Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

Until 25 May 2018, Law 2472/1997, a dedicated data protection law transposing Directive 95/46/EC, was in force. Since the entry into force of the General Data Protection Regulation 2016/679/EU (GDPR) on 25 May 2018, which prevails over statutory law, Law 2472/1997, although not yet repealed, may not be enforced in areas regulated by the GDPR, which is directly applicable and enforceable in Greece as a European Union member state. No law implementing the GDPR has been issued yet.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The responsible authority is the Greek Data Protection Authority. The Greek Data Protection Authority may perform investigations, either on its own initiative or after a complaint has been lodged, and obtain access to the premises of a PII owner or processor, including data protection equipment and means, as well as personal data and all information necessary for the performance of its tasks.

Moreover, the Greek Data Protection Authority has the power to order the PII owner or the PII processor to provide any information it deems necessary, to carry out investigations in the form of data protection audits and to carry out reviews on certifications related to data protection.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

The Greek Data Protection Authority, like all supervisory authorities in EU member states, participates in the ‘consistency mechanism’ provided in the GDPR. Therefore, the Greek Data Protection Authority is under the obligation to cooperate with, including sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR. The Greek Data Protection Authority shall also participate in joint operations, joint investigations or joint enforcement measures of the supervisory authorities. To resolve disputes between supervisory authorities, the European Data Protection Board shall issue binding decisions, which may be challenged before the European Court of Justice.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of data protection law lead to administrative sanctions, imposed by the Greek Data Protection Authority, as well as to criminal penalties, imposed by the criminal courts.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

National security and policing do not fall under the scope of the GDPR, but they do fall under the scope of Directive 2016/680/EU, which has not yet been transposed into the Greek legal order.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Interception of communications is covered by Law 2225/1994 on freedom of communication, which implements article 19 of the Greek Constitution providing for the right to communication privacy. Articles 370 and 370A of the Greek Penal Code concerning the privacy of correspondence, telephone conversations and oral conversations also apply. As regards the interception of electronic communications, article 4 of Law 3471/2006 implementing Directive 2002/58/EC on electronic communications privacy applies as well. Law 3115/2003 establishes the Greek Communications Security Authority, which is responsible for supervising the security of communications infrastructure.

Electronic marketing or monitoring is covered by Law 3471/2006, implementing Directive 2002/58/EC on electronic communications privacy. For any issue not covered by Law 3471/2006, the GDPR applies. Law 3471/2006 will be abolished once the ePrivacy Regulation comes into force.

CCTV is covered by the GDPR. Also, the Greek Data Protection Authority issued, under the force of Directive 95/46/EC and Law 2472/1997, Directive 1/2011 on the use of CCTV in private or semi-private premises (eg, restaurants, banks, etc) and Directive 115/2001 on the protection of privacy in the workplace, which also deals with CCTV. Notwithstanding the GDPR, these two directives may still be consulted.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

In addition to the laws and regulations listed in question 6, the following specific data protection rules should also, indicatively, be pointed out:

  • Legislative Decree 1059/1971, as in force, on bank account privacy;
  • article 40 of Law 3259/2004, as in force, on the retention period of data relating to economic behaviour;
  • Law 4557/2018, as in force, concerning anti-money laundering measures, transposing Directive 2015/849/EU, in combination with Law 3932/2011 on the establishment of an anti-money laundering authority;
  • decisions of the Greek Data Protection Authority (Nos. 109/1999, 523/1999, 86/2002, 24/2004, 6/2006, 11/2006, 21/2007 and 50/2011) on data processing by TEIRESIAS SA, a société anonyme responsible for the holding of data concerning legal or natural persons in default, bankruptcy, etc;
  • article 5 of the Administrative Procedure Code, as in force, regarding access to documents;
  • Law 3861/2010, as in force, on open governance; and
  • Law 3979/2011, as in force, on electronic governance.

PII formats

What forms of PII are covered by the law?

Both automated and non-automated processing activities are covered by the law, but in the case of non-automated processing the personal data must be structured according to specific criteria so as to form a filing system.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Based on article 3 of the GDPR, the law applies both to PII owners and PII processors established in Greek territory, and to data subjects in Greece who are offered goods or services, or whose behaviour is monitored, by PII owners or PII processors not established in the EU.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

All processing or use of PII is covered.

A distinction is made between PII processors and PII controllers, but a PII owner is also a PII controller and bears the duties of a PII controller.

