Data Law Nav­ig­at­or | Greece

In­form­a­tion on Data Pro­tec­tion and Cy­ber Se­cur­ity laws from CMS ex­perts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security

 

Data Protection

Last reviewed 26 November 2018

Risk scale

No assessment is possible at this moment, given that the Draft Bill which is intended to align the national legislation with the GDPR has not been adopted yet. 

Laws

  • General Data Protection Regulation (GDPR).
  • Law 2472/1997, as amended and in force, transposing Directive 95/46/EC (Data Protection Directive).
  • Law 3471/2006, as amended and in force, transposing Directive 2002/58/EC (ePrivacy Directive).

Please note that the following analysis relies on the contents of a February 2018 draft bill on the protection of personal data ("Draft Bill"), as published during the public consultation, and is therefore without prejudice to the provisions and shape that national legislation will finally have after the Draft Bill is debated and voted by the Greek Parliament. 

As far as the currently applicable regime is concerned, the GDPR applies directly, irrespectively of any national law measures. Thus, in anticipation of new legislation, the Greek supervisory authority (HDPA) is adapting their practices by disapplying any existing provisions of domestic law that are incompatible with the GDPR. For instance, by Decision 46/24.5.2018, the HDPA confirmed that it will no longer accept notifications of processing operations or, in the case of sensitive data, issue relevant permits, as was laid down in Law 2472/1997, since the GDPR has moved away from the system of notification to the principle of accountability.

Authority

  • Hellenic Data Protection Authority (HDPA) (www.dpa.gr)
  • Hellenic Authority for Communication Security and Privacy (HACSP) as far as providers of publicly available electronic communications services are concerned (www.adae.gr

Anticipated changes to law

The Draft Bill is supposed to enable the smooth implementation of the GDPR, amongst others by repealing Law 2472/1997, and make use of the possibility offered to Member States to further specify the application of data protection rules in specific fields, as illustrated below.

It is nevertheless to be noted that the language used in the Draft Bill sometimes creates uncertainty as it is not fully aligned with the GDPR. For instance, the territorial scope of the Draft Bill (article 2 para. 8) extends to processing of personal data taking place in Greece even if the controller is not established in Greece without the conditions of article 3 para. 2 of the GDPR being met. Also, contrary to the provisions of Regulation (EU) 536/2014 and those of the GDPR, the Draft Bill (article 19 para. 2) appears to confuse the informed consent to participate in a clinical trial under the former with the explicit consent to the processing of personal data under the latter.

If applicable: stage of legislative implementation of GDPR

The Draft Bill on the protection of personal data was open to public consultation from 20 February to 5 March 2018. Nevertheless, it has not been put to the vote of Greek Parliament yet. Its adoption is not expected before the first quarter of 2019, since the designated law-making body has been given an extension to complete their tasks until end-December 2018.

If applicable: local derogations as permitted by GDPR

Examples of deviations from the GDPR and additional restrictions to be introduced with the Draft Bill include inter alia the following:

  • A child's consent shall be lawful where the child is at least 15 years old.
  • CCTV records must be destroyed within 15 days, unless they contain proof for the occurrence of relevant incidents.
  • Requests of access to image/voice recordings must be honored by controllers within 15 days.
  •  Prior consultation of the HDPA shall be obligatory in further cases, such as large-scale systematic processing of genetic or biometric data (including when carried out for scientific research purposes), processing of genetic data of employees, etc.   
  • In the employment relationship context, employers shall be obliged to inform in writing each employee separately concerning the processing of personal data (this means practically that employers are expected to obtain employees' signature on the relevant handbook). Furthermore, they will be required to issue and put in place internal policies and privacy statements specific to the use of Internet and email facilities. At the same time, employers will be allowed to collect personal data relating to criminal convictions and offences, if strictly necessary considering the duties or job description of the employee concerned.
  • The HDPA will be authorised to specify processing activities where the controller or processors shall be obliged to appoint a data protection officer.

Scope

The Draft Bill applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system:

  • in the context of the activities of an establishment of a controller or a processor in Greece; or
  • if the processing of personal data that takes place in Greece (NB: if the Draft Bill is voted as such, this provision will not be in line with the GDPR, as explained above); or
  • if the conditions of article 3 para. 2 of the GDPR are met, i.e. in brief, where the processing involves personal data of individuals who are in Greece and relates to the offering of goods or services to those individuals, or the monitoring of their behaviour which takes place in Greece. 

