
Data Law Navigator | Greece

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last reviewed 14 November 2019

Risk Scale

Orange

Laws

  • General Data Protection Regulation (GDPR).
  • Law 4624/2019 introducing implementation measures of and derogations from the GDPR, and transposing Directive (EU) 2016/680, i.e. the Data Protection Law Enforcement Directive (GDPR Implementation Law).
  • Law 2472/1997 transposing Directive 95/46/EC (Data Protection Directive), insofar as it has not been repealed by Article 84 of the GDPR Implementation Law (as regards, for instance, the definitions, the publication of suspects' or perpetrators' identity in the context of criminal procedures; the national "do not call" register; the administrative sanctions for violations of domestic provisions transposing the ePrivacy Directive; etc.). 
  • Law 3471/2006, as amended and in force, transposing Directive 2002/58/EC (ePrivacy Directive). 

Important note: A number of provisions of the GDPR Implementation Law were criticised, already during the public consultation, for being contrary to the mechanics and rationale of the GDPR. By an announcement dated 2 October 2019 (i.e. after the law was passed), the HDPA stated that it is in the process of examining the GDPR Implementation Law in order to deliver an opinion accordingly. It also underlined that, within its enforcement powers, it shall interpret the provisions of the GDPR Implementation Law in the context of the GDPR, and shall assess the validity of these provisions from the perspective of compliance with the GDPR and the Data Protection Law Enforcement Directive.

Furthermore, it is to be noted that the analysis included in the previous editions of the CMS Data Law Navigator relied on a February 2018 draft bill. In August 2019, a different legislative proposal was put to public consultation, and eventually it formed the basis of the GDPR Implementation Law that was finally adopted on 26 August 2019. 

The following analysis deals only with the part of the GDPR Implementation Law relating to the GDPR and does not extend to the Data Protection Law Enforcement Directive.

Authority

  • Hellenic Data Protection Authority (HDPA) (www.dpa.gr)
  • Hellenic Authority for Communication Security and Privacy (HACSP) as far as providers of publicly available electronic communications services are concerned (www.adae.gr)

Anticipated changes to law

The new EU e-Privacy Regulation is set to replace the e-Privacy Directive. In effect, this will replace Greek Law 3471/2006 which transposed the e-Privacy Directive. This is still in the legislative process, with no definite timeframe for implementation.

If applicable: stage of legislative implementation of GDPR

The GDPR Implementation Law was passed on 26 August 2019 and applies as of 29 August 2019. Already prior to that date, in a number of decisions, the HDPA had disapplied provisions of domestic law that were incompatible with the GDPR, in view of the latter's direct effect.

Please consider the "Important note" in section "Laws", as well.

If applicable: local derogations as permitted by GDPR

The GDPR Implementation Law has introduced a number of deviations from the GDPR and additional restrictions, such as:

  • Public bodies: Differentiated treatment of public bodies (broadly defined; see section "Scope") in their capacity as controllers or processors as opposed to regular controllers or processors, with respect, for instance, to legal bases; DPO duties; data processing for further purposes; transmission of personal data; and fines applicable to certain public authorities
  • Special categories of data: The ban to process sensitive data is lifted, for instance, where processing is carried out by public bodies for reasons of substantial public interest.
  • Child's consent: In the context of information society services, consent is lawful provided that the child is at least 15 years old. Below that age, it is required to obtain the consent of the holder of parental responsibility.
  • Genetic data: Processing of genetic data for life and health insurance purposes is banned.
  • "National" legal bases: For certain processing operations, in particular such as processing for purposes other than that for which the data have been collected, controllers may rely on the justifications laid down in the GDPR Implementation Law (e.g. for the establishment, exercise and defense of legal claims), thereby escaping the compatibility test of article 6(4) GDPR.
  • Employment: Detailed rules apply to the processing of employees' personal data, such as for instance the requirement to comply with the GDPR Implementation Law even if personal data are not stored or are not intended to form part of a filing system.
  • Freedom of expression and information; archiving in the public interest; scientific or historical research; statistical purposes: Detailed rules apply to data processing for these purposes, including inter alia balancing and reconciling tests and a possibility for controllers to deny certain data subject rights where the balancing exercise so suggests.
  • Restrictions: The GDPR Implementation Law introduces a number of restrictions based on Article 23 GDPR, such as on the right to information in the context of certain processing operations for either initial or further purposes or both; and on the obligation to communicate a data breach to the data subjects concerned, subject to certain conditions (in particular, where confidentiality obligations apply).
  • Public documents: Special provisions, governing the right of access to documents drafted by public authorities and documents relating to Court procedures, have been maintained by the GDPR Implementation Law.

