Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

Greece has transposed the major directives on data protection – the EU Data Protection Directive (95/46/EC) and the EU E-Privacy Directive (2002/58/EC and its amending Directive 2009/136/EC) – into national law. Therefore, it can be argued that Greece has kept pace with Europe, since it is in compliance with the European legal framework on data protection.

Are any changes to existing data protection legislation proposed or expected in the near future?

Following the adoption of the EU General Data Protection Regulation (2016/679) and the EU Law Enforcement Data Protection Directive (2016/680), Greece is obliged to abide by the new European legislation on data protection. Since the regulation entered into force on May 24 2016, Greece has two years to comply with the new requirements. As regards the directive, Greece must complete its transposition into national law by May 6 2018.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The collection, storage and use of personal data are mainly governed by the Data Protection Act (2472/1997). In relation to the protection of personal data and privacy in the electronic communications sector specifically, Law 3471/2006 also applies.

Scope and jurisdiction
Who falls within the scope of the legislation?

The Data Protection Act refers only to natural persons, identified or identifiable, whose personal data is processed. Information concerning legal entities is not regarded as personal data that falls within the scope of the Data Protection Act, unless the trade name includes the name of a natural person (eg, sole traders or partnerships). Nevertheless, it may be concluded from case law, Articles 5A and 9A of the Constitution and Articles 57, 59 and 932 of the Civil Code on the protection of personality that legal persons also enjoy data protection rights. 

What kind of data falls within the scope of the legislation?

Two categories of data are governed by the Data Protection Act: personal data and sensitive data. ‘Personal data’ is any information relating to the data subject, except statistical data where natural persons may no longer be identified. ‘Sensitive data’ is any information referring to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, social welfare and sexual life, criminal charges or convictions, as well as membership of any associated societies.

Are data owners required to register with the relevant authority before processing data?

In accordance with the Data Protection Act, data controllers must notify the Hellenic Data Protection Authority (HDPA) of the establishment and operation of a file or the commencement of data processing. However, the act sets out the following exemptions from the notification obligation:

  • An employment relationship or project relationship exists, or services are provided to the public sector;
  • The data subjects are clients or suppliers of the data controller;
  • The data controller is a trade union, association, legal entity or political party, and the data subjects are members or partners thereof;
  • Medical data is processed by doctors or other healthcare providers;
  • Data is processed by lawyers, notaries public, land registrars or bailiffs, or associated companies, for the purpose of providing legal services to clients; or
  • Data is processed by judicial authorities or services.

Is information regarding registered data owners publicly available?

An online registry for authorised data owners is under construction by the HDPA and will soon be available to the public. At the moment, anyone with a legal interest can be informed about registered data owners after submitting an application to the HDPA. 

Is there a requirement to appoint a data protection officer?

The act does not require the appointment of a data protection officer. However, there is always someone responsible for the processing of personal data whom data subjects may contact in order to exercise their rights.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Hellenic Data Protection Authority is responsible for enforcing data protection legislation in Greece. Its powers, competences and composition are regulated in Articles 15 to 20 of the Data Protection Act. Its establishment is also foreseen in the Constitution under Article 9A.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

As a general rule, personal data can be collected, stored and processed only if the data subject has given his or her consent. However, a limited number of exemptions from the fundamental legal basis for the lawful processing of personal data apply to processing that is necessary:

  • to execute a contract to which the data subject is a party or during the pre-contractual stages;
  • to comply with a legal obligation;
  • to preserve vital interests of the data subject;
  • to perform a task carried out in the public interest or a project carried out in the exercise of public functions by a public authority, or assigned by such to the data controller or a third party to which such data is communicated; or
  • to serve a legitimate interest of the data controller or a third party, where this legitimate interest evidently prevails over the rights and interests of the data subject and the processing does not affect his or her fundamental freedoms. 

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

There are no specific limitations or restrictions under the Data Protection Act on the period for which data may or must be retained. The Hellenic Data Protection Authority may decide on an ad hoc basis according to the nature of the data and the purpose of the processing. However, under Law 3917/2011, which transposed the EU Data Retention Directive (2006/24) into national law, providers of publicly available electronic communication services are obliged to retain traffic and location data of their subscribers for 12 months. Even though the Data Retention Directive was invalidated by the European Court of Justice in Digital Rights Ireland Ltd (Joined Cases C-293/12 and C-594/12), Greece has not yet reformed Law 3917/2011.

Do individuals have a right to access personal information about them that is held by an organisation?

Under Article 12 of the Data Protection Act, data subjects are granted the right to access their personal information. Article 12 sets out the information that a data subject is entitled to request (eg, all personal data and its source, the purposes of the processing and the recipients or categories of recipient). Upon filing an application and paying the requested fee, the right to access must be satisfied within 15 days.

