Guide to Implementing GDPR at a National Level: Greece

In this segment: Legislation and Personal Data (Deceased and Children), Legal Bases, Consent for Children, and Processing of Sensitive Personal Data (all within the context of Greek jurisdiction).

Greece has fully implemented the General Data Protection Regulation (GDPR) through national legislation, specifically Law 4624/2019. This law aligns Greece's data protection framework with the GDPR and establishes the Personal Data Protection Authority, responsible for enforcement and oversight.

Processing of National Identification Number

In Greece, there are no specific provisions governing the processing of a national identification number.

Complaints and Annulment of Decisions

Any natural person or legal entity in Greece may, subject to fulfilling certain conditions, apply for the annulment of a decision of the Data Protection Authority (DPA) or make a complaint on grounds of an omission by the DPA. However, there are no not-for-profit bodies in Greece that are mandated to bring claims on behalf of individuals without the specific mandate of those individuals.

Penalties for Unlawful Data Interference

Anyone who intentionally and unlawfully interferes with a personal data file in Greece is liable to imprisonment of up to one year. If the unlawful actions relate to sensitive personal data or personal data relating to criminal convictions, they are punishable by imprisonment for a term of ten days up to five years and a penalty of up to €100,000.

The Role of the Hellenic Data Protection Authority

The Hellenic Data Protection Authority, located at 1-3 Kifissias Ave., 115 23 Athens, Greece, with a website at dpa.gr, plays a significant role in data protection. Following a complaint made in 2017 and after conducting an ex officio investigation, the DPA in Greece imposed its first monetary fine amounting to €150,000 for unlawful processing of personal data of employees.

The law in Greece grants the DPA additional powers including conducting audits, providing its view on statutory provisions, issuing warnings or orders to controllers and processors, and issuing orders imposing provisional or final restrictions or prohibitions on processing. The DPA also has the right to access all personal data that are being processed and obtain all information required for the purposes of the investigation and performance of its duties.

Consent under the GDPR, as applicable in Greece, must follow the GDPR’s strict rules, meaning it has to be freely given, specific, informed, and unambiguous, with explicit consent required for sensitive data categories such as health or ethnicity. The Greek law also incorporates the GDPR rules concerning data subjects’ rights, appointment of data protection officers, registration formalities, and processing conditions.

Data Transfers and Processing for Specific Purposes

Data transfers from public registers in Greece are not subject to specific rules. Data transfers are not subject to restrictions beyond those set out in the GDPR. The processing of personal data for academic, artistic or literary expression and journalistic purposes is permitted in Greece, subject to certain conditions. In all of the abovementioned cases, the processing of personal data, especially the processing of sensitive personal data, is limited to what is strictly necessary.

Fines for Public Authorities

The DPA can impose fines on public authorities up to €10 million in Greece, considering factors such as the nature, gravity and duration of the infringement, the number of data subjects affected and the level of harm suffered, any action taken to mitigate the harm, any relevant previous infringements, the manner in which the infringement became known to the DPA, and whether measures referred to in Art. 58 (2) GDPR have previously been ordered against the relevant public authority.

Employment Context

In the employment context in Greece, employee personal data can be processed for the purposes of the employment contract, when it is strictly necessary for a hiring decision, or for the management of the employment relationship. Employees' consent is exceptionally permitted as a lawful basis for processing the employees' personal data, and such consent must be in writing and separate from the employment contract. Sensitive personal data may be processed to the extent necessary for the exercise of rights and the fulfilment of legal obligations arising from employment law or social security law. The processing of employees' personal data may be based on collective employment agreements. The use of CCTV systems in the working areas is permitted only if it is necessary for the protection of individuals and assets.

Templates and Standardised Forms

The Hellenic Data Protection Authority has published template registries of processing activities to be used by data controllers and data processors, standardized notification forms for personal data breaches, different template complaint forms to be used by data subjects depending on the nature of the complaint, the list of the processing activities which require an impact assessment, and standardized applications for prior consultation with the DPA.

In summary, Greece fully applies the GDPR through Law 4624/2019 with corresponding national enforcement via the Personal Data Protection Authority but does not appear to impose unique or additional substantive requirements beyond the GDPR standards themselves. Any specific conditions would typically relate to the implementation and enforcement regime rather than altering GDPR’s core principles or rights.

  1. White & Case LLP's services, encompassing international law practices and regulatory compliance, provide valuable insights into Greece's implementation of the General Data Protection Regulation (GDPR).
  2. In the science and health-and-wellness sector, Greek corporate entities must adhere to GDPR rules for consent and data subject rights, ensuring that there is no ambiguity when collecting sensitive personal data such as health information.
  3. For partners and associates in White & Case's intellectual property law practice, understanding Greece's GDPR compliance is crucial, considering the strict requirements for consent and data subject rights, data transfers, and processing for specific purposes.
  4. Published on White & Case's website (whitecase.com), the firm shares news, publications, and detailed analysis on Greece's GDPR implementation, offering guidance for clients navigating the legal landscape.
  5. In the employment context within Greece, data controllers must be mindful of the strict rules for consent and the processing of sensitive personal data, ensuring that they process employees' personal data lawfully and ethically in accordance with GDPR and local law.
  6. The Hellenic Data Protection Authority provides template registries, standardized forms, and guidelines, enabling Greek organizations to satisfy their GDPR obligations effectively, while encouraging transparency and accountability.
  7. In the public sphere, the DPA in Greece imposes significant fines on public authorities for noncompliance, providing a strong incentive for public entities to develop robust privacy practices and adhere to GDPR principles.
  8. To better understand the nuances of GDPR within the Greek context, legal practitioners should dive deep into the requirements regarding data transfers, processing for specific purposes, and employees' data protection rights.
  9. Individuals and organizations can benefit from White & Case's expertise in GDPR compliance and its comprehensive understanding of the unique aspects of Greece's legal landscape, ensuring both compliance with legal obligations and a strong focus on safeguarding personal data and maintaining a strong reputation in the health-and-wellness, science, and corporate sectors.
