Greece - Data Protection Overview

August 2024

1. Governing Texts

In Greece, the protection of a person's personal data against any collection, processing, and use is constitutionally safeguarded (see Article 9A of the Constitution of Greece, as revised in 2001). Pursuant to that provision, an independent authority shall ensure the protection of personal data.

The Hellenic Data Protection Authority (HDPA) serves as the competent national regulatory authority, entitled to supervise and enforce the application of data protection rules in the Greek territory. The main legal framework consists of the rules under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the national implementation law. The HDPA also follows EU guidance (e.g., guidelines and recommendations by the European Data Protection Board (EDPB)) in exercising its regulatory powers.

In 2024, the HDPA issued a series of decisions involving, inter alia:

  • the non-satisfaction of data subjects' rights;
  • the infringement of the principles for the processing of personal data;
  • the failure to notify data breaches; and
  • the failure to implement the requisite technical and organizational measures.

Among the highest fines imposed by the HDPA (€2,995,140, €400,000, and €127,709) were those for failure to implement appropriate technical and organizational measures and for failure to comply with the principles for the processing of personal data.

Based on the HDPA's statistics for the period between July 11, 2023, and April 23, 2024, the number of complaints lodged before the HDPA amounted to 1,332, whereas 167 data breach incidents were notified to the HDPA.

1.1. Key acts, regulations, directives, bills

Law No. 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions (only available in Greek here) (the Data Protection Law), which implements certain provisions of the GDPR, is, together with the GDPR, the basic national legal framework on personal data protection in Greece.

Apart from the Data Protection Law, Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector (the Electronic Communications Law), as in force, incorporates the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the e-Privacy Directive) and provides specific rules on the protection of personal data in the field of electronic communications.

1.2. Guidelines

The HDPA has issued guidance addressed to data controllers on different topics of the GDPR, such as:

  • principles relating to the processing of personal data (only available in Greek here), including the conditions for the lawful processing (only available in Greek here), and conditions for consent (only available in Greek here);
  • guide with the general obligations under the GDPR (only available in Greek here);
  • records of processing activities and relevant templates for both data controllers and data processors (both only available in Greek here);
  • security of processing (only available in Greek here);
  • personal data breach notification (only available in Greek here);
  • personal data breach notification form to be submitted to the HDPA in an encrypted form (only available in Greek here);
  • codes of conduct (only available in Greek here);
  • obligations relevant to electronic communications (only available in Greek here);
  • data protection officer (DPO) (only available in Greek here);
  • DPO appointment notification form to be filled in and submitted electronically to the HDPA (only available in Greek here) (the Form);
  • HDPA Frequently asked questions on DPOs (only available in Greek here);
  • designation of a lead authority (only available in Greek here);
  • certification (only available in Greek here);
  • Data Protection by Design and by Default (only available in Greek here);
  • accountability principle (only available in Greek here);
  • transfers of personal data (only available in Greek here);
  • Data Protection Impact Assessment (DPIA) (only available in Greek here);
  • HDPA list of processing operations requiring a DPIA (only available in Greek here);
  • prior consultation (only available in Greek here);
  • 'Registry of Article 13' of the authority (only available in Greek here);
  • the CCTV templates (only available in Greek here);
  • HDPA DPIA Guidelines; and
  • the Guidelines on submitting prior consultation request to the HDPA (the Prior Consultation Guidelines).

The HDPA also refers to the various guidelines that were issued by the EDPB, which replaced the Article 29 Working Party.

1.3. Case law

The HDPA's case law concerning the GDPR is steadily developing with respect to different topics, including the following:

  • principles relating to the processing of employees' data (see HDPA Decision 7/2024 here, 6/2024 here, 31/2023 here, 29/2023 here, all only available in Greek);
  • infringement of Article 5 of the GDPR regarding principles relating to the processing of personal data (HDPA Decisions 16/2024 (press release in English) here, 10/2024 here, 6/2024 here, 48/2023 here, 35/2023 here, 36/2023 here, 34/2023 here, 33/2023 here, 31/2023 here, 30/2023 here, 29/2023 here, 11/2023 here, 12/2023 here, 13/2023 here, and 16/2023 here, all only available in Greek);
  • processing of data through CCTV systems (HDPA Decisions 1/2023 here and 36/2023 here, both only available in Greek);
  • non-compliance with the exercise of data subject's rights, namely the right to be informed, the right of access, the right to erasure, and the right to object (see HDPA Decisions 17/2024 here, 15/2024 here, 12/2024 here, 49/2023 here, 48/2023 here, 47/2023 here, 38/2023 here, 36/2023 here, 34/2023 here, 33/2023 here, 22/2023 here, 29/2023 here, and 20/2023 here, all only available in Greek);
  • unsolicited commercial communication, through electronic means, such as SMS and email, as well as telephone calls (see respectively HDPA Decisions 24/2023 here and 9/2024 here, both only available in Greek);
  • unsolicited political communication (HDPA Decision 16/2024 (press release in English), only available in Greek here);
  • non-compliance with controller and processor obligations, such as implementing appropriate technical and organizational measures, maintaining a record of processing activities (ROPA), conducting the requisite data protection impact assessments, designating a data protection officer, and cooperating with the HDPA (see HDPA Decisions 17/2024 here, 16/2024 (press release in English) here, 13/2024 here, 9/2024 here, 10/2024 here, 1/2024 here, 2/2024 here, and 30/2023 here, all only available in Greek); and
  • failure to notify of an incident of personal data breach (see HDPA Decisions 17/2024 here, 16/2024 here (press release in English), and 35/2023 here, all only available in Greek).

2. Scope of Application

2.1. Personal scope

No national law variations exist.

2.2. Territorial scope

The Data Protection Law has a similar material scope to the GDPR but distinguishes between public bodies and private entities that process personal data (Article 2 of the Data Protection Law).

2.3. Material scope

The provisions of the Data Protection Law apply to public bodies. With regard to private bodies, they apply provided that (Article 3 of the Data Protection Law):

  • the data controller or data processor is processing personal data within the Greek territory;
  • the personal data is subject to processing in the context of the activities of an establishment of the data controller or the data processor within the Greek Territory; or
  • the data controller or data processor falls within the GDPR scope even if not established in an EU Member State or another country of the European Economic Area (EEA).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The HDPA is responsible for monitoring the implementation of the GDPR provisions, the Data Protection Law, and other provisions related to the protection of persons against the processing of personal data in the Greek territory.

3.2. Main powers, duties and responsibilities

Besides its powers under Article 58 of the GDPR, the HDPA has been provided with the following investigative and corrective powers under Article 15 of the Data Protection Law:

  • to carry out, ex officio or following a complaint, investigations and audits of compliance with the provisions of the Data Protection Law, in the context of which the technological infrastructure and other means, automated or not, that support the processing of personal data are also investigated;
  • to address warnings to the data controller or data processor that intended processing operations are likely to infringe provisions of the Data Protection Law;
  • to order the data controller or data processor to bring processing operations into compliance with the provisions of the Data Protection Law, in a specified manner and within a specified period, particularly by means of an order for the rectification or erasure of personal data;
  • to order and impose a temporary or definitive limitation and/or ban on the processing of personal data;
  • to order and impose the delivery to the authority of documents, filing systems, equipment, or processing means of personal data and their content;
  • to seize any documents, information, filing systems, equipment, and means involved in a personal data breach, including their content, that come to its attention when exercising its investigatory powers, and to be declared sequestrator until a decision is issued by the competent judicial authorities;
  • to order the data controller or data processor to interrupt the processing of personal data, to return or 'freeze' the relevant data, or to destroy the filing system or relevant data;
  • to impose administrative sanctions under Article 83 of the GDPR and Article 39 of the Data Protection Law;
  • to impose administrative sanctions under Article 82 of the GDPR;
  • to issue a provisional order for the immediate, whole, or partial, temporary limitation of the processing or of the file operation until issuance of a final decision; and
  • to issue administrative regulatory acts in order to regulate specific, technical, and detailed matters.

4. Key Definitions

Data controller: There is no national variation to this definition.

Data processor: There is no national variation to this definition.

Personal data: There is no national variation to this definition.

Sensitive data: There is no national variation to this definition.

Health data: There is no national variation to this definition.

Biometric data: There is no national variation to this definition.

Pseudonymization: There is no national variation to this definition. It is noted that, although no national law variations exist, the distinction is made under the Data Protection Law between public and private entities when acting as controllers, as different treatment applies with regard to the restrictions imposed on personal data processing depending on the type of organization.