To the extent it refers to the GDPR, the Draft Bill does not apply to the processing of data:

  • by a natural person in the course of a purely personal or household activity (NB: this exemption is nevertheless qualified under the current wording of the Draft Bill which seems to deny the exemption where the processing is intended to or results in systematic sharing of personal data with third parties); or
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the prevention of threats to public security, or for national security purposes.

Penalties/enforcement

The GDPR lays down administrative fines which, depending on the nature of the infringement and the characteristics of the organisation pursued, may reach up to 10 million Euros or 2% of total worldwide annual turnover, and up to 20 million Euros or 4% of total worldwide annual turnover, respectively. 

In addition to the administrative fines introduced by the GDPR, the Draft Bill provides for criminal sanctions for violations of the GDPR. Depending on the circumstances, those may be treated either as misdemeanors or felonies and are punishable with imprisonment and monetary penalties amounting up to 300,000 Euros.

Registration / notification 

After the GDPR took effect on 25 May 2018, controllers do no longer have to notify their processing operations to the HDPA or seek approval by the HDPA concerning processing operations involving sensitive data, as was the case until then under Law 2472/1997 (see also section "Laws" for more details).

Nevertheless, according to article 36 of the GDPR, the controller is required to consult the HDPA prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Additional cases involving obligatory consultation with the HDPA are laid down in the Draft Bill, as explained above.

Main obligations and processing requirements

The main obligations and processing requirements foreseen in the Draft Bill reflect the GDPR, without prejudice to a number of deviations, as explained previously.

Data subject rights

The main data subject rights foreseen in the Draft Bill reflect the GDPR with the following exceptions:

  • Right to be informed and right of access can be refused by the controller when it comes to processing operations relating to national security and defence, etc.
  • Right of access, right to rectification and rights to restriction, data portability and to object can be restricted or denied, as the case may be, when it comes to processing for archiving purposes in the public interest.
  • Right of access, right to rectification and rights to restriction and to object can be refused by the controller when it comes to processing for scientific or historical research purposes or statistical purposes. 

It is to be noted that at the same time the Draft Bill makes employees' role stronger, as seen in the examples discussed above.

Processing by third parties

There shall be no deviation from article 28 of the GDPR, except when it comes to processing of personal data for journalistic purposes.

Transfers out of country

There shall be no deviation from articles 44 - 49 of the GDPR, except when it comes to processing of personal data for journalistic purposes.

Data Protection Officer

There shall be no deviation from the GDPR.

Security

There shall be no deviation from the GDPR, except when it comes to processing of personal data for journalistic purposes. In such a case, controllers are exempted from the obligations to notify a data breach (likely to result in a high risk) to the data subject, carry out a data protection impact assessment, and consult the HDPA.

Breach notification

There shall be no deviation from the GDPR, except when it comes to processing of personal data for journalistic purposes, where controllers are not required to notify a data breach (likely to result in a high risk) to the data subject.

Also, a general reservation is introduced for processing operations relating to national security and defense, etc.

Please note that according to article 12(5) of Law 3471/2006 providers of publicly available electronic communications services are required to notify the HACSP and the HDPA of personal data breaches.

Direct marketing

According to article 11 of Law 3471/2006, unsolicited communications (incl. by email, fax, automatic calling machines, text messages, etc.), with or without human intervention, for the purposes of direct marketing are allowed only in respect of subscribers who have given their prior consent.

Where users register on a marketer's website to receive direct marketing communications through email, the HDPA requires a double opt-in function in order to verify that the owner of the email address and the user concerned is the same person. Further requirements apply to marketing through other means.

The HDPA has indicated in its Opinion 2/2011 that consent cannot extend to a period longer than 6 months following the last direct marketing communication.

Please note that providers of publicly available electronic communications services maintain "do not call me" lists allowing users to object in advance to any direct marketing call with human intervention.

An exemption from the consent requirements is laid down in law 3471/2006 when it comes to direct marketing communications through emails, provided that:

  • the email address of the recipient has been obtained by the marketer in accordance with the data protection legislation (i.e. all conditions for lawful processing having been met, including the provision of a fully-fledged privacy notice) in the context of the sale of its products or services, thereby making the recipient a customer of the marketer,
  • the recipient-customer was given the opportunity to object, free of charge and in an easy manner (opt-out), to the use of his/her e-mail address at the time of their collection by the marketer,
  • the recipient-customer is given the opportunity to object (opt-out), in the same way, on the occasion of each marketing message (e.g. through an unsubscribe link), and
  • the communication relates to "similar products or services" of the marketer or is intended for "similar purposes".