Do individuals have a right to request deletion of their data?

Another significant right that data subjects enjoy is the right to object to the processing of their personal data. An objection to data processing also involves the deletion of data. Individuals may submit a written request to the data controller and the controller must provide a justified reply within 15 days.

Consent obligations
Is consent required before processing personal data?

Consent is regarded as the fundamental legal basis for the lawful processing of personal data. The Data Protection Act defines ‘consent’ as follows:

“any freely given, explicit and specific indication of will, whereby the data subject expressly and fully cognizant signifies his/her informed agreement to personal data relating to him being processed. Such information shall include at least information as to the purpose of processing, the data or data categories being processed, the recipient or categories of recipients of personal data as well as the name, trade name and address of the data controller and his/her representative, if any. Such consent may be revoked at any time without retroactive effect.” 

If consent is not provided, are there other circumstances in which data processing is permitted?

Yes. Although consent is the fundamental legal basis for the lawful processing of personal data, a limited number of exemptions apply to processing that is necessary:

  • to execute a contract to which the data subject is a party or during the pre-contractual stages;
  • to comply with a legal obligation;
  • to preserve vital interests of the data subject;
  • to perform a task carried out in the public interest or a project carried out in the exercise of public functions by a public authority, or assigned by such to the data controller or a third party to which such data is communicated; or
  • to serve a legitimate interest of the data controller or a third party, where this legitimate interest evidently prevails over the rights and interests of the data subject and the processing does not affect his or her fundamental freedoms. 

What information must be provided to individuals when personal data is collected?

When personal data is collected, the data subject must be informed of:

  • the identity of the data controller and of the data controller’s representative;
  • the purpose of the data processing;
  • the recipients or the categories of recipient; and
  • the right of access.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

The Data Protection Act imposes several security obligations on data controllers. They include a confidentiality obligation and an obligation that data processing be conducted solely and exclusively by persons acting under the authority and instructions of the data controller or processor.

The confidentiality obligation is fulfilled where the persons so appointed are suitable, in the sense that they possess professional qualifications that provide sufficient guarantees in respect of their technical expertise and personal integrity. The data controller must also implement organisational and technical measures, taking into consideration the risks and nature of the data processing, so as to prevent unlawful processing. To this end, the Hellenic Data Protection Authority has issued its Guidelines 1/2005 on the safe destruction of personal data.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no legal requirement to notify a data breach under the Data Protection Act. However, Law 4070/2012 obliges electronic communication service providers (mainly telecommunications providers and internet service providers) to notify individuals in the event of a breach of their personal data. In such a case, the provider must:

  • notify the Hellenic Data Protection Authority and the Hellenic Authority for Information and Communication Security and Privacy without undue delay, as stipulated in Joint Decision 1/2013; and
  • notify the subscribers or individuals of the breach, under the terms and conditions set out in EU Regulation 611/2013 on Technical Implementing Measures for Data Breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no legal obligation to notify the regulator in the event of a data breach, except in the specific case of electronic communication service providers.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

Law 3471/2006 on the protection of personal data in the electronic communications sector transposed EU Directive 2002/58/EC into national law and introduced new rules on spam. The use of electronic communications (eg, email, fax, automatic calling machines) for the purpose of direct marketing is permitted only if the data subjects have given their prior consent (opt-in system), unless there is an existing customer relationship or a prior transaction has been concluded, in which case the opt-out rule applies. In order to ensure compliance with the data protection rules, the Hellenic Data Protection Authority has issued its Guidelines 2/2011, which set out best practices for obtaining consent by electronic means for the purposes of direct marketing.

Cookies
Are there rules governing the use of cookies?

Law 4070/2012 introduced provisions governing cookies into Greek law. Cookies (or similar technologies) can be used to store information or gain access to information stored on the technical equipment of a subscriber or user, as long as he or she has given informed consent. If the data subject has not been provided with clear and comprehensive information on cookie use, his or her consent is not considered valid. Consent can also be given via browser or other application settings. In this case, and in accordance with guidance from the Hellenic Data Protection Authority, consent must be given for every single cookie to be installed. General and abstract consent to all cookies provided via browser or other application settings is prohibited.

Exceptionally, consent is not required for technical storage or access for the sole purpose of transmitting a communication through an electronic communications network, or which is strictly necessary for the provision of information society services explicitly requested by the subscriber or user. The Hellenic Data Protection Authority stipulates that cookies installed for the purpose of online advertising are expressly excluded from this exemption; thus, data subjects should explicitly consent to the installation of both ‘first-party’ cookies and ‘third-party’ cookies.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Under the Data Protection Act, the following cross-border data flows are permitted:

  • data transfers within the European Union, which are unconditional; and
  • data transfers to non-EU countries, where the Hellenic Data Protection Authority (HDPA) has issued its permission.

