Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

As a general rule, personal data can be collected, stored and processed only if the data subject has given his or her consent. However, a limited number of exemptions from the fundamental legal basis for the lawful processing of personal data apply to processing that is necessary:

  • to execute a contract to which the data subject is a party or during the pre-contractual stages;
  • to comply with a legal obligation;
  • to preserve vital interests of the data subject;
  • to perform a task carried out in the public interest or a project carried out in the exercise of public functions by a public authority, or assigned by such to the data controller or a third party to which such data is communicated; or
  • to serve a legitimate interest of the data controller or a third party, where this legitimate interest evidently prevails over the rights and interests of the data subject and the processing does not affect his or her fundamental freedoms. 

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There are no specific limitations or restrictions on the period for which the data must be retained under the Data Protection Act. The Hellenic Data Protection Authority may decide on an ad hoc basis according to the nature of data and the purpose of processing. However, under Law 3917/2011, which transposed the EU Data Retention Directive (2006/24) into national law, providers of publicly available electronic communication services are obliged to retain traffic and location data of their subscribers for 12 months. Even though the Data Retention Directive was invalidated by the European Court of Justice in Digital Rights Ireland Ltd (Joint Cases C-293/12 and C-594/12), Greece has not yet reformed Law 3917/2011. 

Do individuals have a right to access personal information about them that is held by an organisation?

Under Article 12 of the Data Protection Act, data subjects are granted the right to access their personal information. Article 12 sets out the information that a data subject is entitled to request (eg, all personal data and its source, the purposes of the processing and the recipients or categories of recipient). Upon filing an application and paying the requested fee, the right to access must be satisfied within 15 days.

Do individuals have a right to request deletion of their data?

Another significant right that data subjects enjoy is the right to object to the processing of their personal data. An objection to data processing also involves the deletion of data. Individuals may submit a written request to the data controller and the controller must provide a justified reply within 15 days.

Consent obligations
Is consent required before processing personal data?

Consent is regarded as the fundamental legal basis for the lawful processing of personal data. The Data Protection Act defines ‘consent’ as follows:

“any freely given, explicit and specific indication of will, whereby the data subject expressly and fully cognizant signifies his/her informed agreement to personal data relating to him being processed. Such information shall include at least information as to the purpose of processing, the data or data categories being processed, the recipient or categories of recipients of personal data as well as the name, trade name and address of the data controller and his/her representative, if any. Such consent may be revoked at any time without retroactive effect.” 

If consent is not provided, are there other circumstances in which data processing is permitted?

As a general rule, personal data can be collected, stored and processed only if the data subject has given his or her consent. However, a limited number of exemptions from the fundamental legal basis for the lawful processing of personal data apply to processing that is necessary:

  • to execute a contract to which the data subject is a party or during the pre-contractual stages;
  • to comply with a legal obligation;
  • to preserve vital interests of the data subject;
  • to perform a task carried out in the public interest or a project carried out in the exercise of public functions by a public authority, or assigned by such to the data controller or a third party to which such data is communicated; or
  • to serve a legitimate interest of the data controller or a third party, where this legitimate interest evidently prevails over the rights and interests of the data subject and the processing does not affect his or her fundamental freedoms. 

What information must be provided to individuals when personal data is collected?

When personal data is collected, the data subject must be informed of:

  • the identity of the data controller and of the data controller’s representative;
  • the purpose of the data processing;
  • the recipients or the categories of recipient; and
  • the right of access.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Under the Data Protection Act, the following cross-border data flows are permitted:

  • data transfers within the European Union, which are unconditional; and
  • data transfers to non-EU countries, where the Hellenic Data Protection Authority (HDPA) has issued its permission.

Permission will be issued only where the destination country provides an adequate level of protection. The adequacy of protection is assessed based on factors such as:

  • the nature of the data to be transmitted;
  • the purpose and duration of the processing;
  • sectoral and general rules of law and principles in the destination country;
  • relevant codes of conduct; and
  • the minimum level of security and level of protection in the countries of origin, transit and final destination of the data.

Permission is not required if the European Commission has decided, on the basis of Article 31.2 of the EU Data Protection Directive (95/46/EC), that the country in question guarantees an adequate level of protection, in the sense of Article 25 of the directive.

The act provides that, in the following limited situations, data transfers from third countries that do not provide an adequate level of protection may still be permitted at the HDPA’s discretion:

“a. The data subject has consented to such transfer, unless such consent has been extracted in a manner contrary to the law or bonos mores.

b. The transfer is necessary:

i) in order to protect the vital interests of the data subject, provided s/he is physically or legally incapable of giving his/her consent, or

ii) for the conclusion and performance of a contract between the data subject and the Controller or between the Controller and a third party in the interest of the data subject.

c) The transfer is necessary in order to address an exceptional need and safeguard a superior public interest, especially for the performance of a co-operation agreement with the public authorities of the other country, provided that the Controller provides adequate safeguards with respect to the protection of privacy and fundamental liberties and the exercise of the corresponding rights.

d) The transfer is necessary for the establishment, exercise or defence of a right in court.

e) The transfer is made from a public register which by law is intended to provide information to the public and which is accessible by the public or by any person who can demonstrate legitimate interest, provided that the conditions set out by law for access to such register are in each particular case fulfilled.

f) The Controller shall provide adequate safeguards with respect to the protection of the data subjects' personal data and the exercise of their rights, when the safeguards arise from contractual clauses which are in accordance with the regulations of the present law. A permit is not required if the European Commission has decided, on the basis of article 26, paragraph 4 of Directive 95/46/EC, that certain contractual clauses offer adequate safeguards for the protection of personal data.”

Are there restrictions on the geographic transfer of data?

Under the aforementioned rules on data transfers, restrictions and conditions must be met for data transfers outside the European Union. 

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If data is transferred to a third party, the data owner must notify the Hellenic Data Protection Authority about its disclosure or request permission for the transfer of sensitive data to third parties. Additionally, the data subjects must be informed of the recipients or categories of recipient of the data.