Public bodies: the public authorities, the independent and regulatory administrative authorities, the public entities (i.e., legal persons of public law), local authorities (municipalities, etc.) of the first and second degree and their legal entities and their undertakings, the state and public undertakings and public bodies, the legal entities of private law which belong to the state or which are subsidized by 50% at least of their annual budget by the state or their management is appointed by the state.

Private bodies: the natural or legal person or association of persons without a legal entity, that does not fall within the notion of 'public body.'

5. Legal Bases

5.1. Consent

The GDPR allows EU Member States to lower the age of a child's consent below 16 for online service providers offering services directly to children. The Data Protection Law lowers the age of child consent to 15 years (see Article 21 of the Data Protection Law).

5.2. Contract with the data subject

No national law variations exist.

5.3. Legal obligations

No national law variations exist.

5.4. Interests of the data subject

No national law variations exist.

5.5. Public interest

No national law variations exist.

5.6. Legitimate interests of the data controller

No national law variations exist.

5.7. Legal bases in other instances

Not applicable.

For direct marketing cases, the HDPA would apply the provisions under the Electronic Communications Law.

Processing of employee data

Article 27 of the Data Protection Law sets out provisions that apply to the processing of personal data of employees in the context of employment.

In particular, it is specified that the provisions under the Data Protection Law apply to all employees, regardless of the specific type of employment relationship, of the validity of the contract, and irrespective of whether processing involves applicants' or former employees' personal data.

Further, the Data Protection Law provides that employees' personal data may be subject to processing for the purposes of the employment contract, so long as this is strictly necessary for the decision of conclusion of the employment contract or following the employment contract's conclusion for its performance (Article 27(1) of the Data Protection Law).

According to the HDPA Opinion (see pages 16 to 19 of the HDPA Opinion), to the extent that Article 27(1) of the Data Protection Law introduces a sole legal basis of processing in the employment context, in which all legal bases of Article 6(1) of the GDPR are merged, such provision is in contradiction to the provisions of Article 88(1) of the GDPR allowing for the provision of more specific national rules and not for the creation of a new legal basis or for the exclusion of legal bases under the GDPR. Hence, the HDPA has considered that Article 27(1) of the Data Protection Law is not in line with the GDPR.

By way of exception, the Data Protection Law provides that the processing of employees' personal data may be based, in exceptional circumstances, on consent, so long as such consent has been the result of free choice, taking into account in particular:

  • the existing dependence under the employment contract; and
  • the circumstances under which consent was given.

Under the Data Protection Law, consent is provided either in written form or electronically and must be clearly distinguished from the employment contract. The employer should inform the employee either in written form or electronically of the processing purpose and of the employee's right to withdraw their consent in accordance with Article 7(3) of the GDPR.

Notwithstanding specific provisions under Article 9(1) of the GDPR, the processing of special categories of personal data for the purposes of the employment contract is permitted provided it is necessary for the exercise of the rights, or the carrying out of the lawful obligations arising from employment law, as well as social security and social protection law, and there is no reason to consider that data subjects' legitimate interests prevail.

Under the Data Protection Law, the employer has to take appropriate measures to ensure compliance with the principles for the processing of personal data under Article 5 of the GDPR.

Finally, special rules are provided for the processing of employees' personal data through a closed-circuit recording system in the workplace, including the requirement to inform employees in writing.

Processing of personal data for other purposes

The processing of personal data by public entities for purposes other than those for which they were initially collected is permitted if the processing is necessary for the fulfillment of their duties and if necessary:

  • to check the information provided by the data subject, because there are reasonable indications that said information is incorrect;
  • for the avoidance of risks to national safety, national defense, or public safety, or to ensure tax or customs income;
  • for the prosecution of criminal offenses;
  • for the prevention of harm to another; and
  • for the production of official statistics.

Processing for other purposes by private entities is permitted if necessary:

  • for the avoidance of threats to national or public security following a request from a public entity;
  • for the prosecution of criminal offenses; and
  • for the establishment, exercise, or defense of legal claims, unless data subjects' interests override.

