DATA PROTECTION
LAWS OF THE WORLD
Greece
Downloaded: 18 June 2017
GREECE
Last modified 26 January 2017
LAW
Greece implemented the EU Data Protection Directive 95/46/EC in October 1997 by Law 2472/1997 on the Protection of
Individuals with regard to the Processing of Personal Data, as amended (‘Law’). Such law is currently in force as amended by Laws
3471/2006, 3783/2009, 3917/2011, 4024/2011, 4070/2012 and 4139/2013.
Enforcement is through the Data Protection Authority (‘DPA’).
DEFINITIONS
Definition of personal data
‘Personal data’ shall mean any information relating to the data subject. Consolidated data of a statistical nature, from which data
subjects may no longer be identified, is not considered personal data.
Definition of sensitive personal data
‘Sensitive data’ shall mean data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs,
membership of a trade union, health, social welfare and sex life, criminal charges or convictions, as well as membership of societies
dealing with the aforementioned areas.
NATIONAL DATA PROTECTION AUTHORITY
Data Protection Authority
1-3 Kifissias Avenue, Athens, Greece.
T 2106475600
F 2106475628
[email protected]
The DPA is responsible for overseeing the Data Protection Law.
REGISTRATION
The data controller must notify the DPA in writing about the establishment and operation of a file or the commencement of data
processing. In the course of the aforementioned notification, the data controller must necessarily declare the following:
His/her name, trade name or distinctive title, as well as his/her address
2 | Data Protection Laws of the World | Greece | http://www.dlapiperdataprotection.com
The address where the file or the main hardware supporting the data processing is established
The description of the purpose of the processing of personal data included or about to be included in the file
The category of personal data that is being processed or about to be processed or included or about to be included in the
file
The time period during which s/he intends to carry out data processing or preserve the file
The recipients or the categories of recipients to whom such personal data is or may be communicated
Any transfer and the purpose of such transfer of personal data to third countries
The basic characteristics of the system and the safety measures taken for the protection of the file or data processing.
The above data is then registered with the Files and Data Processing Register kept by the DPA. Any modification of the above data
must be communicated in writing and without any undue delay by the data controller to the DPA.
DATA PROTECTION OFFICERS
There is no requirement in Greece for organisations to appoint a data protection officer.
COLLECTION & PROCESSING
Processing personal data
Collection and processing of personal data is permitted only when the data subject has given his/her consent. Exceptionally, data
may be processed even without such consent, but only if:
processing is necessary for the execution of a contract to which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract
processing is necessary for the compliance with a legal obligation to which the data controller is subject
processing is necessary in order to protect the vital interests of the data subject, if s/he is physically or legally incapable of
giving his/her consent
processing is necessary for the performance of a task carried out in the public interest or a project carried out in the
exercise of public function by a public authority or assigned by it to the data controller or a third party to whom such data
are communicated
processing is absolutely necessary for the purposes of a legitimate interest pursued by the data controller or a third party
or third parties to whom the data is communicated and on condition that such a legitimate interest evidently prevails over
the rights and interests of the persons to whom the data refer and that their fundamental freedoms are not affected
Processing sensitive personal data
The collection and processing of sensitive data is prohibited. Exceptionally, the collection and processing of sensitive data, as well
as the establishment and operation of the relevant file, is permitted by the DPA, when one or more of the following conditions
occur:
the data subject has given his/her written consent, unless such consent has been extracted in a manner contrary to the
law or boni mores, or if the law provides that any consent given may not lift the relevant prohibition
processing is necessary to protect the vital interests of the data subject or the interests provided for by the law of a third
party, if s/he is physically or legally incapable of giving his/her consent
processing relates to data made public by the data subject or is necessary for the recognition, exercise or defence of
rights in a court of justice or before a disciplinary body
processing relates to health matters and is carried out by a health professional subject to the obligation of professional
secrecy or relevant codes of conduct, provided that such processing is necessary for the purposes of preventive medicine,
medical diagnosis, the provision of care or treatment or the management of health care services
processing is carried out by a Public Authority and is necessary for the purposes of:
national security
criminal or correctional policy and pertains to the detection of offences, criminal convictions or security measures
protection of public health, or
the exercise of public control on fiscal or social services
processing is carried out exclusively for research and scientific purposes provided that anonymity is maintained and all
necessary measures for the protection of the persons involved are taken, or
processing concerns data pertaining to public figures, provided that such data are in connection with the holding of a public
office or the management of third parties’ interests, and is carried out solely for journalistic purposes. The DPA may grant
a permit only if such processing is absolutely necessary in order to ensure the right to information on matters of public
interest, as well as within the framework of literary expression, and provided that the right to protection of private and
family life is not violated in any way whatsoever.