The duties of PII owners and controllers on the one hand and PII processors on the other hand differ accordingly. PII owners and controllers bear the full bundle of obligations, provided for by the GDPR, indicatively they are responsible for:

  • lawfully processing personal data, eg, after acquiring the explicit consent of the data subject;
  • accommodating and satisfying the data subjects’ rights (to information, access, rectification, erasure, restriction of processing, data portability and the withdrawal of consent);
  • notifying the Data Protection Authority of a data breach;
  • conducting a data protection impact assessment (DPIA), where applicable; and
  • providing documented instructions to processors on data processing in a data processing agreement with the processor.

PII processors are mainly responsible for:

  • fulfilling their contractual obligations under the data processing agreement, and informing the PII owner or controller if an instruction, in their opinion, infringes the GDPR or other data protection law;
  • notifying the PII owner or controller of a data breach;
  • assisting the PII owner or controller in answering data subjects’ requests, and in satisfying their rights, if possible and reasonable;
  • at the request of the PII owner or controller, deleting or returning all PII after the end of the provision of services, and deleting existing copies, unless the law requires otherwise;
  • ensuring that their personnel have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
  • making available to the PII owner or controller all information necessary to demonstrate compliance with their obligations; and
  • allowing for and contributing to audits, including inspections, conducted by the PII owner or controller or another auditor mandated by the latter.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

PII holding has to be legitimised on one of the following specific grounds:

  • consent;
  • performance of a contract (eg, to proceed to payments or other obligations in the contract) or a precontractual stage necessitating the collection of PII (to conduct due diligence);
  • compliance with a legal obligation of the PII owner (eg, one imposed by tax legislation, labour law or a court order in the course of a criminal investigation);
  • performance of a task in the public interest vested with the PII controller, eg, when the PII controller is a public authority;
  • protection of the vital interests of a data subject (eg, health) or of another natural person; or
  • protection of the legitimate interest of the PII owner or a third party (for example, one with whom the PII owner has a contractual relationship) that is not overridden by the rights and interests of the data subjects.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Processing of personal data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is in principle prohibited.

The processing of such data is exceptionally permitted if:

  • explicit consent has been given, unless consent cannot serve as the legal basis for the processing;
  • the vital interests of the data subject or of another natural person are concerned, and the data subject is physically or legally incapable of giving consent;
  • a substantial public interest specified by law is at stake;
  • it is necessary to defend a legal claim;
  • it is necessary for reasons of public health, specified in the law;
  • personal data has been manifestly made public by the data subject; or
  • it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Specific types of data related to beliefs may be processed by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim in the course of their legitimate activities, and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside that body without the consent of the data subjects.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

Yes, the PII owner must notify the individual whose PII it holds. If PII is collected from the data subject, then the notification must be made at the time of the collection. If PII is collected from another source, then the notification must take place within a reasonable period after collection depending on the circumstances, and in any case not exceeding one month, or at the time of the first communication with the data subject, if the PII is to be used for that purpose, or prior to a disclosure to another recipient, if PII is to be used for such a purpose.

The notification must contain:

  • the identity and contact details of the PII owner and the contact details of the DPO, if applicable;
  • the purposes and the legal basis of processing. If the legal basis for processing is a legitimate interest of the PII owner, the PII owner must explain the legitimate interest. If the legal basis is a statutory, contractual or pre-contractual obligation, the PII owner has to explain such an obligation, and also the consequences, in case of failure to provide such data;
  • the retention period or the retention criteria;
  • any recipients and data transfers. If PII is transferred outside the EU, the PII owner has to explain whether or not the PII is transferred to an organisation or a third country covered by an adequacy decision. If not, the PII owner has to demonstrate the appropriate safeguards governing such a transfer and offer the possibility of obtaining a copy of them;
  • the data subjects’ rights (access, rectification or erasure of personal data, restriction of processing concerning the data subject and objection to processing, as well as the right to data portability and the ability to withdraw consent, if applicable), including the right to lodge a complaint before the supervisory authority; and
  • if the PII owner has not obtained the PII from the data subject, the PII owner has to inform the data subject about the source of the PII, as well as whether it came from a publicly available source.

Exemption from notification

When is notice not required?

A notification is not required if the data subject already has all the information required and the PII owner is able to demonstrate such fact, for example, if all the required information has been provided before acquiring consent to data processing.

