of the GDPR.

In this respect, article 40 of Law 4624/2019 provides for the following judicial remedies of data subjects against data controllers and / or data processors:

  • Actions brought by a data subject against a controller or processor for breach of data protection provisions within the scope of the GDPR or the rights of the data subject referred to therein shall be brought before the civil courts in whose district the controller or processor has his or her establishment. The actions referred to in the previous subparagraph may also be brought before the civil courts in whose district the data subject has his or her habitual residence.
  • The previous paragraph shall not apply to actions brought against public authorities, where such authorities exercise sovereign power conferred on them.
  • Where the controller or processor has designated a representative in accordance with Article 27(1) of the GDPR, the representative in question shall be considered to be a procedural representative for the serving of all documents carried out in the framework of civil proceedings pursuant to these provisions.

According to article 80 GDPR, data subjects shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78 and 79 GDPR on his or her behalf, and to exercise the right to receive compensation referred to in Article 82 GDPR on his or her behalf where provided for by Member State law.

In this light, article 41 of Law 4624/2019 provides that, where the data subject considers that the processing of personal data relating to him or her infringes the provisions of the GDPR or Chapter III of this Law, he or she shall have the right to mandate a not-for-profit body, organisation, association or a not-for-profit group of persons without legal personality which has been properly constituted and is legally established in the Greek territory, has statutory objectives which are in the public interest and is active in the area of protection of data subjects’ rights and freedoms with regard to the protection of their personal data, to lodge a complaint on his or her behalf with the Authority in accordance with Article 77 of the GDPR, and to exercise on his or her behalf the rights referred to in Article 78 of the GDPR and Article 20 of this Law. The representation mandate referred to above shall be made by means of a specific written authorisation validated for the signature authenticity of the contracting party in accordance with Article 11(1)(a) of the Code of Administrative Procedure (Law 2690/1999, Government Gazette A’ 45). The mandate may be revoked at any time, in whole or in part.

17.   Principle of accountability & Data Protection compliance actions

17.1.         Accountability obligation and compliance actions

Article 5(2) in conjunction with Articles 24 and 32 GDPR establishes the accountability principle as the cornerstone of compliance with data protection law.

In accordance with the accountability principle, the controller is responsible for, and must be able to demonstrate compliance with, the personal data processing principles established in Article 5(1) of the GDPR.

Hence, the controller is obliged to design, implement and generally take the necessary measures and adopt policies to ensure that data are processed in accordance with the relevant legislative provisions. In addition, the controller is charged with a further task of proving at any time compliance with the principles of Article 5(1) GDPR.

Accountability is, therefore, a mechanism that ensures compliance with the principles relating to processing of personal data. Furthermore, the controller is obliged, according to the accountability principle, to choose the appropriate legal basis and to legally substantiate a processing carried out in accordance with the legal bases provided for by the GDPR and national data protection law.

Thus, it is the obligation of the controller to take the necessary measures in order to comply with the requirements of the GDPR, as well as to be able to demonstrate such compliance at any time, without the need for the supervisory authority to make specific enquiries and requests to assess conformity, while exercising its powers.

The introduction of the accountability principle shifts the “burden of proof”, in terms of lawfulness of the processing and compliance with the GDPR, from the supervisory authorities to the controllers or processors themselves.

In its relevant online guidance note, the HDPA sets out the following indicative methods and tools as appropriate for the compliance of data controllers and data processors with the principle of accountability:

  • record-keeping of processing activities
  • implementation of security measures
  • data protection impact assessment
  • prior consultation and cooperation with the supervisory authority
  • designation of a data protection officer
  • compliance with the data breach notification obligation
  • adoption of codes of conduct and certification mechanisms, seals and marks.

The Authority also explicitly states that the appropriate technical and organisational measures implemented by the controller/processor for the purposes of accountability shall be taken into account when deciding whether an administrative fine is imposed, as well as in determining its amount.

II. Entrusting personal data to third parties including for cloud services

1.   Relationships with third parties

1.1.             Relations between separate controllers

The relationship between two or more separate controllers is regulated neither by the GDPR nor by Law 4624/2019.

Members of a controller-to-controller relationship share the same general obligations as any other controllers. In this respect, both controllers always have a duty to ensure that they both have a legal basis for the processing they conduct on the shared data. As a matter of accountability, each controller has the duty to ensure that the data are not further processed in a manner that is incompatible with the purposes for which they were originally collected by the controller sharing the data.

However, they do not have the statutory obligation to conclude an agreement between themselves as joint controllers do (see below).

1.2.             Relations between joint controllers

Joint controllers must establish a joint controller agreement in compliance with article 26 of the GDPR. More precisely, article 26 uses the term “arrangement” to describe the relationship between the parties.

The legal form of the arrangement among joint controllers is not specified by the GDPR. However, the EDPB recommends that such an arrangement be made in the form of a binding document, such as a contract or other legally binding act under EU or Member State law to which the controllers are subject.

The arrangement shall at least address the following topics:

  • the respective responsibilities between the parties for compliance with the obligations under the GDPR, in particular as regards the exercising of the rights of the data subjects (unless their respective responsibilities are determined by Union or Member State law to which the controllers are subject);
  • their respective duties to provide the information necessary to data subjects; and
  • the respective roles and relationships of the joint controllers vis-à-vis the data subjects.

The arrangement may designate a contact point for data subjects. The essence of this arrangement shall be made available to the data subject.

1.3.             Relations between data controllers and data processors

Article 28 of the GDPR stipulates that, where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.

Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller (article 28 § 3 of the GDPR).