Cookies

According to article 4(5) of Law 3471/2006, the use of cookies is only allowed if the user has consented thereto after having been provided with clear and extensive information under the data protection legislation.

Consent should be sought through appropriate means, such as pop-up windows. It is also possible to obtain consent through the browser settings as long as the browser rejects all cookies by default and enables users to give their consent on a cookie-by-cookie basis.

The informed consent requirement does not apply if cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. According to the HDPA, this exemption applies to the categories of cookies indicated in WP29 Opinion 04/2012 on Cookie Consent Exemption, i.e.:

  • User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases.
  • Authentication cookies, used for authenticated services, for the duration of a session.
  • User centric security cookies, used to detect authentication abuses, for a limited persistent duration.
  • Multimedia content player session cookies, such as flash player cookies, for the duration of a session.
  • Load balancing session cookies, for the duration of session.
  • UI customization persistent cookies, for the duration of a session (or slightly more).
  • Third party social plug-in content sharing cookies, for logged in members of a social network.

On the other hand, cookies serving online advertising do not fall within the above exemption, but can be used only following users informed consent.

Useful links

 

Cyber Security 

Last reviewed 26 November 2018

Risk scale

Laws and regulations

Law of 21 November 2018 on network and information systems security and other matters ("NIS Law"; act number still pending on 26 November), transposing Directive (EU) 2016/1148 (NIS Directive)

Application

The NIS Law establishes amongst others requirements on security and incident notification, addressed to operators of essential services and digital service providers, as they are defined in the NIS Directive.

According to article 4 of the NIS Law, operators of essential services, caught thereby, shall be determined by the Minister for Digital Policy, Telecommunications and Media, following a proposal of the National Authority for Cybersecurity ("NAC"; see below). Those shall include organisations established in Greece, active within the following sectors: energy (electricity, oil, gas); transport (air, rail, water and road transport); banking; financial market infrastructures; health sector (health care settings including hospitals and private clinics); drinking water supply and distribution; and digital infrastructures

Authority

The Directorate for Cybersecurity of the Directorate General for Digital Policy of the Ministry for Digital Policy, Telecommunications and Media, shall act as the National Authority for Cybersecurity ("NAC"), i.e. the national competent authority on the security of network and information systems. The NAC shall also act as the single point of contact on the security of network and information systems according to the NIS Directive.

Key obligations 

Subject to further guidance to be issued by the NAC, operators of essential services are required:

  • to implement technical and organisational measures to manage the risks posed to the security of network and information systems which they use in their operations;
  • to implement appropriate measures to prevent and minimise the impact of security incidents; and
  • to notify without undue delay the NAC and the competent CSIRT of security incidents having a significant impact on the continuity of the essential services they provide. 

Subject to the specifications of Commission Implementing Regulation (EU) 2018/151, digital service providers are required (except if they qualify as micro or small enterprises as defined in Commission Recommendation 2003/361/EC):

  • to implement technical and organisational measures to manage the risks posed to the security of network and information systems which they use in the context of online marketplaces, online search engines, or cloud computing services;
  • to implement appropriate measures to prevent and minimise the impact of security incidents; and
  • to notify without undue delay the NAC and the competent CSIRT of security incidents having a substantial impact on the provision of services in the above contexts.

Penalties/enforcement

Article 15 of the NIS Law lays down administrative fines for violations of the incident notification requirements, or failure to implement technical and organisational measures or to respond to a request or audit, which range from 15.000 to 200.000 Euros, depending on the nature of the infringement.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes, it is the National Authority Against Electronic Attacks (NAAEA) – National CERT. 

Also, according to the NIS Law, the Directorate for Cyber-Defense of the Hellenic National Defense General Staff has been designated as the competent CSIRT.

Is there a national incident management structure for responding to cyber security incidents?

No. Nevertheless, it is part of the deliverables under the National Cybersecurity Strategy that was released in March 2018 and is currently subject to revision following the passing of the NIS Law.

Useful links

< back to Overview

Authors

Vassilis Karantounias
Senior Counsel
Brussels - EU Law Office