Additionally, if PII has been obtained from a source other than the data subject, then notification is not required if it is impossible, would demand disproportionate effort or would render impossible or seriously impair the objectives of the processing; or if the PII must remain confidential due to professional or statutory secrecy obligations.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

As a principle, individuals are entitled to provide their consent to the processing of any personal data concerning them. This means that the individual freely (that is, without any coercion or fear of the consequences) gives a specific (that is, related to a particular purpose), informed and unambiguous indication of his or her wishes, by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Additionally, PII owners must offer individuals the ability to withdraw their consent to processing in the future as easily as the consent was given.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Not specifically.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

PII may be kept for as long as it is necessary to serve the purpose of processing. No specific retention period is laid down in the GDPR. However, specific retention periods may be found in respective legislation. For example, a school has to maintain medical certificates of pupils for three years; then it has to return old certificates and request new ones.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the finality principle applies.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Further processing is exceptionally permitted in the following cases:

  • if the data subject has given his or her consent to the processing for a specific purpose other than that for which the personal data has been collected;
  • if a law that is both necessary and proportionate in a democratic society provides for such an exception in order to safeguard important aspects of the public interest, such as national security, defence, public security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, an important economic or financial interest of the EU or a member state, the protection of judicial independence and judicial proceedings, the enforcement of civil law claims, etc;
  • for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes, under the condition that such further processing does not permit or no longer permits the identification of data subjects; or
  • if the PII owner can ascertain compatibility of the initial purpose with the further purpose, taking into account any link between them, the context in which the PII has been collected, in particular regarding the relationship between the data subjects and the PII owner, the nature of the personal data (if it is simple or sensitive), possible consequences for the data subjects and the existence of appropriate safeguards, which may include encryption or pseudonymisation.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

The PII owner has to follow technical and organisational security measures, which are generally prescribed in the GDPR by reference to:

  • pseudonymisation and encryption;
  • ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of the processing.

Directive 2016/680/EU specifies the security measures as those designed to control equipment access, data media, user, data access, communication, input and transport, as well as recovery and integrity measures.

The Greek DPA published on its website under the force of Law 2472/1997 a detailed template of a security policy, incorporating suggestions and directions for technical and organisational measures, physical and electronic security measures and a restoration plan in case of an accident. This template may still provide some guidance to PII owners.

For electronic communication services providers, the Communications Security Authority has issued decisions (eg, Government Gazette 1742/B/2013, Government Gazette 2715/B/2011) that include detailed provisions about what a security policy (based on the details of the processing) should include. Such provisions are strictly enforced by the Communications Security Authority.

As the NIS Directive (2016/1148/EU, the directive on security of network and information systems) entered into force on 9 May 2018, Greek Law 4577/2018 implementing the NIS Directive has been issued.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

In case of a personal data breach, the PII owner has to notify the Greek Data Protection Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay.

The PII owner also has to notify the data subject of the data breach without undue delay when the personal data breach is likely to result in a high risk to his or her rights and freedoms. The PII owner is not under an obligation to inform the data subject if:

  • appropriate technical and organisational protection measures, such as encryption, have been applied;
  • subsequent measures mitigating the high risk to the rights and freedoms of data subjects mean that it is no longer likely to materialise; or
  • it would involve disproportionate effort. In such a case, a public communication or similarly effective measure takes place instead.

However, the Greek Data Protection Authority may still demand that the data subject be notified.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

The appointment of a data protection officer (DPO) is mandatory for the public sector, including administrative authorities of the state, legal entities of public law and state-owned legal entities offering products or services of public goods or operating infrastructure facilities.

As regards the private sector, the appointment of a data protection officer is mandatory if the data processing involves regular and systematic monitoring of data subjects on a large scale, eg, for the purposes of behavioural advertising or for safety reasons as in the case of CCTV. The appointment of a data protection officer is also mandatory if the core activities of the controller or the processor consist of processing on a large scale of special categories of data (eg, health data) or data relating to criminal convictions and offences.

In any case, the assignment of a DPO, even if not legally necessary, is considered a good practice.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Both PII owners and controllers are required to maintain records of the processing activities under their responsibility in writing, including in electronic form, which shall be made available to the Data Protection Authority upon request.

PII owners and controllers are exempted from such an obligation if they employ fewer than 250 persons. However, the exemption does not apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional or the processing involves sensitive data or data relating to criminal convictions and offences.

New processing regulations

Are there any obligations in relation to new processing operations?

A DPIA must be carried out with regard to new processing operations or existing processing activities that change significantly and meet the criteria for high-risk processing laid down by article 35 of the GDPR.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

Since 25 May 2018, PII owners or processors have not been required to register with the supervisory authority. No exemptions have been made so far.