Please consider the "Important note" in section "Laws", as well.

Scope

The material scope of the GDPR Implementation Law includes the processing of personal data wholly or partly by automated means and the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system, by:

  • public bodies, i.e. public authorities; independent and regulatory authorities; legal entities of public law; regional and local authorities as well as any legal entities and companies belonging to the latter; state and public companies and organisations; and legal entities of private law belonging to the State or financed, at least by 50%, by the State, or whose management is appointed by the State; or
  • other legal persons or bodies without legal personality, or natural persons unless the data processing is carried out in the course of a purely personal or household activity.

It follows that the GDPR Implementation Law introduces "public bodies" as a separate category of addressees of the law, alongside (regular) controllers and processors (see also section "Penalties/enforcement" for a subcategory of "public bodies"). Other than the household exemption, the GDPR Implementation Law does not reiterate the full list of excluded subject matters of Article 2(2) GDPR, which is partly understandable since the same act transposes Directive (EU) 2016/680 (i.e. the Data Protection Law Enforcement Directive). Please consider the "Important note" in section "Laws", as well.

The territorial scope of the GDPR Implementation Law includes:

  • the public bodies; and
  • other legal persons or bodies without legal personality or natural persons (unless within the household exemption), if (i) the controller or processor processes personal data inside the territory of Greece; (ii) the personal data is processed in the context of the activities of an establishment of a controller or a processor inside the territory of Greece; or (iii) the data processing falls within the GDPR scope although the controller or processor has no establishment in an EU/EEA Member State.

It follows that the territorial scope of the GDPR Implementation Law is based on the establishment and, by inference, the targeting criterion of Article 3(1) and (2) GDPR, respectively. However, at the same time, the targeting criterion seems to involve data subjects anywhere in the EU/EEA (i.e. not only in Greece), and, in addition thereto, the scope catches processing operations carried out in Greece, even if the criteria of the GDPR territorial scope are not met. Please consider the "Important note" in section "Laws", as well.

Penalties/enforcement

The GDPR lays down administrative fines which, depending on the nature and characteristics of the infringement, may reach up to 10 million Euros or 2% of the total worldwide annual turnover, and up to 20 million Euros or 4% of the total worldwide annual turnover, respectively. The GDPR Implementation Law follows the same pattern; however, it provides for reduced fines when it comes to violations by certain public sector entities, i.e. a subcategory of public bodies (see section "Scope").

In addition to the administrative fines introduced by the GDPR, the GDPR Implementation Law lays down criminal sanctions for violations of the GDPR. Depending on the circumstances, those may be treated either as misdemeanours or felonies and are punishable with imprisonment or incarceration and monetary penalties amounting up to 300,000 Euros.

Please consider the "Important note" in section "Laws", as well.

Registration/notification

After the GDPR took effect on 25 May 2018, controllers no longer have to notify their processing operations to the HDPA or seek approval by the HDPA concerning processing operations involving sensitive data, as was, conversely, the case until then under Law 2472/1997 (see also section "stage of legislative implementation of GDPR" for more details). By the same token, the GDPR Implementation Law has not introduced any registration or notification requirements for data processing operations.

Having said that, according to Article 36 GDPR, the controller is required to consult the HDPA prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

Main obligations and processing requirements

The main obligations and processing requirements foreseen in the GDPR Implementation Law reflect the GDPR, without prejudice to a number of deviations, as explained above.

Also, it is to be noted that the GDPR Implementation Law has not authorised the processing of personal data relating to criminal convictions and offences (Article 10 GDPR), with the exception of a single provision relating to such processing balanced against the freedom of expression and information. Therefore, there is uncertainty as to whether such personal data could be processed other than under the control of an official authority, such as in the context of an employment relationship. It is noteworthy that under Law 2472/1997, whose definitions have been maintained by Article 84 of the GDPR Implementation Law, data relating to criminal convictions and offences were part of the category of sensitive data.

Please consider the "Important note" in section "Laws", as well.