Processing for scientific or historical research purposes

Pursuant to Article 30 of the Data Protection Law, and notwithstanding Article 9(1) of the GDPR, the processing of special categories of data is permitted without the data subject's consent, provided that it is necessary for scientific or historical research purposes or for purposes related to the collection or retention of statistics, and the data controller's interest overrides the data subject's interests. In this respect, the data controller must take appropriate and specific measures for the protection of the data subject's interests, including restrictions of access at the data controller and/or data processor, pseudonymization, encryption, and the appointment of a DPO.

In addition, notwithstanding the provisions of Articles 15, 16, 18, and 21 of the GDPR, data subjects' rights are restricted, if their exercise could make impossible or significantly impede the performance of the scientific or historical research and so long as these restrictions are deemed necessary for their performance.

Apart from the above, special categories of data processed for the above purposes must be anonymized once the scientific or statistical purposes allow it, unless this is contrary to the data subject's legitimate interest.

Finally, the data controller may publish personal data that are processed in the context of the research, so long as data subjects have consented in writing or publication is necessary for the presentation of the results of the research, in which case the publication must take place only by means of pseudonymization.

6. Principles

No national law variations exist.

7. Controller and Processor Obligations

7.1. Data processing notification

Following the entry into effect of the GDPR, there is no longer an obligation to notify the HDPA with regard to the processing of personal data, recordkeeping, or CCTV. In addition, the granting of licenses by the HDPA for the processing of sensitive data has been abolished (See HDPA Decision 46/2018, only available in Greek here).

7.2. Data transfers

No national law variations exist.

Under the Data Protection Law (see Article 28(2)(d)), certain GDPR provisions, including Chapter V of the GDPR on the transfer of personal data to third countries, do not apply to the extent necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes or academic, artistic, or literary expression.

In this respect, the HDPA issued guidance in 2021 on the latest Standard Contractual Clauses (SCCs) issued by the European Commission for transfers to third countries (only available in Greek here), as well as on the new SCCs of the European Commission to be signed between data controllers and data processors pursuant to Article 28(7) of the GDPR (only available in Greek here).

7.3. Data processing records

No national law variations exist.

7.4. Data protection impact assessment

Under Article 35(4) of the GDPR, the supervisory authority establishes and makes public a list of the kinds of processing operations that are subject to the requirement of a DPIA.

Pursuant to the above rule, the HDPA has issued a blacklist of the kind of processing operations which are subject to the requirement for a data protection impact assessment. This list was adopted by means of HDPA's Decision 65/2018 (only available in Greek here).

The blacklist includes processing activities relating to:

  • systematic evaluation, scoring, prediction, prognosis, and profiling, especially of aspects concerning the data subject's economic situation, health, personal preferences, or interests, reliability or behavior, location or movements, or the credit rating of data subjects;
  • the systematic processing of personal data that aims at taking automated decisions producing legal effects concerning data subjects or similarly significantly affects data subjects and may lead to the exclusion or discrimination against individuals;
  • systematic processing of personal data which may prevent the data subject from exercising their rights or using a service or a contract, especially when data collected by third parties are taken into account;
  • systematic processing of personal data concerning profiling for marketing purposes when the data are combined with data collected from third parties;
  • large-scale systematic processing for monitoring, observing, or controlling natural persons using data collected through video surveillance systems, through networks, or by any other means over a public area, a publicly accessible area, or a private area accessible to an unlimited number of persons. It includes the monitoring of movements or location/geographical position, in real time or otherwise, of identified or identifiable natural persons;
  • large-scale systematic processing of personal data concerning health and public health for public interest purposes as is the introduction and use of electronic prescription systems and the introduction and use of electronic health records or electronic health cards;
  • large-scale systematic processing of personal data with the purpose of introducing, organizing, providing, and monitoring the use of electronic government services;
  • large-scale processing of special categories of personal data referred to in Article 9(1) of the GDPR, including genetic data and biometric data for the purpose of uniquely identifying a natural person, and of personal data referred to in Article 10 of the GDPR;
  • large-scale systematic processing of data of high significance or of a highly personal nature;
  • systematic monitoring, provided that it is fair, of the position/location of employees, as well as of the content and metadata of employee communications, with the exception of logging files kept for security reasons, provided that the processing is limited to the absolutely necessary data and is specifically documented;
  • innovative use or application of new technological or organizational solutions, which can involve novel forms of data collection and usage, possibly with a high risk to individuals' rights and freedoms;
  • matching and/or combining personal data originating from multiple sources or third parties, or for two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subjects; and
  • in case the processing concerns personal data that has not been obtained from the data subject and the information to be provided to data subjects pursuant to Article 14 of the GDPR proves impossible or would require a disproportionate effort or is likely to render impossible or seriously impair the objectives of the processing.