The data controller / processor contract or other legal act shall stipulate, in particular, that the processor (article 28 § 3 of the GDPR):

  • processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • has implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • respects the legal obligations regarding possible sub-processors;
  • taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights;
  • assists the controller in ensuring compliance with the obligations regarding the security of personal data pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor;
  • at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
  • makes available to the controller all information necessary to demonstrate compliance with the processor’s obligations under the law and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Article 28 § 2 of the GDPR further provides that the processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Article 28 § 4 of the GDPR further provides that, where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the controller / processor contract or other legal act between the controller and the processor shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations.

There are no Greek statutory provisions or administrative acts establishing more specific rules in relation to the relationship between controllers and processors.

2.   Data transfers

2.1.             Data localization requirements

Neither the GDPR nor Law 4624/2019 provides for specific requirements regarding the location of the data, except for the restrictions relating to data transfers.

Article 6 of Law 3917/2011, which compels electronic communication service providers to store retained telecommunication traffic data exclusively in the territory of the Greek state, should be considered as invalid, since it directly violates the European Union law core principle of the free movement of services within the internal market (see article 56 TFEU).

2.2.             Conditions for valid transfer to third countries

Transfers of personal data outside the EU must fulfill additional requirements according to GDPR Articles 44 to 49.

In particular, flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by the GDPR should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with the GDPR. A transfer could take place only if, subject to the other provisions of the GDPR, the conditions laid down in the provisions of the GDPR relating to the transfer of personal data to third countries or international organisations are complied with by the processor (recital 101 of the GDPR).

Hence, any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only after certain conditions are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation (article 44 of the GDPR).

In the absence of an adequacy decision adopted by the European Commission, a processor may transfer personal data to a third country or an international organisation only if the processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (article 46 § 1 of the GDPR).

Such appropriate safeguards may be provided for, without requiring any specific authorisation from a supervisory authority, by (article 46 § 2 of the GDPR):

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules;
  • standard data protection clauses adopted by the Commission;
  • standard data protection clauses adopted by a supervisory authority and approved by the Commission;
  • an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  • an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding (recital 108 of the GDPR).

Subject to the authorisation from the competent supervisory authority, the appropriate safeguards may also be provided for, in particular, by (article 46 § 3 of the GDPR):

  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred, so that they will continue to benefit from fundamental rights and safeguards (recital 114 of the GDPR).

3.   Cloud computing services

3.1.             Role of the parties to the cloud service contract

Neither the GDPR nor Law 4624/2019 nor any HDPA administrative acts or jurisprudence stipulate additional rules for determining the roles of the parties to a cloud contract. Therefore, the general GDPR rules in this regard shall apply. For the most part, the cloud service provider is considered the data processor (see the relevant obligations in the section above).

3.2.             Cloud regulations and cloud related obligations

Although no specific rule exists on this matter, whatever the qualification of the service provider, it is the client’s responsibility to choose a service provider that ensures a sufficient level of protection for the data it is entrusted with.

The cloud service agreement will have to clearly indicate the countries where the data centers are located, to ensure adequate protection abroad (e.g., through the enforcement of standard contractual clauses or binding corporate rules). In the event of a negotiable agreement, the client could also decide to limit the data transfers to the European Economic Area (EEA) and third countries recognized as providing an adequate level of protection by decision of the European Commission.

As any other data processor, the Cloud service provider will have to provide sufficient guarantees that appropriate technical and organizational measures have been implemented so that the processing operation complies with the GDPR requirements and ensures the protection of the data subject’s rights. Although no specific technical or organizational measures are set as mandatory, a certified provider will offer its clients enhanced data protection guarantees.

4.   Certifications and codes of conduct for data sharing

4.1.             Codes of conduct

A code of conduct may be adhered to and used by controllers or processors not subject to the GDPR located in third countries for the purpose of providing appropriate safeguards to data transferred to third countries in accordance with Article 46 par 2(e) of the GDPR. Such controllers and processors are required to make binding and enforceable commitments, via contractual or other legally binding instruments, to apply the appropriate safeguards provided by the code including regarding the rights of data subjects as required by Article 40(3) GDPR.

In terms of content, the following elements need to be addressed in the code of conduct used as a transfer tool:

  • A description of transfers to be covered by the code (nature of data transferred, categories of data subjects, countries);
  • Essential principles, rights (mainly third-party beneficiary rights) and obligations arising under the GDPR for controllers/processors including appropriate data governance and data protection training and audits;
  • Guarantees that are specific to the context of transfers (such as with respect to the issue of onward transfers, conflict of laws in the third country), and
  • Other technical details (e.g., changes of the code, withdrawal of a member etc.).

Pursuant to Article 40 of the GDPR, codes of conduct may be developed by associations and other bodies representing categories of controllers or processors and may be approved by the competent supervisory authority. The monitoring of compliance with the code of conduct may be carried out by a body which has an appropriate level of expertise in relation to the subject matter of the code and which is accredited for that purpose by the competent supervisory authority.

In accordance with Articles 40(7) and 64(1)(b), the EDPB will be asked to provide an opinion on the draft decision of a supervisory authority aiming to approve a code intended for transfers, whereas according to Article 40(9), the Commission may decide by adopting an implementing act that a code intended for transfers and approved by a supervisory authority has general validity within the Union. Only those codes having been granted general validity within the Union may be relied upon for framing transfers.

4.2.             Certifications

Establishing data protection certification mechanisms and data protection seals and marks is provided for in Article 42 GDPR for the purpose of demonstrating:

  • compliance with the GDPR of processing operations by controllers and processors subject to it (Article 42(1)),
  • provision of appropriate safeguards within the framework of personal data transfers to third countries or international organisations (Article 46(2)(f)) by controllers and processors that are not subject to the GDPR (Article 42(2)).