The DPA grants a permit for the collection and processing of sensitive data, as well as a permit for the establishment and
operation of the relevant file, upon request of the data controller.
The permit is issued for a specific period of time, depending on the purpose of the data processing. It may be renewed upon
request of the data controller.
The permit must necessarily contain the following:
the full name or trade name or distinctive title, as well as the address, of the data controller and his/her representative, if
any
the address of the place where the file is established
the categories of personal data which are allowed to be included in the file
the time period for which the permit is granted
the terms and conditions, if any, imposed by the DPA for the establishment and operation of the file, and
the obligation to disclose the recipient or recipients as soon as they are identified.
A copy of the permit is registered with the Permits Register kept by the DPA. Any change in the above data must be
communicated without undue delay to the DPA. Any change other than a change of address of the data controller or his/her
representative must entail the issuance of a new permit, provided that the terms and conditions stipulated by law are fulfilled.
TRANSFER
The transfer of personal data is permitted:
For member states of the European Union
For a non-member of the European Union following a permit granted by the DPA if it deems that the country in question
guarantees an adequate level of protection. For this purpose it shall particularly take into account the nature of the data,
the purpose and the duration of the processing, the relevant general and particular rules of law, the codes of conduct, the
security measures for the protection of personal data, as well as the protection level in the countries of origin, transit and
final destination of the data. A permit by the DPA is not required if the European Commission has decided, on the basis of
the process of article 31, paragraph 2 of Directive 95/46/EC of the Parliament and the Council of 24 October 1995, that
the country in question guarantees an adequate level of protection, in the sense of article 25 of the aforementioned
Directive.
The transfer of personal data to a non-member state of the European Union which does not ensure an adequate level of
protection is exceptionally allowed only following a permit granted by the DPA, provided that one or more of the following
conditions occur:
The data subject has consented to such transfer, unless such consent has been extracted in a manner contrary to the law
or boni mores
The transfer is necessary:
In order to protect the vital interests of the data subject, provided s/he is physically or legally incapable of giving
his/her consent
For the conclusion and performance of a contract between the data subject and the data controller or between
the data controller and a third party in the interest of the data subject, if he/she is incapable of giving his/her
consent, or
For the implementation of pre-contractual measures taken in response to the data subject’s request
The transfer is necessary in order to address an exceptional need and safeguard a superior public interest, especially for
the performance of a co-operation agreement with the public authorities of the other country, provided that the data
controller provides adequate safeguards with respect to the protection of privacy and fundamental liberties and the
exercise of the corresponding rights
The transfer is necessary for the establishment, exercise or defence of a right in court
The transfer is made from a public register which by law is intended to provide information to the public and which is
accessible by the public or by any person who can demonstrate a legitimate interest, provided that the conditions set out
by law for access to such register are in each particular case fulfilled, or
The data controller provides adequate safeguards with respect to the protection of the data subjects’ personal data
and the exercise of their rights, where the safeguards arise from contractual clauses which are in accordance with the
provisions of the Law. A permit is not required where the Standard Contractual Clauses approved by the
European Commission have been executed.
