Kyriakides Georgopoulos & Daniolos Issaias Law Firm
Greece implemented the EU Data Protection Directive 95/46/EC in October 1997 with Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data, as amended (“Law”). The Law is currently in force as amended by Laws 3471/2006, 3783/2009, 3947/2011, 4024/2011 and 4070/2012.
Enforcement is through the Data Protection Authority (“DPA”).
Definition of Personal Data
“Personal data” shall mean any information relating to the data subject. Personal data is not considered to be the consolidated data of a statistical nature where data subjects may no longer be identified.
Definition of Sensitive Personal Data
“Sensitive data” shall mean the data referring to racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, social welfare and sex life, criminal charges or convictions as well as membership to societies dealing with the aforementioned areas.
National Data Protection Authority
Data Protection Authority
1-3 Kifissias Avenue
The DPA is responsible for overseeing the Data Protection Law.
The data controller must notify the DPA in writing about the establishment and operation of a file or the commencement of data processing. In the course of the aforementioned notification, the data controller must necessarily declare the following:
■ His/her name, trade name or distinctive title, as well as his/her address;
■ The address where the file or the main hardware supporting the data processing is
■ The description of the purpose of the processing of personal data included or about to be included in the file;
■ The category of personal data that is being processed or about to be processed or included or about to be included in the file;
■ The time period during which s/he intends to carry out data processing or preserve the file;
■ The recipients or the categories of recipients to whom such personal data is or may be
■ Any transfer and the purpose of such transfer of personal data to third countries; and
■ The basic characteristics of the system and the safety measures taken for the protection of the file or data processing.
The above data is then registered with the Files and Data Processing Register kept by the DPA. Any modification of the above data must be communicated in writing and without any undue delay by the data controller to the DPA.
Data Protection Officers
There is no requirement in Greece for organizations to appoint a data protection officer.
Collection and Processing
Collection and processing of personal data is permitted only when the data subject has given his/her consent. Exceptionally, data may be processed even without such consent, but only if:
■ processing is necessary for the execution of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
■ processing is necessary for the compliance with a legal obligation to which the data controller is subject;
■ processing is necessary in order to protect the vital interests of the data subject, if s/he is physically or legally incapable of giving his/her consent;
■ processing is necessary for the performance of a task carried out in the public interest or a project carried out in the exercise of public function by a public authority or assigned by it to the data controller or a third party to whom such data are communicated; or
■ processing is absolutely necessary for the purposes of a legitimate interest pursued by the data controller or a third party or third parties to whom the data is communicated and on condition that such a legitimate interest evidently prevails over the rights and interests of the persons to whom the data refer and that their fundamental freedoms are not affected.
Processing sensitive personal data:
The collection and processing of sensitive data is prohibited. Exceptionally, the collection and processing of sensitive data, as well as the establishment and operation of the relevant file, is permitted by the DPA, when one or more of the following conditions occur:
■ the data subject has given his/her written consent, unless such consent has been extracted in a manner contrary to the law or bonos mores or if law provides that any consent given may not lift the relevant prohibition;
■ processing is necessary to protect the vital interests of the data subject or the interests provided for by the law of a third party, if s/he is physically or legally incapable of giving his/her consent;
■ processing relates to data made public by the data subject or is necessary for the recognition, exercise or defense of rights in a court of justice or before a disciplinary body;
■ processing relates to health matters and is carried out by a health professional subject to the obligation of professional secrecy or relevant codes of conduct, provided that such processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of health care services;
■ processing is carried out by a Public Authority and is necessary for the purposes of a) national security, b) criminal or correctional policy and pertains to the detection of offences, criminal convictions or security measures, c) protection of public health or d) the exercise of public control on fiscal or social services;
■ processing is carried out exclusively for research and scientific purposes provided that anonymity is maintained and all necessary measures for the protection of the persons involved are taken; or
■ Processing concerns data pertaining to public figures, provided that such data are in connection with the holding of public office or the management of third parties’ interests, and is carried out solely for journalistic purposes. The DPA may grant a permit only if such processing is absolutely necessary in order to ensure the right to information on matters of public interest, as well as within the framework of literary expression and provided that the right to protection of private and family life is not violated in any way whatsoever.
The DPA grants a permit for the collection and processing of sensitive data, as well as a permit for the establishment and operation of the relevant file, upon request of the data controller. The permit is issued for a specific period of time, depending on the purpose of the data processing. It may be renewed upon request of the data controller.
The permit must necessarily contain the following:
■ The full name or trade name or distinctive title, as well as the address, of the data controller and his/her representative, if any;
■ The address of the place where the file is established;
■ The categories of personal data which are allowed to be included in the file;
■ The time period for which the permit is granted;
■ The terms and conditions, if any, imposed by the DPA for the establishment and operation of the file; and
■ The obligation to disclose the recipient or recipients as soon as they are identified.
