Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

The Data Protection Act imposes several security obligations on data controllers. They include a confidentiality obligation and an obligation that data processing be conducted solely and exclusively by persons acting under the authority and instructions of the data controller or processor.

The confidentiality obligation is fulfilled where the persons so appointed are suitable, in the sense that they possess professional qualifications that provide sufficient guarantees in respect of their technical expertise and personal integrity. The data controller must also implement organisational and technical measures, taking into consideration the risks and nature of the data processing, so as to prevent unlawful processing. To this end, the Hellenic Data Protection Authority has issued its Guidelines 1/2005 on the safe destruction of personal data.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no legal requirement to notify a data breach under the Data Protection Act. However, Law 4070/2012 obliges electronic communication service providers (mainly telecommunications providers and internet service providers) to notify individuals in the event of a breach of their personal data. In such a case, the provider should:

  • notify the Hellenic Data Protection Authority and the Hellenic Authority for Information and Communication Security and Privacy without undue delay, as stipulated in Joint Decision 1/2013; and
  • notify the subscribers or individuals of the breach, under the terms and conditions set out in EU Regulation 611/2013 on Technical Implementing Measures for Data Breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no legal obligation to notify the regulator in the event of a data breach, except in the specific case of electronic communication service providers.