The Hellenic Data Protection Authority (HDPA) encourages the adoption of certifications as they enhance transparency by allowing data subjects to quickly assess the level of data protection of relevant products and services (Recital 100 GDPR).

In particular, adherence to an approved certification mechanism may be used as an element to demonstrate compliance with the obligations of the controller (Article 24(3) GDPR) or as an element to demonstrate that the processor provides sufficient assurance in accordance with Article 28(1) and (4) (Article 28(5) GDPR). Adherence to an approved certification mechanism may also be used as an element to demonstrate compliance with the requirements set out in paragraph 1 of Article 32 on the security of processing (Article 32(3) GDPR). It is also taken into consideration when deciding whether to impose an administrative fine and deciding on the amount of the administrative fine (Article 83(2)(j) GDPR).

Certification can be issued to a controller or processor before the HDPA based on the certification criteria approved by the European Data Protection Board (EDPB). Where the criteria are approved by the EDPB, this may result in a common certification, the European Data Protection Seal. Certification shall be issued by certification bodies that have previously been granted relevant accreditation (for more information see the section on accreditation below). Certification shall be issued for a maximum period of three years (Article 42(7) GDPR) and may be renewed under the same conditions, provided that the relevant criteria continue to be met. Certification shall be withdrawn where the criteria for the certification are not or are no longer met.

Certification bodies may issue and renew certification to controllers and processors only where they have previously a) been accredited to have an appropriate level of expertise in relation to data protection, and b) informed the competent supervisory authority accordingly. The accreditation of certification bodies is of particular relevance as it is an official confirmation that the bodies in question have been authorised to that effect, making it possible to generate trust in the certification mechanism. Pursuant to Article 43(1) GDPR, Member States shall ensure that certification bodies are accredited by the competent supervisory authority or the national accreditation body or both of these bodies.

Pursuant to Article 37(1) of Law 4624/2019, in Greece the accreditation of bodies which issue certification under Article 42 of the GDPR shall be carried out by the National Accreditation System (E.SY.D.) in accordance with EN ISO/IEC 17065:2012 and additional requirements established by the HDPA.

The accreditation of certification bodies shall take place on the basis of requirements approved by the competent supervisory authority pursuant to Article 55 or 56, or by the EDPB pursuant to Article 63 (Article 43(3) GDPR). Where accreditation is conducted by the national accreditation body, this shall take place on the basis of EN ISO/IEC 17065:2012 and the additional requirements for accreditation established by the competent supervisory authority. Accreditation shall be issued for a maximum period of five years and may be renewed on the same conditions, provided that the certification body meets the requirements set out in Article 43 (Article 43(4) GDPR). Accreditation is revoked by the competent supervisory authority or the national accreditation body where the conditions for the accreditation are not, or are no longer, met or where actions taken by the certification body infringe the GDPR. Pursuant to Article 37(2) of Law 4624/2019, E.SY.D. shall revoke an accreditation if notified by the HDPA that the requirements for accreditation are no longer met or that the certification body infringes the GDPR or the provisions of Law 4624/2019.

The Hellenic Data Protection Authority (HDPA), by Decision 25/2020, has decided to set out requirements for the accreditation of certification bodies, in addition to EN ISO/IEC 17065:2012, pursuant to Article 43(1)(b) and (3) GDPR and Article 37(1) of Law 4624/2019. The HDPA’s final additional requirements for the accreditation of certification bodies, contained in the Appendix of its Decision 25/2020 as amended according to Opinion 22/2020 of the EDPB, are published on the HDPA’s online portal, pursuant to Articles 43(6) and 57(1)(p) of the GDPR as well as Article 15(10) of Law 4624/2019.

III. Dealing with personal data: Illustrations and takeaways

1.   Data processing at work

Article 88 of the GDPR provides that EU Member States may provide for specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context.

In this respect, article 27 of Law 4624/2019 lays down the following provisions:

  • Employee data may be lawfully processed for the purposes of the employment contract on the condition that processing is necessary for the performance of the employment contract or in order to take steps at the request of the employee prior to entering into the employment contract (27 § 1).
  • Special categories of employee data may be lawfully processed where processing is necessary for rights or obligations arising from labour or social insurance law which clearly override the interests of the employee (27 § 3). This may include the processing of health data for the evaluation of the suitability of a candidate for a specific job post, on the condition that such processing is necessary.
  • Employee data may be lawfully processed for the purposes of the employment contract on the grounds of a collective labour agreement (27 § 4).
  • Employee data may be lawfully processed in the case it is necessary for the purpose of protecting persons and assets. In this context, evaluation of employee performance is not a lawful purpose. The relevant notice to employees should be given in written, including electronic, form (27 § 7).
  • As an exception, the consent of the employee may constitute a valid legal ground for processing, on the condition that such consent is freely given, taking into account (i) the imbalance between the employee and the employer and (ii) the circumstances in which consent is given (27 § 2). For example, consent shall be valid where it provides the legal ground for a legal or economic advantage granted by the employer to the employee, such as in the cases of employee insurance schemes, intranet photos or private use of corporate IT systems (according to the Explanatory Report of the Law).
  • Any employee consent should be given in written, including electronic, form (27 § 2).
  • Apart from part- or full-time employees, the scope of the foregoing provisions includes job candidates, ex-employees, volunteers, apprentices, contractors and freelancers (according to the Explanatory Report of the Law).

According to Opinion 2/2017 of the Article 29 Working Party (WP29) on data processing at work (WP249) and the WP29 Guidelines of 10 April 2018 on consent under the GDPR (WP259rev.01), the imbalance of power between employer and employee leads to the conclusion that, in the majority of cases of personal data processing at work, the legal basis cannot and should not be consent, as the employee can rarely provide valid consent to the employer for the processing of their personal data.