Data subject rights

The main data subject rights laid down in the GDPR Implementation Law reflect the GDPR. Nevertheless, a number of provisions introduce restrictions on the data subject rights, such as inter alia:

  • All data subject rights may be denied to the extent it is necessary in order to reconcile the right to personal data protection with the freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.
  • The right of access, the rights to rectification, restriction, data portability and the right to object may be restricted in the context of processing for archiving purposes in the public interest, on the basis of a balancing test.
  • The right of access, the rights to rectification, restriction and the right to object may be restricted in the context of processing for scientific or historical research purposes or statistical purposes, on the basis of a balancing test.
  • The right to information under Articles 13 and 14 GDPR does not apply, where, amongst others, it would put at risk the discharging by a public body of its duties.
  • The right of access does not apply, for instance, where data have been stored as a result of a regulatory obligation, while granting access would require a disproportionate effort, and available technical and organisational measures do not allow further processing.
  • The right to erasure does not apply if, for instance, it relates to processing carried out without automated means, where the applicable storage technique would require a disproportionate effort to enable deletion.
  • The right to object does not apply before public bodies if there is an imperative public interest in the processing, overriding the interests of the data subject, or if there is a statutory obligation.

Please consider the "Important note" in section "Laws", as well.

Processing by third parties

There is no deviation from Article 28 GDPR.

Transfers out of country

There is no deviation from Chapter V of the GDPR (transfers of personal data to third countries or international organisations), except where it is established that it is necessary to deviate therefrom, on the basis of a balancing test of the right to personal data protection with the freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.

Please consider the "Important note" in section "Laws", as well.

Data Protection Officer

There is no deviation from the GDPR. Having said that, the GDPR Implementation Law introduces detailed rules and requirements as regards the DPO post within public bodies.

Security

There is no deviation from Chapter IV of the GDPR, except where it is established that it is necessary to deviate therefrom, on the basis of a balancing test of the right to personal data protection with the freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression. In such cases, controllers are exempted, for instance, from the obligations to notify data breaches, carry out data protection impact assessments, keep records of processing activities etc. Nevertheless, the obligations to have in place a controller-processor data processing agreement (Articles 28 and 29 GDPR), and take appropriate technical and organisational measures for the security of the processing (Article 32 GDPR) shall always apply.

Please consider the "Important note" in section "Laws", as well.

Breach notification

There is no deviation from the GDPR, except:

  • where it is established that it is necessary to deviate from the obligation to notify the supervisory authority or the data subjects affected of a data breach, on the basis of a balancing test of the right to personal data protection with the freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression; or
  • where the obligation to notify the data subjects concerned of a data breach (likely to result in a high risk) runs counter to an overriding interest in keeping such information confidential.

Furthermore, according to Article 12(5) of Law 3471/2006, providers of publicly available electronic communications services are required to notify the HACSP and the HDPA of personal data breaches.

Please consider the "Important note" in section "Laws", as well.

Direct marketing

According to Article 11 of Law 3471/2006, unsolicited communications (incl. by email, fax, automatic calling machines, text messages, etc.), without human intervention, for the purposes of direct marketing, are allowed only in respect of subscribers who have given their prior consent.

Where users register on a marketer's website to receive direct marketing communications through email, the HDPA requires either the provision of additional information or a double opt-in function in order to verify that the owner of the email address and the user concerned is the same person. Further requirements apply to marketing through other means.

The HDPA has indicated in its Opinion 2/2011 that consent cannot extend to a period longer than 6 months following the last direct marketing communication.

Please note that providers of publicly available electronic communications services maintain "do not call me" lists allowing users to object in advance to any direct marketing call with human intervention.

An exemption from the consent requirement is laid down in Law 3471/2006 when it comes to direct marketing communications through email, provided that:

  • the email address of the recipient has been obtained by the marketer in accordance with the data protection legislation (i.e. all conditions for lawful processing having been met, including the provision of a fully-fledged privacy notice) in the context of the sale of its products or services, thereby making the recipient a customer of the marketer,
  • the recipient-customer was given the opportunity to object, free of charge and in an easy manner (opt-out), to the use of his/her e-mail address at the time of their collection by the marketer,
  • the recipient-customer is given the opportunity to object (opt-out), in the same way, on the occasion of each marketing message (e.g. through an unsubscribe link), and
  • the communication relates to "similar products or services" of the marketer or is intended for "similar purposes".

Cookies

According to Article 4(5) of Law 3471/2006, the use of cookies is only allowed if the user has consented thereto after having been provided with clear and extensive information under the data protection legislation.

