[co-authors: Mary Deligianni and Yolanda Antoniou-Rapti, Zepos & Yannopoulos]

Greece

In this chapter:

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

Greece has implemented the requirements of the GDPR through new legislation, in the form of Law 4624/2019 (“Data Protection Law”), which entered into force on 29 August 2019.

———

(b) Relevant legislation includes:

• Law 4624/2019
  • Date in force: 29 August 2019
  • Link: see here

———

(c) What is the status of national pre-GDPR data protection law?

The main piece of legislation that governed the processing of personal data before the entry into force of the GDPR was Law 2472/1997, which has been repealed with the exception of a few provisions that remain in force. These provisions mainly refer to the registry, which is retained by the Greek DPA, which defines some terms and provides rules in relation to the establishment and operation of the DPA including which individuals may register to stop receiving marketing materials by post.

———

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

There are no specific rules governing this issue.

———

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

The Data Protection Law includes specific rules regarding the processing of personal data in compliance with a legal obligation in the following cases:

• the processing of sensitive personal data is permitted when, among other things, such processing is necessary for the exercise of rights of social security and social welfare and the fulfilment of similar obligations; and
• the processing of sensitive personal data in the employment context is permitted, when, among other things, such processing is necessary for the exercise of rights or the fulfilment of lawful obligations arising from labour and the social security laws and the legitimate interest of the data subject do not prevail over the interests of the data controller in relation to the processing of data.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

The Data Protection Law includes a significant number of provisions governing the processing of personal data for the performance of tasks carried out in the public interest:

• the performance of tasks carried out by public bodies in the public interest or in the exercise of official authority;
• public bodies may process sensitive personal data to the extent necessary for reasons of substantial public interest, national or public security; or the implementation of humanitarian measures;
• disclosure of personal data, including sensitive personal data, from public bodies to private entities is permitted to the extent necessary for the performance of tasks vested with the public body;
• the obligation to provide notice under Art. 13 GDPR does not apply to public bodies subject to certain requirements (e.g., where it would jeopardise the proper fulfilment of the tasks of the public body);
• the obligation to provide notice under Art. 14 GDPR does not apply to public bodies in certain circumstances (e.g., where it would jeopardise the proper fulfilment of tasks of the public body, or create national security risks);
• there are exemptions to the right of access on the basis of national and public security; and
• there are exemptions to the right to object, on the basis of an imperative public interest.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

The Data Protection Law includes a significant number of provisions governing the processing of personal data in the exercise of official authority vested in the controller (see Q3(b) above).

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are separate rules for public bodies and private entities:

• public bodies may process personal data for new purposes when necessary:
  • to validate the data provided by the data subject, where there exists reasonable doubt as to its accuracy;
  • for purposes of national security, public security or taxation;
  • for the prosecution of criminal offences;
  • to prevent serious violations of rights of third persons; and
  • to generate official statistics; and
• private entities may further process personal data when necessary:
  • for national security purposes, following a request from a public body;
  • for the prosecution of criminal offences;
  • to establish, exercise and defend legal claims; and
  • except when the interests of the data subject override the interests of the data controller.

———

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

15 years of age.

———

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

The processing of genetic data for health and life insurance purposes is prohibited.

———

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

The processing of sensitive personal data is permitted when, among other things, it is necessary for the exercise of rights of social security and social welfare and the fulfilment of similar obligations. In an employment context, the processing of sensitive personal data is permitted when, among other things, such processing is necessary for compliance with employment law and social security law obligations.

(ii) Substantial public interest

The processing of sensitive personal data by a public body is permitted when it is essential for reasons of substantial public interest.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

There are no specific rules on processing this category of data.

(iv) Public interest in the area of public health

The processing of sensitive personal data is permitted when the processing is necessary for reasons of public interest in the area of public health.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

The processing of sensitive personal data for archiving purposes in the public interest is expressly permitted, and processing for scientific or historical research purposes and for statistical purposes is permitted without the consent of the data subject, provided that the interest of the data controller overrides the interest of the data subject.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

The only provision explicitly dealing with the processing of genetic data stipulates that the processing of genetic data for health and life insurance purposes is prohibited.

———

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

There are no specific rules on processing this category of data.

———

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

The right of erasure does not apply in the following scenarios:

• in cases of non-automated data processing, where erasure is impossible or only possible with disproportionate effort;
• the processing is unlawful and the data subject opposes the erasure of personal data and requests the restriction of their use instead;
• the controller no longer needs personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
• personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• personal data have been unlawfully processed and the controller has reasons to believe that erasure would harm the legitimate interests of the data subject;
• in cases of compliance with a legal obligation to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
• personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

Additionally, the right of erasure does not apply when the processing is conducted in the context of freedom of expression.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

A data subject’s right to be provided information does not apply in the following circumstances:

• the controller is a public body and providing the information could jeopardise the carrying out of its obligations or could endanger national or public security;
• the controller is a private entity and providing the information would damage the establishment, exercise or defence of legal claims;
• the controller is a private entity and the competent public body has declared to the controller that the publication of the data would put in danger the national defence or the national or public security; and
• the processing is conducted in the context of freedom of expression, including for purposes of academic, journalistic, artistic or literary expression.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

The only exemption which is established in the Data Protection Law as regards the data subject’s right to not be subject to a decision based solely on automated processing, including profiling, is when the processing is conducted in the context of freedom of expression, including for purposes of academic, journalistic, artistic or literary expression.