The HDPA's list is subject to regular revisions every two years or to an unscheduled revision due to significant developments in technology or in operational models, as well as in the case of a change in the purposes of the processing when these new purposes present a high risk.

Finally, according to information available on the HDPA's website, the above list is not exhaustive and, as such, the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, if the conditions of Article 35(1) of the GDPR are met, has not been removed.

The HDPA has not issued a list of the kind of processing operations for which no DPIA is required pursuant to Article 35(5) of the GDPR (GDPR Whitelist). However, the HDPA outlines in the HDPA DPIA Guidelines, that it is not necessary to carry out a DPIA:

  • for processing activities for which authorization to establish and operate the relevant file containing sensitive personal data has been granted under Article 7 of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data, provided that such authorization is in force and there has been no change which may result in a high risk to the rights and freedoms of data subjects, taking into account the nature, scope, context, and purposes of the processing; and
  • where the processing activity pursuant to Article 6(1)(c) or (e) of the GDPR has a legal basis in EU or Member State law where that law regulates the specific processing activity, and a DPIA has already been carried out as part of the establishment of that legal basis, except if it is deemed necessary to carry out such an assessment prior to processing activities.

In addition, the HDPA outlines in the Prior Consultation Guidelines that, to submit a prior consultation request to the HDPA, the controller must fill in a form and submit it electronically through the HDPA online portal. The relevant DPIA referred to above must be included in this submission, alongside the other documentation necessary for the DPIA.

7.5. Data protection officer appointment

The Data Protection Law provides for specifications with regard to the appointment of a DPO by public entities, including:

  • DPO's appointment (Article 6 of the Data Protection Law), (e.g., one person may serve as a DPO for several public bodies, a choice is made on the basis of professional qualifications, an employee of the public entity may be appointed as a DPO, provision for the notification of appointment to the HDPA, unless not permitted for national security reasons or secrecy duties etc.);
  • DPO's position (Article 7 of the Data Protection Law), (e.g., participation in all matters related to data privacy; provision of necessary resources, etc.); and
  • DPO's duties (Article 8 of the Data Protection Law), (e.g., to cooperate with the HDPA; to act as the contact point with the HDPA, etc.).

In addition, data controllers and processors must inform the HDPA of the appointment or replacement of a data protection officer (DPO) by sending the Form via email to [email protected]. Any statement of DPO appointment sent to the HDPA before 25 May 2018, or in any other form will not be valid. The removal of a DPO must also be communicated to the HDPA via email to [email protected] (DPO Information).

On the topic of the DPO's conflict of interest, the HDPA issued a statement on January 23, 2020, on the representation of data controllers and data processors by DPOs before the HDPA. The HDPA highlighted that DPOs should be independent and impartial and, therefore, cannot represent data controllers and data processors when data protection issues arise before the HDPA.

7.6. Data breach notification

There are no variations with regard to the notification of a personal data breach to the HDPA.

Data breaches can be notified electronically (only available in Greek here). In this respect, data controllers are required to complete and submit a specific form which is available on the HDPA's website here.

Although no variations are provided with regard to notification of the data breach to the authority, the Data Protection Law provides for an exception to the obligation of data controllers to communicate a personal data breach to the data subject, in particular, when and to the extent that by means of this communication, certain information which is protected by secrecy rules would be revealed (Article 33(5) of the Data Protection Law).

Providers of publicly available electronic communications services must notify the Hellenic Authority for Communication Security and Privacy (ADAE) and the HDPA in case of a personal data breach via the ADAE's online notification form (only available in Greek here) (Article 12(5) of the Electronic Communications Law).

7.7. Data retention

The Data Protection Law does not include any data retention provisions. On timeframes for retaining data, see the section on the right to erasure below. Although not provided for in the Data Protection Law, statutory (general or specific prescription rules) or contractual retention periods would also apply.