The HDPA has issued its Guidelines 115/2001 for data processing in the employment context. The Guidelines specify several aspects of the processing of employee data by employers and provide for additional requirements to the GDPR and Law 4624/2019.

2.   Direct marketing

2.1.             The opt-in & opt-out rules

Article 11 of Law 3471/2006 lays down the rules for the regulation of direct marketing and unsolicited communications as follows:

  • The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail, for the purposes of direct marketing of goods or services, or for any advertising purposes, may only be allowed in respect of subscribers who have given their prior consent (§ 1).
  • Unsolicited communications with human intervention (calls) for the above purposes must not be performed if the subscriber has stated to the provider of the publicly available electronic communications service that he/she does not wish to accept such communications in general. The provider must enter these statements in a special subscriber directory, which shall be at the subscribers’ disposal free of charge (§ 2).
  • E-mail contact details that have been lawfully obtained in the context of the sale of a product or a service or another transaction may be used for direct marketing of similar products or services by the same supplier, or for the fulfilment of similar purposes, even when the recipient of the message has not given his/her prior consent, provided that he/she is clearly and distinctly given the opportunity to object, in an easy manner and free of charge, to such collection and use of electronic contact details both when they are collected and on the occasion of each message, in case the user has not initially refused such use (§ 3).
  • The sending of e-mail messages for purposes of direct marketing of goods and services, as well as for any kind of commercial purpose, shall be prohibited when the identity of the sender or of the person on whose behalf the message is sent is not mentioned in a clear and explicit manner, when no valid address is given to which the recipient can request the termination of such communications, or when the recipients are encouraged to visit webpages that violate the obligations deriving from the present article (§ 4).
  • The providers of electronic communications services are obliged to take the suitable measures defined by a common act of the DPA and ADAE for the prevention of unsolicited communications. Recipients of unsolicited communications have the right to demand compensation for any property damage, or pecuniary compensation for moral damage, from a provider of publicly available electronic communications services who by negligence violated this obligation or the obligation foreseen in section b of paragraph 2 above. The provider of electronic communications services is not obliged to provide compensation and take measures so that the breach does not occur again in the future if he/she proves that he/she is not liable for negligence (§ 5).
  • Apart from compensation pursuant to article 14 of the present law, the recipients of unsolicited communications as well as the providers of publicly available communications services have the right to demand from anyone who violates the aforementioned obligations that the breach not be repeated in the future, under the threat of a pecuniary penalty (§ 6).

2.2.             The right to object at any time and without justification

According to Article 21 § 2 of the GDPR, where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. The data subject does not need to demonstrate a valid reason for this request, and the controller shall immediately stop processing the data for such purposes.

The right to object can be exercised via multiple methods (e.g., by ticking a box in an HTML form or by clicking on an unsubscribe link).

Greek data protection law does not provide any exceptions to this absolute right of the data subject to object to marketing activities.

3.   Profiling, automated decision making

3.1.             The rules applicable to profiling

Pursuant to Article 4(4) of the GDPR, ‘profiling’ means “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements”.

Personal data may be collected about individuals from a variety of different sources such as internet searches, buying habits, lifestyle and behavior data gathered from mobile phones, social networks, video surveillance systems etc.

The analysis of such information can help find out something about individuals’ preferences, predict their behavior and/or make decisions about them. Online targeted advertising, for instance, is heavily based on profiling.

The data processing for profiling purposes is not subject to any specific restrictions as such. It simply needs to comply with the general data protection principles of lawfulness, transparency, minimization, purpose limitation, storage limitation, accuracy, integrity, and confidentiality.

The transparency principle is the main challenge for this type of processing, as profiling may be invisible to the data subjects concerned, who may also not expect their data to be used in this way. Purpose limitation must also be sufficiently considered, as it needs to be tested whether the profiling is compatible with the original purpose for which the data were collected. Heavily intrusive profiling may need to be subject to a Data Protection Impact Assessment.

Some profiling activities may also lead to automated decision-making, in which case specific rules apply (see relevant section below).

3.2.             The rules applicable to automated decision making

Automated decision-making has a different scope and may partially overlap with or result from profiling. Automated decisions can be made with or without profiling; profiling can take place without making automated decisions.

The Article 29 Working Party (“WP29”), now the European Data Protection Board (“EDPB”), defines it as “the ability to make decisions by technological means without human involvement” in its Guidelines WP251rev.01.

In order for a process to be considered as “solely automated”, the element to consider is whether a human reviews the decision before it is applied and has discretion to alter it, or whether they are simply applying the decision taken by the automated system. In addition, if a human inputs the data to be processed, and then the decision-making is carried out by an automated system, the decision can still be considered as “solely automated”.

Article 22(1) GDPR establishes a general prohibition for decision-making based solely on automated processing, including profiling that has a legal or similarly significant effect.

A legal effect requires that the decision, which is based on solely automated processing, affects someone’s legal rights, a person’s legal status or their rights under a contract. Examples of this type of effect include automated decisions about an individual that result in:

  • cancellation of a contract;
  • entitlement to or denial of a particular social benefit granted by law, such as child or housing benefit;
  • refused admission to a country or denial of citizenship;
  • limitations to the freedom to associate with others; and
  • prohibition to vote in an election or to take legal action, etc.

The “similarly significant effect” is not defined in the texts and it is difficult to be precise about what would be considered as such. However, the following decisions could constitute valid examples:

  • decisions that affect someone’s financial circumstances, such as their eligibility for credit;
  • decisions that affect someone’s access to health services;
  • decisions that deny someone an employment opportunity or put them at a serious disadvantage; and
  • decisions that affect someone’s access to education, for example university admissions, etc.