A copy of the permit is registered with the Permits Register kept by the DPA. Any change in the above data must be communicated without undue delay to the DPA. Any change other than a change of address of the data controller or his/her representative must entail the issuance of a new permit, provided that the terms and conditions stipulated by law are fulfilled.
The transfer of personal data is permitted:
■ For member states of the European Union;
■ For a non-member of the European Union following a permit granted by the DPA if it deems that the country in question guarantees an adequate level of protection. For this purpose it shall particularly take into account the nature of the data, the purpose and the duration of the processing, the relevant general and particular rules of law, the codes of conduct, the security measures for the protection of personal data, as well as the protection level in the countries of origin, transit and final destination of the data. A permit by the DPA is not required if the European Commission has decided, on the basis of the process of article 31, paragraph 2 of Directive 95/46/EC of the Parliament and the Council of 24 October 1995, that the country in question guarantees an adequate level of protection, in the sense of article 25 of the aforementioned Directive;
The transfer of personal data to a non-member state of the European Union which does not ensure an adequate level of protection is exceptionally allowed only following a permit granted by the DPA, provided that one or more of the following conditions occur:
■ the data subject has consented to such transfer, unless such consent has been extracted in a manner contrary to the law or bonos mores; and
■ the transfer is necessary:
– in order to protect the vital interests of the data subject, provided s/he is physically or legally incapable of giving his/her consent;
– for the conclusion and performance of a contract between the data subject and the data controller or between the data controller and a third party in the interest of the data subject, if he/she is incapable of giving his/her consent; or
– for the implementation of pre-contractual measures taken in response to the data subject’s
■ the transfer is necessary in order to address an exceptional need and safeguard a superior public interest, especially for the performance of a cooperation agreement with the public authorities of the other country, provided that the data controller provides adequate safeguards with respect to the protection of privacy and fundamental liberties and the exercise of the corresponding rights;
■ the transfer is necessary for the establishment, exercise or defense of a right in court;
■ the transfer is made from a public register which by law is intended to provide information to the public and which is accessible by the public or by any person who can demonstrate legitimate interest, provided that the conditions set out by law for access to such register are in each particular case fulfilled; or
■ the data controller shall provide adequate safeguards with respect to the protection of the data subjects’ personal data and the exercise of their rights, when the safeguards arise from conventional clauses which are in accordance with the regulations of the Law. A permit is not required in the case of the Standard Contractual Clauses approved by the European Commission, in cases where the data importer has been registered with the Safe Harbor Framework, and finally in cases where the Binding Corporate Rules have been executed.
The processing of personal data must be confidential. It must be carried out solely and exclusively by persons acting under the authority of the data controller or the processor and upon his/her instructions.
In order to carry out data processing the data controller must choose persons with corresponding professional qualifications providing sufficient guarantees in respect of technical expertise and personal integrity to ensure such confidentiality.
The data controller must implement appropriate organizational and technical measures to secure data and protect it against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access as well as any other form of unlawful processing. Such measures must ensure a level of security appropriate to the risks presented by processing and the nature of the data subject to processing.
If the data processing is carried out on behalf of the data controller, by a person not dependent upon him, the relevant assignment must necessarily be in writing. Such assignment must necessarily provide that the processor carries out such data processing only on instructions from the data controller and that all other confidentiality obligations must mutatis mutandis be borne by him.
There is no mandatory requirement in the Law to report data security breaches or losses to the DPA or to data subjects.
The DPA may impose on the data controllers or on their representatives, if any, the following administrative sanctions for breach of their duties arising from the Law as well as from any other regulation on the protection of individuals from the processing of personal data:
■ a warning with an order for the violation to cease within a specified time limit;
■ a fine amounting between EUR 880 and EUR 147,000;
■ a temporary revocation of the permit;
■ a definitive revocation of the permit; or
■ the destruction of the file or a ban of the processing and the destruction, return or locking of the relevant data.
In addition the following penal sanctions may be imposed:
Anyone who fails to notify the DPA of the establishment or the operation of a file or any change in the terms and conditions regarding the granting of the permit will be punished by imprisonment for up to three years and a fine amounting between EUR 2,940 and EUR 14,705.
Anyone who keeps a file without permit or in breach of the terms and conditions referred to in the DPA’s permit, will be punished by imprisonment for a period of at least one year and a fine amounting between EUR 2,940 and EUR 14,705.