Permission will be issued only where the destination country provides an adequate level of protection. The adequacy of protection is assessed based on factors such as:

  • the nature of the data to be transmitted;
  • the purpose and duration of the processing;
  • sectoral and general rules of law and principles in the destination country;
  • relevant codes of conduct; and
  • the minimum level of security and level of protection in the countries of origin, transit and final destination of the data.

Permission is not required if the European Commission has decided, on the basis of Article 31.2 of the EU Data Protection Directive (95/46/EC), that the country in question guarantees an adequate level of protection, in the sense of Article 25 of the directive.

The act provides that, in the following limited situations, data transfers to third countries that do not provide an adequate level of protection may still be permitted at the HDPA’s discretion:

“a. The data subject has consented to such transfer, unless such consent has been extracted in a manner contrary to the law or bonos mores.

b. The transfer is necessary:

i) in order to protect the vital interests of the data subject, provided s/he is physically or legally incapable of giving his/her consent, or

ii) for the conclusion and performance of a contract between the data subject and the Controller or between the Controller and a third party in the interest of the data subject.

c) The transfer is necessary in order to address an exceptional need and safeguard a superior public interest, especially for the performance of a co-operation agreement with the public authorities of the other country, provided that the Controller provides adequate safeguards with respect to the protection of privacy and fundamental liberties and the exercise of the corresponding rights.

d) The transfer is necessary for the establishment, exercise or defence of a right in court.

e) The transfer is made from a public register which by law is intended to provide information to the public and which is accessible by the public or by any person who can demonstrate legitimate interest, provided that the conditions set out by law for access to such register are in each particular case fulfilled.

f) The Controller shall provide adequate safeguards with respect to the protection of the data subjects' personal data and the exercise of their rights, when the safeguards arise from contractual clauses which are in accordance with the regulations of the present law. A permit is not required if the European Commission has decided, on the basis of article 26, paragraph 4 of Directive 95/46/EC, that certain contractual clauses offer adequate safeguards for the protection of personal data.”

Are there restrictions on the geographic transfer of data?

Under the rules on data transfers described above, data transfers outside the European Union are subject to the restrictions and conditions set out there.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

If data is transferred to a third party, the data owner must notify the Hellenic Data Protection Authority about its disclosure or request permission for the transfer of sensitive data to third parties. Additionally, the data subjects must be informed of the recipients or categories of recipient of the data.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

The penalties for non-compliance with data protection provisions depend on the specific violation:

  • Improper notification or failure to notify is punishable by imprisonment for up to three years and a fine ranging from €2,934.70 to €14,673.51.
  • Failure to obtain a permit is punishable by imprisonment for at least one year and a fine ranging from €2,934.70 to €14,673.51.
  • Failure to notify the interconnection of files is punishable by imprisonment for up to three years and a fine ranging from €2,934.70 to €14,673.51.
  • Unauthorised access or similar is punishable by imprisonment and a fine; if sensitive data is involved, the term of imprisonment is at least one year and the fine ranges from €2,934.70 to €29,347.02.
  • Failure to comply with decisions of the Hellenic Data Protection Authority is punishable by imprisonment for at least two years and a fine ranging from €2,934.70 to €14,673.51.
  • Illegal financial gain is punishable by imprisonment for up to 10 years and a fine ranging from €5,869.40 to €29,347.02.
  • Threat to national security is punishable by imprisonment at the court’s discretion (for between five and 20 years) and a fine ranging from €14,673.51 to €29,347.02.

The Hellenic Data Protection Authority may also impose administrative sanctions, which include:

“a) warning, with a deadline to stop the breach,

b) fines ranging from 880.41 Euros to 146,752.37 Euros (these amounts may be adjusted from time to time upon a decision of the Ministry of Justice),

(c) temporary revocation of permit,

(d) permanent revocation of permit,

e) destruction of a filing system or interruption of processing and destruction, return or engaging (blocking) of the relevant files.”

The above administrative sanctions may be imposed upon considering the seriousness of the violation, independently or cumulatively, and only after hearing the data controller or its representative.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Civil liability is established on the principle that the data subject must be fully compensated for any loss that he or she has suffered due to acts or omissions of a natural or legal person in breach of the Data Protection Act. If the loss is not financial, the data subject may be awarded compensation for moral injury. The act imposes a standard of liability that is close to strict, in the sense that the party causing harm will not be excused simply because it did not predict the harm, if it ought to have predicted the possibility of harm. Civil liability is independent of any criminal consequences for the defendant.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Greece has not yet introduced legislation with regard to cybersecurity. However, according to the European Union Agency for Network and Information Security, Greece is in the process of preparing a cybersecurity strategy.

