
Greece

Summary

Law: Law 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions (the Law), and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: The Hellenic Data Protection Authority (HDPA)

Summary: Greece implemented the GDPR in 2019 through Law 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions (the Law).

In addition, Law 3471/2006 on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector and Amendment of Law 2472/1997 (the Electronic Telecommunications Law) governs cookies and other trackers.

The Law derogates from the GDPR with respect to the processing of special categories of data for scientific and historical research purposes. Additionally, the Law sets out some requirements for the processing of employee data.

The Hellenic Data Protection Authority (HDPA) is the supervisory authority under the Law. The HDPA has been particularly active in releasing guidelines on GDPR compliance, and has covered topics such as cookies and other trackers, breach notifications, accountability, and processing records. The HDPA has also issued a list of the kinds of processing operations that are subject to the requirement for a Data Protection Impact Assessment. In addition, the HDPA has conducted several enforcement actions and issued fines ranging from €5,000 to €20 million for unlawful processing of employee data, transparency violations, non-compliance with access requests, and inadequate security measures. On January 27, 2020, the HDPA issued an opinion (only available in Greek) which discusses the incompatibility of certain provisions of the Law with the GDPR.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.

Greek Law 4961/2022 on 'Emerging information and communications technologies, strengthening digital governance and other provisions' ('the Law') creates one of the first unified frameworks on emerging technologies within the EU. The Law attempts to address the possible impact that emerging technologies may have on everyday life and especially on fundamental human rights. Spiros Tassis, Founder at Tassis & Associates Law Office, provides a look into the Law and its purpose.