7.8. Children's data

Under Article 21 of the Data Protection Law, the processing of personal data belonging to a child, in relation to the offer of information society services, is lawful only if the child is at least 15 years old and provides their consent. Otherwise, children under the age of 15 must have parental or guardian's consent to be offered information society services.

7.9. Special categories of personal data

Notwithstanding Article 9(1) of the GDPR, the Data Protection Law stipulates that the processing of special categories of data by public and private bodies is permitted, so long as it is necessary for (Article 22(1) of the Data Protection Law):

  • the exercise of rights resulting from social security and social care law and the performance of the relevant obligations;
  • the purposes of preventive medicine, the assessment of an employee's ability to work, medical diagnosis, the provision of health and social care, or the management of health and social care systems and services, or by means of an agreement with a health care professional or another person who is also bound by professional secrecy or is under the latter's supervision; or
  • the purposes of public interest in the field of public health.

In addition, processing of special categories of personal data, within the notion of Article 9(1) of the GDPR, by public entities is permitted, if (Article 22(2) of the Data Protection Law):

  • absolutely necessary for reasons of public interest;
  • necessary for the prevention of a significant threat for national or public safety; or
  • necessary in order to take humanitarian measures, in which case the interest for the processing overrides the data subject's interest.

In all the above cases, all appropriate and special measures to safeguard data subjects' interests must be taken, taking into account the state of the art, implementation costs, the processing's context and purposes, and the severity of the risk to natural persons' rights and freedoms the processing poses, including technical and organizational measures (Article 22(3) of the Data Protection Law). In addition, the Data Protection Law also allows employers, in the capacity of data controllers, to process special categories of personal data if they meet certain conditions (see Article 27(3) of the Data Protection Law).

With regard to the processing of criminal conviction data, this is not addressed by the Data Protection Law.

Processing of genetic data

Under Article 23 of the Data Protection Law and pursuant to Article 9(4) of the GDPR, the processing of genetic data for health and life insurance purposes is expressly prohibited.

7.10. Controller and processor contracts

No national law variations exist.

8. Data Subject Rights

8.1. Right to be informed

When personal data is collected from the data subject, the data controller is exempt from the obligation to inform data subjects of further processing of personal data pursuant to Article 13(3) of the GDPR in the following cases (Article 31(1) of the Data Protection Law):

  • the purpose of the further processing is compatible with the initial purpose, the data controller communicates with the data subject in writing, in a communication addressed directly to the data subject and not conducted via digital means, and the data subject's interest in being informed is not particularly high; or
  • when, in the case of a public body, such information would compromise:
    • the proper performance of the data controller's duties;
    • the national or public security and the data controller's interests not to provide the information override the data subject's interests;
    • the establishment, exercise, or defense of legal claims and the data controller's interests not to provide the information override the data subject's interests; or
    • the confidential transfer of personal data to public bodies.

The data controller must:

  • take appropriate measures for the protection of the data subject's legitimate interests, including the provision of information outlined in Article 13(1) and (2) of the GDPR in an accurate, transparent, intelligible, and easily accessible manner, in a clear and plain language; and
  • in most cases, notify the data subject in writing of the reasons for not providing the information.

In addition, broader exceptions apply to public bodies where personal data have not been obtained from the data subject (Article 32 of the Data Protection Law).

8.2. Right to access

Under Article 33(1) of the Data Protection Law, the right of access is restricted when:

  • there is no obligation to inform the data subject; or
  • the data subject's data:
    • were recorded only because they could not be deleted due to mandatory statutory retention provisions; or
    • serve exclusively the purposes of data protection or data control,
    and providing the information would require a disproportionate effort, and the necessary technical and organizational measures make processing for other purposes impossible.

The reasons for refusing to provide access must be documented. The refusal must be justified to the data subject, unless doing so would compromise the purpose pursued by refusing access to the information (Article 33(2) of the Data Protection Law).

The right of access applies only if the data subject provides enough information to allow the data to be retrieved and the effort required is not disproportionate to the data subject's interest in being informed (Article 33(3) of the Data Protection Law).

The right of access under Article 15 of the GDPR does not apply where the information to be disclosed to the data subject must remain confidential by law or by reason of its nature, in particular due to the overriding legitimate interests of third parties.