Consent should be sought through appropriate means, such as pop-up windows. It is also possible to obtain consent through the browser settings as long as the browser rejects all cookies by default and enables users to give their consent on a cookie-by-cookie basis.

The informed consent requirement does not apply if cookies are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provision of information society services that are explicitly requested by the subscriber or user. According to the HDPA, this exemption applies to the categories of cookies indicated in WP29 Opinion 04/2012 on Cookie Consent Exemption, i.e.:

  • User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases.
  • Authentication cookies, used for authenticated services, for the duration of a session.
  • User centric security cookies, used to detect authentication abuses, for a limited persistent duration.
  • Multimedia content player session cookies, such as flash player cookies, for the duration of a session.
  • Load balancing session cookies, for the duration of a session.
  • UI customization persistent cookies, for the duration of a session (or slightly more).
  • Third party social plug-in content sharing cookies, for logged in members of a social network.

On the other hand, cookies serving online advertising do not fall within the above exemption, but can be used only following the user's informed consent. The same applies to cookies for web analytics (HDPA Opinion 7/2011).

Cyber Security

Last reviewed 14 November 2019

Risk scale

Orange

Laws and regulations

  • Law 4577/2018 on network and information systems security and other matters ("NIS Law"), transposing Directive (EU) 2016/1148 (NIS Directive).
  • Ministerial Decision 1027/4.10.2019 (Government Gazette Vol. B, 3739/2019) on implementation measures of NIS Law ("NIS Implementation Decision").

Application

The NIS Law establishes amongst others requirements on security and incident notification, addressed to operators of essential services and digital service providers, as they are defined in the NIS Directive.

According to Article 4 NIS Law, the operators of essential services falling within its scope are to be determined by the Minister for Digital Governance, following a proposal of the National Authority for Cybersecurity ("NAC"; see below). These include organisations established in Greece and active within the following sectors: energy (electricity, oil, gas); transport (air, rail, water and road transport); banking; financial market infrastructures; health sector (health care settings including hospitals and private clinics); drinking water supply and distribution; and digital infrastructures.

The NIS Implementation Decision lays down in Article 16 the methodology and criteria for determining the operators of essential services.

Authority

The Directorate-General for Cybersecurity at the Ministry for Digital Governance acts as the National Authority for Cybersecurity ("NAC"), i.e. the national competent authority on the security of network and information systems. The NAC also acts as the single point of contact on the security of network and information systems according to the NIS Directive.

Key obligations

Operators of essential services are required:

  • to implement technical and organisational measures in order to manage the risks posed to the security of network and information systems which they use in their operations;
  • to implement appropriate measures in order to prevent and minimise the impact of security incidents; and
  • to notify without undue delay, and in any event within 24 hours, the NAC and the competent CSIRT of security incidents having a significant impact on the continuity of the essential services they provide.

Subject to the specifications of Commission Implementing Regulation (EU) 2018/151, digital service providers are required (except if they qualify as micro or small enterprises as defined in Commission Recommendation 2003/361/EC):

  • to implement technical and organisational measures in order to manage the risks posed to the security of network and information systems which they use in the context of online marketplaces, online search engines, or cloud computing services;
  • to implement appropriate measures in order to prevent and minimise the impact of security incidents; and
  • to notify without undue delay, and in any event within 24 hours, the NAC and the competent CSIRT of security incidents having a substantial impact on the provision of services in the above contexts.

Detailed rules on system security requirements and notification of incidents, for both operators of essential services and digital service providers, are laid down in the NIS Implementation Decision.

Penalties/enforcement

Article 15 NIS Law lays down administrative fines for violations of the incident notification requirements, or for failure to implement technical and organisational measures or to respond to a request or audit, which range from 15,000 to 200,000 Euros, depending on the nature of the infringement.

Procedures and criteria regarding the imposition of fines, including other sanctions such as reprimands and warnings, are provided for in Articles 13-15 NIS Implementation Decision.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes, it is the National Authority Against Electronic Attacks (NAAEA) – National CERT.

Also, according to NIS Law, the Directorate for Cyber-Defense of the Hellenic National Defense General Staff has been designated as the competent CSIRT.

Is there a national incident management structure for responding to cyber security incidents?

No. Nevertheless, such a structure is among the deliverables under the National Cybersecurity Strategy, which was released in March 2018 and is currently subject to revision following the passing of the NIS Law.

Authors

Vassilis Karantounias
Senior Counsel
Brussels - EU Law Office