However, Article 22(2) GDPR provides some exceptions to this general prohibition for decision-making based solely on automated processing, including profiling that has a legal or similarly significant effect in the following cases:

  • when it is necessary for entering into, or performance of, a contract between the data subject and a data controller. The controller must be able to show that this type of processing is necessary, considering whether a less privacy-intrusive method could be adopted. If other effective and less intrusive means to achieve the same goal exist, then it would not be ‘necessary’;
  • when it is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  • when it is based on the data subject’s explicit consent.

In all the above cases, the controller also has the obligation to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention, to express his or her point of view and to contest the decision.

4.   Big data

4.1.             Applicable law

Neither the GDPR nor Greek data protection legislation provides a definition of the term “big data”.

4.2.             Data protection and privacy challenges

The collection, storage, analysis and use of large amounts of personal data to produce usable outcomes raises compliance issues with data protection law.

The collection and analysis of huge amounts of data can be useful in many cases. The GDPR requires that data be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle). Thus, in the case of Big Data, problems may arise when the intended purpose is not clarified or when personal data are analyzed for unstated reasons.

Given also the fact that Big Data processing activities are systematically secondary to the original purpose of processing, the data controllers need to evaluate their compatibility with the original processing. Compatibility needs to be assessed on a case-by-case basis where the relationship, the expectations of the data subject at the time of collection, the context and the nature of the data should be considered. This approach may be in clear contradiction with big data practice.

In addition to the above, the purpose limitation goes hand in hand with the transparency principle. The purpose of the collection should be explained to the data subject through a clear privacy notice that is concise, written in plain language and easily accessible. This seems also a hard obligation to comply with when doing Big Data.

Furthermore, Big data aims at collecting as much data as possible to analyze and make decisions based on it. This will hardly be compatible with the data minimization principle, which therefore becomes another challenge for data controllers.

When doing Big Data, it will also be hard to comply with the obligation to guarantee the rights of the data subjects, as the controller should be able to dig into the large amount of data stored across several different systems to locate, modify and/or erase the data belonging to the data subject.

The outcome of Big Data analysis is also something to consider. Several GDPR rules prevent discriminatory or unfair decisions, including those based on big data analytics. The EU Charter of Fundamental Rights also demands equality before the law.

Given all the above, it should be said that any Big Data analysis, including AI applications and machine learning, shall be subject to data protection compliance review. Data anonymization could also be considered as a solution to these challenges, as companies would thereby avoid the application of the GDPR altogether. The use of pseudonymous data is also beneficial, as it provides better security and strengthens compliance with the purpose limitation and minimization principles, but it does not allow the controller to escape the application of the GDPR to the processing.

5.   Internet of Things

5.1.             Applicable law

The “Internet of Things” refers to the network of objects which incorporate technology to connect to and exchange data with other terminals and systems on the Internet. This means that such devices process the same kinds of personal data (e.g., e-mail address, IP address, phone number) as a connected laptop or mobile phone.

IoT increases the interactions between the device and the data, involving numerous parties and thus the risks that may arise from all those involved parties and data exchanges.

Furthermore, no Greek or European legislation addresses this matter specifically in terms of data protection.

5.2.             Data Protection and Privacy challenges

Challenges arising from the GDPR regarding the IoT are multiple. Some of the most significant are the ones below:

  • Data ownership & accountability

It is not always simple, or even possible, to determine whether the parties involved are controllers or processors. IoT services involve significantly more parties than traditional services (for example, sensor manufacturers, hardware manufacturers, IoT operating system vendors, IoT software vendors, mobile operators, device manufacturers, third-party app developers).

In addition, legally binding all processors may be overwhelming, but the GDPR requires that a contract or other legal instrument be concluded between the controller and the processor (art. 28(3) GDPR).

  • Transparency

Given the involvement of so many parties, often acting as separate controllers, the majority of connected devices fail to adequately explain to customers how their personal data are processed. Depending on the application, this information could be provided for instance on the object itself, but in any case all the involved data controllers will have to appear in the relevant information notice.

  • Data disclosure and security

The multiple data transfers between the multiple connected devices entail increased security risks. If security flaws resulting in breaches of the security principle are the result of inadequate design or maintenance of the devices used, this engages the responsibility of all the data controllers concerned. Thus, data controllers shall carry out detailed security risk assessments when launching an IoT device or service.

  • Purpose limitation

The purposes of processing conducted via IoT devices and apps must be defined before the data processing takes place, which excludes sudden changes in the key conditions of the processing. This implies that IoT stakeholders must have a good overview of their business case before they start collecting any personal data.

  • Sensitive data

Some of the connected devices and apps may lead to the collection of sensitive data. For instance, smartwatches and other forms of the “Quantified Self” mostly register data relating to the well-being of the individual. These data do not necessarily constitute health data as such, yet they may quickly provide information about the individual’s health, as the data are registered over time, thus making it possible to derive inferences from their variability over a given period. This means that Article 9 of the GDPR would apply, which requires that data controllers obtain the user’s explicit consent.

Given all the above, it should be said that any IoT-related data processing activities shall be subject to data protection compliance review. Best practices to deal with the data protection implications include the performance of Data Protection Impact Assessments and the application of the principles of Privacy by Design and Privacy by Default.

6.   High Risk Data Processing activities

6.1.             The criteria for the determination of high-risk activities and the applicable rules

Pursuant to Article 35 of the GDPR, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data”.