8.3. Right to rectification

The Data Protection Law does not include general variations regarding the data subject's right to rectification. However, it limits the exercise of this right in the context of particular processing purposes, namely processing in the context of freedom of expression and information (Article 28 of the Data Protection Law), processing for archiving purposes in the public interest (Article 29 of the Data Protection Law), and processing for scientific or historical research or statistical purposes (Article 30 of the Data Protection Law).

8.4. Right to erasure

Under Article 34 of the Data Protection Law, the right to erasure does not apply, and erasure is replaced by restriction of processing, in the following cases:

  • in the case of non-automated processing, where erasure is impossible because of the specific way the data are stored, or is possible only with a disproportionate effort, and the data subject's interest in erasure is not considered significant (this exception does not apply where the personal data were processed unlawfully);
  • where the data controller no longer needs the personal data for the purposes for which they were collected (Article 17(1)(a) of the GDPR) or the personal data were unlawfully processed (Article 17(1)(d) of the GDPR), but the data controller has reason to believe that erasure would prejudice the data subject's legitimate interests; and
  • where erasure would be contrary to statutory or contractual retention periods.

8.5. Right to object/opt-out

Under Article 35 of the Data Protection Law, the right to object does not apply against a public entity where the processing is necessary for a public interest that overrides the data subject's interests, or where the processing is required by a legal provision.

8.6. Right to data portability

There are no general variations under the Data Protection Law. However, the Data Protection Law permits data controllers to restrict the data subjects' right to data portability in the following cases:

  • when necessary to reconcile the right to data protection with the right to freedom of expression and information, including when processing for journalistic purposes or academic, artistic, or literary expression (Article 28(2) of the Data Protection Law); and
  • when the data subject's exercise of the right likely renders impossible or seriously impairs the objectives of processing for archiving purposes in the public interest and restricting the right is necessary to achieve those purposes (Article 29(4) of the Data Protection Law).

8.7. Right not to be subject to automated decision-making

There are no variations with regard to profiling under the Data Protection Law.

8.8. Other rights

Right to restriction of processing

There are no variations under the Data Protection Law.

9. Penalties

Administrative sanctions

In addition to the corrective powers provided under Article 58(2) of the GDPR, the Data Protection Law specifies that public entities are subject to administrative fines of up to €10 million, imposed by the HDPA, for the infringements listed in Article 83(4), (5), and (6) of the GDPR (with a few exceptions).

The Data Protection Law introduces no variations with regard to private entities.

Criminal sanctions

The Data Protection Law provides for criminal sanctions, in particular imprisonment of up to one year for anyone who interferes with a filing system containing personal data and thereby gains knowledge of, copies, or otherwise processes the personal data contained in it.

Furthermore, anyone who uses, transmits, disseminates, discloses by transmission, makes available, or communicates personal data to unauthorized persons, or allows unauthorized persons to gain knowledge of such data, may be punished by imprisonment.

In the case of special categories of personal data, the Data Protection Law provides for the following criminal sanctions:

  • imprisonment of at least one year; and
  • a fine of up to €100,000.

In addition, if the offender committed any of the above acts with the intent to unlawfully gain an economic benefit for himself or another person, or to cause property damage or other harm to another person, and the total benefit exceeds €120,000, the offender may be punished with imprisonment of up to ten years.

Finally, if any of the above acts has put national security or the democratic functioning of the state at risk, imprisonment and a fine of up to €300,000 may be imposed.

9.1 Enforcement decisions

HDPA Decision 10/2024

By virtue of Decision 10/2024 (available only in Greek), the HDPA imposed a fine of €2,995,140 on Hellenic Post S.A. (ELTA) for a personal data breach in the form of a data leak resulting from the failure to implement appropriate technical and organizational measures.

ELTA initially notified the HDPA of a personal data breach consisting of the malicious encryption of its systems following an attack by a third party, and subsequently submitted an additional notification regarding the publication on the dark web of personal data of up to 5 million individuals that had been unlawfully exfiltrated during the cyber-attack. In the course of the attack, the attacker gained unauthorized remote access to workstations and files, network vulnerabilities were identified, domain administration passwords were compromised, and malware was installed.