Anyone who proceeds to the interconnection of files without notifying the DPA accordingly will be punished by imprisonment for up to three years and a fine amounting between EUR 2,940 and EUR 14,705. Anyone who proceeds to the interconnection of files without the DPA’s permit, wherever such permit is required, or in breach of the terms of the permit granted to him, will be punished by imprisonment for a period of at least one year and a fine amounting between EUR 2,940 and EUR 14,705.
Anyone who unlawfully interferes in any way whatsoever with a personal data file or takes notice of such data or extracts, alters, affects in a harmful manner, destroys, processes, transfers, discloses, makes accessible to unauthorized persons or permits such persons to take notice of such data or anyone who exploits such data in any way whatsoever, will be punished by imprisonment and a fine and, regarding sensitive data, by imprisonment for a period of at least one year and a fine amounting between EUR 2,940 and EUR 29,411, unless otherwise subject to more serious sanctions.
Any data controller who does not comply with decisions issued by the DPA in the exercise of the right of access, in the exercise of the right to object, as well as with acts imposing the administrative sanctions will be punished by imprisonment for a period of at least two years and a fine amounting between EUR 2,940 and EUR 14,705. The sanctions referred to in the preceding sentence will also apply to any data controller who transfers personal data, in breach of the Law.
If the data controller is not a natural person, then the representative(s) of the legal entity shall be liable.
Finally, any natural person or legal entity of private law, who in breach of the Law, causes material damage will be liable for damages in full. If the same causes non-pecuniary damage, s/he will be liable for compensation. Liability subsists even when said person or entity should have known that such damage could be brought about. The compensation payable according to article 932 of the Civil Code for non-pecuniary damage caused in breach of the Law has been set at the amount of at least EUR 5,882, unless the plaintiff claims a lesser amount or the said breach was due to negligence. Such compensation shall be awarded irrespective of the claim for damages.
Electronic marketing is regulated by Law 3471/2006 “for the protection of personal data and privacy in electronic communications” (“The Law”), in combination with the general provisions of Law 2472/1997 “for the protection of individuals from the processing of personal data” (“The Data Protection Act”).
According to the provisions of article 11 of the Law, data processing for electronic marketing purposes is allowed only upon the individuals’ prior express consent. The said article prohibits the use of automated calling systems for marketing purposes to subscribers that have previously declared to the public electronic communications services providers (“CSPs”) that they do not wish to receive such calls in general. The CSPs must register these declarations for free on a separate publicly accessible list.
Personal data (such as e-mail addresses) that have been legally obtained in the course of sales of products, provision of services or any other transaction may be used for electronic marketing purposes, without the receiver’s prior consent thereto, provided that the receiver of such email has the possibility to “opt out” for free to the collection and processing of his/her personal data for the aforementioned purposes.
Direct marketing emails or advertising emails of any kind are absolutely prohibited, when the identity of the sender is disguised or concealed and also when no valid address, to which the receivers can address requests for the termination of such communications, is provided.
Online Privacy (Including Cookies and Location Data)
Traffic data – Traffic data of subscribers or users held by a CSP must be erased or anonymised after the termination of a communication, unless they are retained for one of the following reasons:
■ The billing of subscribers and the payment of interconnections, provided that the subscribers are informed of the categories of traffic data that are being processed and the duration of processing, which must not exceed 12 months from the date of the communication (unless the bill is doubtable or unpaid).
■ Marketing of electronic communications services or value added services, to the extent that traffic data processing is absolutely necessary and following the subscriber’s or the user’s prior express consent thereto, after his/her notification regarding the categories of traffic data that are being processed and the duration of the processing. Such consent may be freely recalled. The provision of electronic communication services by the CSP must not depend on the subscriber’s consent to the processing of his/her traffic data for other purposes (e.g. marketing purposes).
Location data – Location data may only be processed for the provision of value added service, only if such data are anonymised or with the subscriber’s/user’s express consent, to the extent and for the duration for which such processing is absolutely necessary. The CSP must previously notify the user or the subscriber of the categories of location data that are being processed, the purposes and the duration of the processing as well as of the third parties to which the data will be transmitted for value added services provision. The subscriber’s/user’s consent may be freely recalled and the “opt out” possibility must be provided to the subscriber by the CSP free of charge and with simple means, every time he is connected to the network or in each transmission of communication.
Location data processing is allowed exceptionally without the subscriber’s/user’s prior consent to authorities dealing with emergencies, such as prosecution authorities, first aid or fire-brigade authorities, when location of the caller is necessary for serving such emergency purposes.
Cookie compliance – The use and storage of cookies and similar technologies is allowed when the subscriber/user has provided his express consent, after his/her comprehensive and detailed notification by the CSP. The subscriber’s consent may be provided through the necessary browser adjustments or through the use of other applications.