A DPIA is carried out by the data controller when the processing operations are likely to result in a high risk to the rights and freedoms of natural persons, in particular using new technologies and taking into account the nature, scope, context and purposes of the processing. Indicative kinds of high-risk processing operations are referred to in Article 35(3) of the GDPR (see recital 91 of the GDPR).

Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” were published by the WP29 (WP 248) and endorsed by the EDPB. These guidelines provide for nine criteria to be considered. The processing involves:

  • evaluation or scoring,
  • automated decision making with legal or similar significant effect,
  • systematic monitoring,
  • sensitive data or data of a highly personal nature,
  • data processing on a large scale,
  • matching or combining datasets,
  • data concerning vulnerable data subjects,
  • innovative use or applying new technological or organizational solutions, or
  • when the processing in itself prevents data subjects from exercising a right or using a service or a contract.

The more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA. As a rule of thumb, a processing operation meeting fewer than two criteria may not require a DPIA due to the lower level of risk, whereas processing operations which meet at least two of these criteria will require a DPIA.

In addition to the above, Member States have been requested to provide their list of processing activities mandatorily subject to a DPIA (“black-listed activities”) and those a priori exempted from it (“white-listed activities”).

6.2.             Black-listed activities subject to DPIA

The Hellenic Data Protection Authority (HDPA) established, on the basis of Article 35 (4) of the GDPR, a draft list of the kinds of processing operations which are subject to the requirement for a DPIA. Before adopting the aforementioned DPIA list, the HDPA, in accordance with Article 35 (6), applied the consistency mechanism referred to in Article 63 by communicating the draft list to the European Data Protection Board (EDPB).

The EDPB, at its plenary session of the 25th of September 2018, issued, on the basis of Article 64 (1) of the GDPR, the Opinion 7/2018[1] regarding the HDPA’s draft DPIA list.

By virtue of Decision no. 65/2018 the HDPA published its list of processing operations subject to a DPIA pursuant to Article 35(4) of the GDPR. The list is as follows:

The list groups and further specifies the types of processing operations that are subject to the requirement to conduct a DPIA, with references and indicative examples. It is not exhaustive and does not remove or alter the obligation to conduct a DPIA in any case where the conditions of Article 35(1) of the GDPR are fulfilled.

This list is based on Article 35 of the GDPR and in particular paragraphs 1 and 3 thereof, as well as on the Impact Assessment Guidelines (WP248), which it supplements and further specifies.

The HDPA criteria for conducting a DPIA are grouped into the following three categories:

– 1st category: based on types and purposes of processing.

– 2nd category: based on the type of data and / or subject categories.

– 3rd category : based on the additional characteristics and / or the means of processing used.

A DPIA is mandatory when at least one criterion of the 1st or the 2nd category is fulfilled. It is also mandatory when at least one criterion of the 3rd category is met and the processing additionally concerns the types and purposes of processing of the 1st category and/or the data types or categories of data subjects of the 2nd category. In other words, a 3rd-category criterion on its own does not trigger the obligation; it must be combined with a 1st- or 2nd-category element.

1st Category: types and purposes of processing

1.1. Systematic evaluation, scoring, prediction and profiling, especially in aspects relating to the financial situation, health, personal preferences or interests, reliability or behaviour, location or movements, or creditworthiness of the data subjects.

Examples are a financial institution screening its clients against credit, anti-money laundering / counter-terrorist financing or fraud databases, or a biotechnology company offering genetic tests directly to consumers in order to assess and predict disease or health risks.

1.2. Systematic data processing aimed at taking automated decisions that produce legal effects on data subjects or significantly affect data subjects in an analogous manner and may lead to exclusion or discrimination against the individual.

Examples are automatic denial of an online credit application or e-recruitment without human intervention (rec. 71 of GDPR) or automatic denial of insurance.

1.3. Systematic processing of data that may prevent a person from exercising their rights or from using a service or a contract, particularly when data collected by third parties are taken into account.

Examples are a bank checking its clients against a credit database in order to decide whether or not to grant them a loan, the listing of a data subject on a “black list” (such as a black list of mobile telephony providers), or the registration of a person in a whistleblowing system.

1.4. Systematic processing of data relating to profiling for the purpose of promoting products and services, where the data are combined with data collected by third parties.

1.5. Systematic and large-scale processing for the monitoring, observation or control of individuals using data collected through video surveillance systems, via networks or by any other means in a public space, a publicly accessible space or a private space accessible to an unlimited number of persons. This includes tracking the movements or location / geographical position, in real time or otherwise, of identified or identifiable individuals. Examples are the use of cameras in a shopping mall or at public transport stations, the processing of passengers’ location data at an airport or on public transport, wi-fi tracking of visitors to shopping centres, and data processing by means of drones.

1.6. Large-scale systematic processing of personal data relating to private and public health for public interest purposes, such as the introduction and use of e-prescription systems and the introduction and use of an electronic health record or electronic health card.

1.7. Large-scale systematic processing of personal data for the purpose of introducing, organising, providing and controlling the use of e-Government services as defined in Article 3 of Law 3979/2011, as in force.

2nd category: data type and / or subject categories

2.1. Large-scale processing of the special categories of data (including genetic and biometric data) referred to in Article 9(1) of the GDPR and of the data referred to in Article 10 of the GDPR.

2.2. Systematic and large-scale processing of data of particular importance or exceptional character such as:

2.2.1 Social welfare data (data on poverty, unemployment, social work, etc.)

2.2.2 Electronic communications data, including content data such as e-mail, metadata and geographical position / location data, except for the recording of telephone conversations pursuant to Article 4(3) of Law 3471/2006,

2.2.3 Data relating to a national identification number or to other general-purpose identifiers, or to a change in the terms and conditions of their processing and use, and personal data relating thereto,

2.2.4 data contained in personal documents, calendars, e-reader notes and life logging applications, which offer the possibility of keeping notes and very personal information,

2.2.5 data collected or produced by devices (such as sensors), in particular through IoT (such as smart TVs, smart home appliances, connected toys, intelligent cities, intelligent energy meters etc) and / or other means.