The HDPA held that ELTA had failed to implement appropriate technical and organizational measures to protect against unauthorized or unlawful processing of personal data, resulting in a breach of confidentiality under Article 5(1)(f) of the GDPR. At the compliance level, ELTA had also failed to adopt appropriate data protection policies demonstrating that the processing met the requirements of Article 32 of the GDPR. Moreover, it had neither ensured the ongoing confidentiality, integrity, availability, and resilience of its processing systems and services, nor maintained a process for regularly testing, assessing, and evaluating the effectiveness of the technical and organizational measures for the security of the processing, as required by Article 32(1)(b) and (d) of the GDPR.

In light of the above, the HDPA established two separate infringements of the GDPR, under Articles 5(1)(f) and 32 respectively. Taking into account both aggravating factors (the large number of data subjects affected, the high level of damage incurred, and the loss of availability of services) and mitigating factors (ELTA's subsequent implementation of technical and organizational measures, and the fact that no special categories of personal data were leaked), the HDPA imposed a fine of €2,995,140 on ELTA.

HDPA Decision 9/2024

In Decision 9/2024 (available only in Greek), the HDPA jointly examined 40 complaints from telephone subscribers, lodged over a period of more than two years, each with different facts but all concerning the alleged infringement of marketing communication rules through unlawful telephone calls promoting the products and services of ELPEDISON, an energy provider. The HDPA investigated the conduct of ELPEDISON and five associated call center companies.

The HDPA found that ELPEDISON, in its capacity as data controller, had failed to provide the call centers, acting as its data processors, with the appropriate tools, guidance, and instructions to ensure that only permitted calls (under the Electronic Communications Law) and only lawful processing activities (under the GDPR) took place. According to the HDPA's ruling, ELPEDISON had also failed to exercise the supervision required to ensure that the procedures were effective and properly implemented by the call centers, particularly when complaints were received. The HDPA found that this two-fold obligation under Article 32 of the GDPR had not been met and imposed a fine of €127,709 on ELPEDISON.

Three call center companies (Call Experts, Zitatel, and PLEGMA) were also found by the HDPA to be in breach of Article 32 of the GDPR, due to their failure to implement adequate technical and organizational measures when carrying out telephone calls. As a result, unsolicited calls were made to subscribers who had opted out of receiving such communications by registering in the special directory provided for in Article 11 of the Electronic Communications Law. For this infringement, the HDPA imposed fines of €10,000, €6,000, and €20,000 respectively on the three call centers. Zitatel was additionally fined €5,000 for the unlawful collection of personal data (telephone numbers) through a website, in violation of Article 5(1)(a) of the GDPR. In addition to the fines, the HDPA issued a warning and ordered further corrective measures to ensure compliance.

HDPA Decision 30/2023 OASA

By virtue of Decision 30/2023 (available only in Greek), the HDPA found multiple violations of the GDPR by the Athens Urban Transport Organization S.A. (OASA), imposed a fine of €50,000, and issued a compliance order and a reprimand.

Following press reports questioning whether OASA was ensuring the anonymity of passengers' journeys, the HDPA conducted an on-site inspection of OASA's premises to assess its compliance with the requirements previously laid down in HDPA Opinions 1/2017 and 4/2017 (available only in Greek) regarding the processing of personal data, including special categories, in the context of OASA's electronic ticket system.

Following an extensive investigation and oral hearings, the HDPA concluded that OASA had, inter alia, failed to set appropriate data retention periods, contrary to the principle of storage limitation under Article 5(1)(e) of the GDPR. Furthermore, OASA had conducted its DPIA belatedly, and the completed DPIA was not fully substantiated and contained inconsistencies, thus failing to meet the requirements of Article 35(1) of the GDPR. The DPIA did not sufficiently address the risks associated with the processing, which also constituted a failure to comply fully with the principle of data protection by design under Article 25(1) of the GDPR. Moreover, the ROPAs maintained by OASA were not compliant with Article 30 of the GDPR, as the processing purposes described in them did not match the information provided to data subjects on the OASA website, creating ambiguity for data subjects.

In view of these findings, the HDPA imposed a fine of €50,000 on OASA for violating the storage limitation principle and reprimanded it for failing to comply with its data protection by design obligation and with its obligation to conduct a DPIA meeting the requirements of the GDPR. OASA was also ordered to define and document the retention periods for all of its processing purposes within one month, to revise its DPIA within three months, and to implement any additional measures found necessary on the basis of the revised DPIA.