———

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

There is a general exemption of the data subject’s right when processing is conducted in the context of freedom of expression, including for purposes of academic, journalistic, artistic or literary expression.

———

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation that apply in general.

———

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

Impact Assessments are only required in accordance with the provisions of the GDPR.

———

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

DPOs of public bodies are under the obligation to keep the identity of the data subjects and any other information relating to them confidential, unless data subjects themselves make their personal data publicly available.

———

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———

Q15/ DPAs

(a) Details of the DPA(s).

• Name of DPA: Hellenic Data Protection Authority
  • Address: 1-3 Kifissias Ave., 115 23 Athens, Greece
  • Website: dpa.gr

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The law in Greece grants the DPAs the following additional powers:

• conducting audits, either ex officio or following a complaint;
• providing its view on any statutory provision which may be included in the law or any regulatory act;
• issuing warnings or orders to controllers and processors to comply with data protection legislation; and
• issuing orders imposing provisional or final restrictions or prohibitions on processing.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Subject to fulfilling certain conditions, any natural person or legal entity has the right to lodge an application for an annulment of a decision or a right to make a complaint on grounds of an omission by the DPA.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

While conducting audits, the DPA has the right to access all personal data that are being processed and obtain all information required for the purposes of the investigation and performance of its duties. That right is not subject to objections on grounds of confidentiality or secrecy, except in cases of identification data stored for national security purposes or detection of serious crimes.

———

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

The DPA can impose fines on public authorities up to €10 million. In imposing fines, the DPA must consider:

• the nature, gravity and duration of the infringement, the number of data subjects affected and the level of harm suffered;
• any action taken to mitigate the harm;
• any relevant previous infringements;
• the manner in which the infringement became known to the DPA; and
• whether measures referred to in Art. 58 (2) GDPR have previously been ordered against the relevant public authority.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

The following additional penalties/sanctions are available:

• anyone who intentionally and unlawfully interferes in any way whatsoever with a personal data file is liable for imprisonment of up to one year;
• anyone who transfers, offers, discloses or makes accessible data they obtained through the abovementioned means is liable for imprisonment of up to five years;
• if the unlawful actions relate to sensitive personal data or personal data relating to criminal convictions, such actions are punishable by imprisonment of a term of ten days up to five years and a penalty up to €100,000;
• where a perpetrator of the above acts with the intention to gain unlawful benefit, such acts are punishable with imprisonment of a term of five to ten years of imprisonment if the total of the benefit or the total of the damages exceeds €120,000; and
• if the abovementioned unlawful acts caused endangerment of democratic functions or national security they are punishable with imprisonment of a term of five to 20 years and a pecuniary penalty of up to €300,000.

———

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The processing of personal data for academic, artistic or literary expression and journalistic purposes is permitted in the following circumstances:

• when the data subject has provided his/her consent;
• when the processing relates to data that are being manifestly made public by the data subject; and
• when the processing is necessary to ensure freedom of expression and information.

In all of the abovementioned cases the processing of personal data, especially the processing of sensitive personal data, is limited to what is strictly necessary.

Chapters II-V, VII & IX, except for Arts. 5, 28-29 & 32 GDPR, do not apply where personal data are processed for the above purposes.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

See Q17(a) above.

———

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

There are no specific provisions governing this issue.

———

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

The following limitations apply to the processing of personal data in the context of employment:

• employee personal data can be processed for the purposes of the employment contract, when it is strictly necessary for a hiring decisions, or for the management of the employment relationship;
• employees’ consent to processing is exceptionally permitted as a lawful basis for the employees’ personal data, and such consent must be in writing and separate from the employment contract;
• sensitive personal data may be processed to the extent necessary for the exercise of rights and the fulfilment of legal obligations arising from employment law or social security law;
• the processing of employees’ personal data may be based on collective employment agreements; and
• the use of CCTV systems in the working areas is permitted only if it is necessary for the protection of individuals and assets.

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

See Q19 above.

———

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

There are no other material derogations.

———

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

Following a complaint made in 2017 and after conducting an ex officio investigation, the DPA imposed its first monetary fine amounting to €150,000 for unlawful processing of personal data of employees.

———

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The following guidelines and tools have been published by the DPA:

• template registries of processing activities to be used by data controllers and data processors (see here (in Greek));
• standardised notification form for personal data breaches (see here (in English));
• different template complaint forms to be used by data subjects depending on the nature of the complaint (e.g., spam emails/SMS, unsolicited telephone calls, violation of data subject’s rights) (see here (in English));
• the list of the processing activities which require an impact assessment (see here (in English)); and
• standardised applications for prior consultation with the DPA (see here (in Greek)).

———

[View source.]