2.3. Systematic monitoring, where permitted, of the position / location as well as of the content data and metadata of employees’ communications, except for logs kept for security reasons, provided that the processing is limited to the data strictly necessary and is specifically documented. An example of this is the use of DLP (data loss prevention) systems, which by design inspect the content of employees’ communications.

2.4. Systematic processing of biometric data of employees for the purpose of unambiguous identification of the person, as well as of genetic data of employees.

3rd category: additional characteristics and / or processing means used

3.1. Innovative use or application of new technologies or organisational solutions, which may involve new forms of data collection and use and may pose a high risk to the rights and freedoms of individuals, such as the combined use of fingerprints and facial recognition for improved physical access control, mHealth applications or other “smart” applications that create user profiles (e.g. daily habits), artificial intelligence applications, or publicly accessible blockchains containing personal data.

3.2. Combining and / or linking personal data from multiple sources or third parties, from two or more processing activities carried out for different purposes and / or by different controllers in a way that might exceed the reasonable expectations of the data subject.

3.3. Processing of data that have not been collected from the data subject, where the provision of information to the data subjects under Article 14 of the GDPR proves impossible or would involve a disproportionate effort, or is likely to render impossible or seriously impair the achievement of the purposes of the processing.

Revision of the list

The above list is subject to regular review every two years, and to an extraordinary review in the event of significant technological developments or changes in operational models, as well as in the event of a change in the purposes of the processing where such a change entails a high risk.

6.3.             White-listed activities exempted from DPIA

The list established by the HDPA does not include white-listed activities exempted from the obligation to conduct a DPIA; the HDPA has not made use of the option in Article 35(5) of the GDPR.

7.   Biometric Data

7.1              Specific requirements regarding the use of biometric data

Greek data protection legislation does not provide horizontal specific requirements regarding the processing of biometric data.

8.   Genetic Data

8.1              Specific requirements regarding the use of genetic data

According to article 23 of Law 4624/2019, the processing of genetic data for health and life insurance purposes shall be prohibited under Article 9(4) of the GDPR.

9.   Health Data

9.1              Specific requirements regarding the use of health data

As far as health data are concerned, by way of derogation from Article 9(1) of the GDPR, Article 22 § 1 of Law 4624/2019 provides that the processing of special categories of personal data within the meaning of Article 9(1) of the GDPR by public and private bodies shall be allowed if it is necessary: (a) for the purpose of exercising the rights arising from the right to social security and social protection, and for fulfilling the obligations arising therefrom; (b) for the purposes of preventive medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care, or the management of health or social care systems, or pursuant to a contract with a health professional or another person who is subject to a duty of professional secrecy or is supervised by such a person; or (c) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices. In these cases, in addition to the measures referred to in the second subparagraph of paragraph 3 of the same Article, the provisions ensuring professional secrecy laid down in a law or a code of conduct must in particular be complied with.

10.Processing for archiving, scientific or historical research purposes

10.1           Processing for archiving, scientific or historical research purposes

Article 30 § 1 and 4 of Law 4624/2019 stipulates, by way of derogation from Article 9(1) of the GDPR, that the processing of special categories of personal data within the meaning of Article 9(1) of the GDPR shall be allowed without the consent of the data subject where the processing is necessary for scientific or historical research purposes, or for the collection and maintenance of statistical information, and the interest of the controller overrides the interest of the data subject in not having his or her personal data processed. The controller is obliged to take suitable and specific measures to protect the data subject’s legitimate interests; such measures may include, among others, the pseudonymisation of the personal data. The controller may publish personal data processed in the context of research only if the data subjects have given their consent in writing or the publication is necessary for the presentation of the results of the research. In the latter case, the results must be pseudonymised before publication.

IV. Cybersecurity legal framework

1.   Cybersecurity governing texts

1.1.             Governing texts

Directive (EU) 2016/1148 on security of network and information systems (the “NIS Directive”), adopted on 6 July 2016, aimed at improving European cooperation on cybersecurity and at ensuring a high common level of security of network and information systems across the EU.

The NIS Directive has three parts:

  • Enhancement of national capabilities: each EU Member State must have certain national cybersecurity capabilities, e.g. a national CSIRT, a national NIS strategy, the performance of cyber exercises, etc.
  • Strengthening of cross-border collaboration between Member States, e.g. through the operational CSIRTs Network and the strategic NIS Cooperation Group, and
  • National supervision of the cybersecurity level of critical market operators.

Law 4577/2018 (GG 199/A’/03-12-2018) transposes the NIS Directive (Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union) into Greek law.

The Law establishes the national cybersecurity plan and Cybersecurity Authority in the Ministry of Digital Policy, Telecommunications and Information, designating the latter with a supervisory and regulatory role. It also provides for the establishment of a Computer Security Incident Response Team (CSIRT).

Other legislative and regulatory instruments setting out the framework for cybersecurity regulation in Greece are the following:

  • Ministerial Decision ΓΔ0ΕΣ/1/2/414 on the Operation of the Cybersecurity Studies Centre
  • Ministerial Decision 1027/2019 on the implementation and the procedures of L. 4577/2018
  • National Cybersecurity Strategy 2020-2025
  • Cybersecurity Handbook of the National Cybersecurity Authority

1.2.             Scope of application:

Law 4577/2018 sets out important cybersecurity obligations for the following two categories of entities:

  • Operators of Essential Services (OES) in the sectors of energy, transport, banking (credit institutions), financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure.
  • Digital Service Providers (DSPs), namely providers of online marketplaces (including e-commerce platforms), online search engines and cloud computing services.