Following the approval by the European Commission of the Privacy Shield, it has been possible since 1 August 2016 to
transfer data to the US using that mechanism. The other tools available for the transfer of personal data outside the
EU are the execution of the Standard Contractual Clauses and the implementation of Binding Corporate Rules.
SECURITY
The processing of personal data must be confidential. It must be carried out solely and exclusively by persons acting under the
authority of the data controller or the processor and upon his/her instructions.
In order to carry out data processing the data controller must choose persons with corresponding professional qualifications
providing sufficient guarantees in respect of technical expertise and personal integrity to ensure such confidentiality.
The data controller must implement appropriate organisational and technical measures to secure data and protect it against
accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access as well as any other form of
unlawful processing. Such measures must ensure a level of security appropriate to the risks presented by processing and the
nature of the data subject to processing.
If the data processing is carried out on behalf of the data controller, by a person not dependent upon him, the relevant assignment
must necessarily be in writing. Such assignment must necessarily provide that the processor carries out such data processing only
on instructions from the data controller and that all other confidentiality obligations must mutatis mutandis be borne by him.
BREACH NOTIFICATION
There is no mandatory requirement in the Law to report data security breaches or losses to the DPA or to data subjects.
ENFORCEMENT
The DPA may impose on the data controllers or on their representatives, if any, the following administrative sanctions for breach
of their duties arising from the Law as well as from any other regulation on the protection of individuals from the processing of
personal data:
a warning with an order for the violation to cease within a specified time limit
a fine amounting between EUR 880 and EUR 147,000
a temporary revocation of the permit
a definitive revocation of the permit, or
the destruction of the file or a ban on the processing and the destruction, return or locking of the relevant data.
In addition the following penal sanctions may be imposed:
anyone who fails to notify the DPA of the establishment or the operation of a file or any change in the terms and
conditions regarding the granting of the permit will be punished by imprisonment for up to three years and a fine
amounting between EUR 2,940 and EUR 14,705
anyone who keeps a file without a permit or in breach of the terms and conditions referred to in the DPA’s permit will be
punished by imprisonment for a period of at least one year and a fine amounting between EUR 2,940 and EUR 14,705
anyone who proceeds to the interconnection of files without notifying the DPA accordingly will be punished by
imprisonment for up to three years and a fine amounting between EUR 2,940 and EUR 14,705. Anyone who proceeds to
the interconnection of files without the DPA’s permit, wherever such permit is required, or in breach of the terms of the
permit granted to him, will be punished by imprisonment for a period of at least one year and a fine amounting between
EUR 2,940 and EUR 14,705
anyone who unlawfully interferes in any way whatsoever with a personal data file or takes notice of such data or extracts,
alters, affects in a harmful manner, destroys, processes, transfers, discloses, makes accessible to unauthorised persons or
permits such persons to take notice of such data or anyone who exploits such data in any way whatsoever, will be
punished by imprisonment and a fine and, regarding sensitive data, by imprisonment for a period of at least one year and a
fine amounting between EUR 2,940 and EUR 29,411, unless otherwise subject to more serious sanctions
any data controller who does not comply with decisions issued by the DPA in the exercise of the right of access, in the
exercise of the right to object, as well as with acts imposing the administrative sanctions will be punished by imprisonment
for a period of at least two years and a fine amounting between EUR 2,940 and EUR 14,705. The sanctions referred to in
the preceding sentence will also apply to any data controller who transfers personal data, in breach of the Law
if the data controller is not a natural person, then the representative(s) of the legal entity shall be liable, and
finally, any natural person or legal entity of private law, who in breach of the Law, causes material damage will be liable for
damages in full. If the same causes non-pecuniary damage, s/he will be liable for compensation. Liability subsists even when
said person or entity should have known that such damage could be brought about. The compensation payable according
to article 932 of the Civil Code for non-pecuniary damage caused in breach of the Law has been set at the amount of at
least EUR 5,882, unless the plaintiff claims a lesser amount or the said breach was due to negligence. Such compensation
shall be awarded irrespective of the claim for damages.