As for cybercrime legislation, there is no uniform legal framework, but rather only piecemeal provisions (eg, on child pornography and computer fraud) in the Penal Code and other laws, such as the Data Protection Act and Intellectual Property Act. 

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Greece transposed the EU Critical Infrastructure Directive (2008/114/EC) into national law through Presidential Decree 39/2011 regarding Critical Infrastructure Protection. In addition, the Hellenic Authority for Information and Communication Security and Privacy issued a Regulation for the Safety and Integrity Network and Electronic Communications Services in 2013, which addresses network and electronic communication services in Greece, information and communication systems and electronic critical infrastructure, and expressly references EU and international standards for security certification and accreditation.

Further, the National Intelligence Service Law (3649/2008) grants responsibility for the classification of government data to the National Intelligence Service. 

Which cyber activities are criminalised in your jurisdiction?

Under the Criminal Code, the Data Protection Act and IP laws, the following cyber activities have been criminalised:

  • computer fraud;
  • violation of secrecy;
  • misuse of software;
  • unauthorised data access;
  • child pornography;
  • grooming;
  • circumvention of technological measures;
  • circumvention of rights management information; and
  • breach of personal data.

Which authorities are responsible for enforcing cybersecurity rules?

The Hellenic Authority for Information and Communication Security and Privacy is the primary body responsible for network and information security in Greece. The National Intelligence Service (NIS) is responsible for matters relating to information and network security as established in Law 3649/2008, while the Directorate of Cyber Defence is responsible for cyber warfare and liaises with the NIS and the Greek police.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Not applicable.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Not applicable.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

There is no legal obligation for companies to report cybercrime incidents to the authorities. However, NCERT-GR – a body which collects data on cybersecurity incidents and maintains an email-based reporting platform to log such incidents – advises that government agencies should be informed of such incidents.

Are companies required to report cybercrime threats, attacks and breaches publicly?

Not applicable.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

The criminal sanctions for cybercrimes are as follows:

  • Computer fraud is punishable by imprisonment for between three months and five years.
  • Child pornography is punishable by imprisonment for at least two years. Child pornography which is professional or habitual, or which “is connected to the exploiting of the need, mental or intellectual weakness or corporal dysfunction of the minor due to organic disease or by exercise or threat of violence or using a minor under the age of fifteen”, is punishable by imprisonment for up to 10 years. If the former act “resulted in grievous bodily harm to the victim, it will entail a sentence of at least ten years' imprisonment and a fine of one hundred thousand to five hundred thousand Euros. If, however, such an act resulted in the victim’s death, then life imprisonment is imposed”.
  • Violation of secrecy is punishable by imprisonment for between three months and five years. If the secret data is of great economic value, the violation is punishable by imprisonment for between one and five years.
  • Misuse of software is punishable by imprisonment for up to six months. The IP Law (2121/1993) further provides that copyright infringement is punishable by imprisonment for at least a year. Certain aggravating circumstances, such as financial gain or organised crime, will incur harsher criminal sanctions.
  • Unauthorised data access is punishable by imprisonment for up to six months.
  • Indecent exposure to “persons under the age of fifteen is sentenced to an imprisonment of at least two years. In case of this activity rehearsed repeatedly or an encounter has taken place, this shall entail a sentence of at least three years’ imprisonment for the adult”. Moreover, an offender who “builds contact with a person that appears to be a minor under the age of fifteen is sentenced to an imprisonment of at least one year. In case of this activity rehearsed repeatedly or an encounter with the appear-to-be a minor has taken place, this shall entail a sentence of at least three years’ imprisonment for the adult”.
  • Approaching a child for sexual reasons is punishable by imprisonment for at least two years.
  • Circumvention of technological measures in breach of Article 66A of the Technological Protection Measures Law (2121/1993) is punishable by imprisonment for at least one year.
  • Circumvention of Rights Management Information is punishable by imprisonment for at least one year.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Penalties may vary, depending on the crime:

  • Child pornography is punishable by a fine of between €50,000 and €300,000; child pornography which is professional or habitual is punishable by fines of between €50,000 and €100,000.
  • Misuse of software is punishable by a fine of between €290 and €5,900; the offender may also be ordered to pay a fine of between €2,900 and €15,000 under the IP Law (2121/1993).
  • Unauthorised data access is punishable by a fine of between €29 and €15,000.
  • Approaching a child for sexual reasons is punishable by a fine of between €50,000 and €200,000.
  • Circumvention of technological measures or rights management information is punishable by a fine of between €2,900 and €15,000.