2.   Regulatory authorities and other bodies

2.1.             Regulatory authorities

The newly established National Cybersecurity Authority has the following powers:

  • Assesses compliance of obligated entities with Law 4577/2018;
  • Orders obligated entities to provide any information it requires under the law, including their security policies;
  • Orders obligated entities to bring their operations into compliance with the law.
  • Drafts the National Cybersecurity Strategy.

The National CERT has the mission of preventing and responding, both passively and actively, to cyber-attacks against communications networks, information storage facilities and computer systems.

The Hellenic Computer Security Incident Response Team (CSIRT) is the central body for the country’s cyber defence, incident response and operational coordination. Its mission is to reduce the risk of systemic cybersecurity and communications failures at national level.

The Center for Security Studies is supervised by the Minister of Citizen Protection and is responsible for the review and certification of any infrastructure and information technology systems, which require cybersecurity certification.

3.   Cybersecurity obligations

3.1.             Obligations applicable to digital service providers (DSPs)

Businesses falling within the scope of the Law have the following basic obligations with regard to the security of their systems:

  • Adopt appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their networks and information systems.
  • Adopt measures to prevent and minimise the impact of incidents affecting the security of their networks and information systems, with a view to ensuring the continuity of the services they provide.
  • Notify the National Cybersecurity Authority and the CSIRT of incidents having a significant impact on the continuity of the services they provide. The notification must be made without undue delay and must include the information needed by the Authority to determine the severity of the incident (e.g. number of users affected, duration, geographical spread).
  • Cooperate with the competent authorities.

3.2.             Obligations specific to operators of essential services (OES)

See para. 3.1. above. The same basic obligations apply to OES; the notification threshold for OES relates to incidents having a significant impact on the continuity of the essential services they provide.

4.   Penalties

Following the opinion of the National Cybersecurity Authority, the Minister of Digital Policy, Telecommunications and Information imposes the sanctions below in case of violation of the provisions of Law 4577/2018:

  • A fine of up to EUR 15,000 in the event of failure to notify, or delay in notifying, an incident.
  • A fine of up to EUR 200,000 in the event of failure to take appropriate organisational / technical measures to manage the risks to the security of networks and information systems.
  • A fine of up to EUR 50,000 in the event of failure to provide, or unjustified delay in providing, information requested by the National Cybersecurity Authority.

5.   Cybersecurity & data protection law

5.1.             Scope

Cybersecurity and data protection laws should not be confused.

On the one hand, cybersecurity legislation addresses the security and integrity of information systems and of all information contained in such systems, incident management and the prevention of cyber-attacks, irrespective of whether the information concerned is personal data.

On the other hand, Greek data protection law aims to protect personal data and data subjects’ rights, and to make companies that process personal data accountable for their activities, while ensuring the free movement of personal data in accordance with the rights and obligations it defines.

However, the two bodies of legislation can overlap, e.g. regarding the general security measures required by both (Article 32 of the GDPR and Law 4577/2018), in the event of a security breach that results in mandatory notification to both the HDPA and the National Cybersecurity Authority, or where a data controller meets the conditions for the mandatory appointment of both a DPO and a cybersecurity contact person, although the scope and objectives of the two laws remain distinct.

5.2.             Personal data used for cyber security purposes

The implementation of proper cybersecurity measures involves the processing of certain categories of personal data of the users of the technologies concerned (e.g. IP addresses, log files, directory and authentication records, etc.). Such processing is itself subject to the GDPR, and recital 49 of the GDPR recognises that processing personal data to the extent strictly necessary for ensuring network and information security may constitute a legitimate interest of the controller.

No specific rule of the GDPR or of Greek data protection law covers the topic of data processing for cybersecurity purposes.

5.3.             Security incidents involving data breaches

A cybersecurity incident can also be a personal data breach in the event that the cybersecurity incident involves or results in unauthorized access to and/or disclosure of personal data or reveals a breach of security obligations imposed on the data controller and/or processor under the GDPR.

In such event, notifications to both the HDPA (personal data breach notification under Article 33 of the GDPR) and the National Cybersecurity Authority / CSIRT (incident notification under Law 4577/2018) will be required, each subject to its own thresholds, content requirements and deadlines.

[1] The Greek text of Law 4624/2019 in the Government Gazette (GG 137/A’/29-08-2019) can be found in the following URL: http://www.et.gr/api/DownloadFeksApi/?fek_pdf=20190100137.

[2] The European Commission’s relevant press release, dated 25.07.2019, can be found in the following URL: https://europa.eu/rapid/press-release_IP-19-4261_en.htm.

[3] See HDPA Opinion no. 1/2020, available: https://www.dpa.gr/el/enimerwtiko/prakseisArxis/epi-ton-diataxeon-toy-n-46242019.

[4] Government Gazette 133/A/28-06-2006.

[5] Government Gazette 22/A/21-02-2011.

[6] See CJEU, Judgment in Joined Cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Others.

[7] Government Gazette 136/A/07-07-2009.

[8] See Art29WP, Opinion 05/2014 on Anonymisation Techniques, adopted on 10 April 2014, 0829/14/EN, WP216, p. 5.

[9] CJEU, C-582/14, 19.10.2016.

[10] Available: http://www.dpa.gr/pls/portal/url/ITEM/B4C16F52A061298FE040A8C07C241FC4.

[11] Further information available here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

[12] See Art29 WP, Guidelines on Data Protection Officers (‘DPOs’), 16/EN, WP 243 rev.01.