ELECTRONIC MARKETING
Electronic marketing is regulated by Law 3471/2006 ‘for the protection of personal data and privacy in electronic communications’
(the ‘Law’), in combination with the general provisions of Law 2472/1997 ‘for the protection of individuals from the processing of
personal data’ (the ‘Data Protection Act’).
According to the provisions of article 11 of the Law, data processing for electronic marketing purposes is allowed only upon the
individuals’ prior express consent. The said article prohibits the use of automated calling systems for marketing purposes to
subscribers that have previously declared to the public electronic communications services providers ('CSPs') that they do not
wish to receive such calls in general. The CSPs must register these declarations for free on a separate publicly accessible list.
Personal data (such as e-mail addresses) that have been legally obtained in the course of sales of products, provision of services or
any other transaction may be used for electronic marketing purposes without the receiver’s prior consent, provided that
the receiver of such email has the possibility to ‘opt out’, free of charge, of the collection and processing of his/her personal data for the
aforementioned purposes.
Direct marketing emails or advertising emails of any kind are absolutely prohibited, when the identity of the sender is disguised or
concealed and also when no valid address, to which the receivers can address requests for the termination of such
communications, is provided.
ONLINE PRIVACY
Articles 4 and 6 of the Law (as amended by Directive 2009/136/EC) deal with the collection of location and traffic data by CSPs
and the use of cookies and similar technologies.
Traffic data
Traffic data of subscribers or users held by a CSP must be erased or anonymised after the termination of a communication, unless
they are retained for one of the following reasons:
The billing of subscribers and the payment of interconnections, provided that the subscribers are informed of the
categories of traffic data that are being processed and the duration of processing, which must not exceed 12 months from
the date of the communication (unless the bill is disputed or unpaid).
Marketing of electronic communications services or value-added services, to the extent that traffic data processing is
absolutely necessary and following the subscriber’s or the user’s prior express consent, given after s/he has been informed
of the categories of traffic data that are being processed and the duration of the processing. Such consent may be
freely withdrawn. The provision of electronic communication services by the CSP must not depend on the subscriber’s
consent to the processing of his/her traffic data for other purposes (e.g. marketing purposes).
Location data
Location data may be processed for the provision of value-added services only if such data are anonymised or with the
subscriber’s/user’s express consent, to the extent and for the duration for which such processing is absolutely necessary. The
CSP must previously notify the user or the subscriber of the categories of location data that are being processed, the purposes
and the duration of the processing, as well as of the third parties to which the data will be transmitted for value-added services
provision. The subscriber’s/user’s consent may be freely withdrawn and the ‘opt out’ possibility must be provided to the subscriber
by the CSP free of charge and by simple means, each time s/he connects to the network or in each transmission of a
communication.
Location data processing is allowed exceptionally without the subscriber’s/user’s prior consent to authorities dealing with
emergencies, such as prosecution authorities, first aid or fire-brigade authorities, when the location of the caller is necessary for
serving such emergency purposes.
Cookie compliance
The use and storage of cookies and similar technologies is allowed when the subscriber/user has provided his/her express consent,
after being comprehensively and thoroughly informed by the CSP. The subscriber’s consent may be provided through the necessary
browser settings or through the use of other applications.
These requirements do not prevent the technical storage or use of cookies for purposes relating exclusively to the transmission of a
communication through an electronic communications network, or for the provision of an information society service which the
subscriber or the user has specifically requested. The Data Protection Authority is the competent authority for the issuance of an
Act which will regulate the ways such services will be provided and the subscribers’ consent will be declared.
KEY CONTACTS
Kyriakides Georgopoulos Law Firm
www.kglawfirm.gr
Effie Mitsopoulou
Partner
T +30 210 817 1540
[email protected]
Disclaimer
DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be
found at www.dlapiper.com.
This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client
relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA
Piper will accept no responsibility for any actions taken or not taken on the basis of this publication.
This may qualify as 'Lawyer Advertising' requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
Copyright © 2017 DLA Piper. All rights reserved.