Formalities

What are the formalities for registration?

Not applicable.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Not applicable.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

Not applicable.

Public access

Is the register publicly available? How can it be accessed?

Not applicable.

Effect of registration

Does an entry on the register have any specific legal effect?

Not applicable.

Other transparency duties

Are there any other public transparency duties?

No, there are not.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

If the entity is within the EU or is covered by an adequacy decision of the European Commission (that is, a decision of the Commission ascertaining an adequate level of data protection in the third country in question), then data transfer shall be governed by a written contract, namely a data processing agreement between the PII owner and the entity, which is in this case the data processor. The data processing agreement shall include, at least, the following content:

  • the documented instructions of the PII owner regarding the categories of data to be processed, the categories of data subjects concerned, the scope and the duration of processing;
  • technical and organisational security measures;
  • the obligation of the data processor to ensure that processing personnel are bound by confidentiality, and ensure that sub-processors are contractually bound to abide by the same level of data protection as specified in the data processing agreement;
  • a list of sub-processors approved by the PII owner. If this list changes, the sub-processor must be contractually bound to notify the PII owner first and give the PII owner the right to object; and
  • other obligations listed under question 10.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Apart from restrictions as regards notification to the data subject explained in question 13, and restrictions regarding legality of the processing explained in question 11, additional restrictions of disclosure to other recipients may be derived from professional or statutory secrecy obligations.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

If the entity receiving personal data (either another PII owner or a PII processor) is outside the EU and is not covered by an adequacy decision, then the data transfer shall be subject to appropriate safeguards and governed by standard contractual clauses between the data importer and the data exporter providing for such safeguards. The issuance of model standard contractual clauses (SCCs) by the European Commission in view of the GDPR is anticipated. Existing model SCCs issued under Directive 95/46/EC (namely, Decision 2001/497/EC, Decision 2004/915/EC and Decision 2010/87/EU) remain in force based on transitional article 46(5) of the GDPR. Other mechanisms for restricted data transfer that ensure appropriate safeguards for data protection are Binding Corporate Rules (BCRs), provided they have been approved by a competent supervisory authority, a code of conduct approved by a supervisory authority, and approved mechanisms of certification, together with binding and enforceable commitments of the PII owner or PII processor in the third country to apply appropriate safeguards.

In specific situations, some derogations from the aforementioned restrictions to provide appropriate safeguards for data protection are, exceptionally, applicable, namely:

  • if the data subject has explicitly consented to the transfer after being informed of the risks involved;
  • the transfer is necessary for the performance of a contract between the data subject and the data exporter or the implementation of pre-contractual measures taken at the data subject’s request;
  • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data exporter and a third person (possibly the data importer);
  • the transfer is necessary for important reasons of public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or
  • the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

Notification of a cross-border transfer to a supervisory authority is not required. However, an authorisation is required if:

  • cross-border transfer concerns an organisation or a third country not covered by an adequacy decision; and
  • no model SCCs approved by the European Commission, approved BCRs, approved code of conduct or approved mechanism of certification have been utilised to ensure an adequate level of data protection.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Yes, all onward transfers have to satisfy the same level of data protection.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Individuals have the right to access personal data held by PII owners. This means that they may obtain a hard or an electronic copy (depending on the circumstances) of the personal data held by the PII owner, and that they are made aware of the conditions of the processing, eg, its scope and purposes and the retention period, as well as the conditions for data transfer to other recipients and third countries. For further copies of the personal data held, a reasonable fee may be charged.

The access right may be exercised by filing an application or sending an email to the PII owner or the data protection officer.

Limitations to this right may be foreseen by the law to safeguard important public interests such as national security and defence, monetary crises, the secrecy of criminal investigations, etc.

Other rights

Do individuals have other substantive rights?

Individuals have the right to require the rectification of incomplete or inaccurate data without undue delay, as well as to fill in incomplete data, if it is necessary for the processing.

Individuals have the right to ask for the erasure of personal data without undue delay, particularly if:

  • the personal data is no longer necessary in relation to the purposes of processing;
  • the person requesting the erasure withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • the data subject objects to the processing and there are no overriding legitimate grounds for the processing or the data subject objects to processing for direct marketing; or
  • the data has to be erased in compliance with a legal obligation.

Individuals have the right to request restriction of processing if the accuracy of personal data is disputed, for so long as it is needed so that the PII owner verifies the accuracy of the personal data.

Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format, as well as the right to request the direct transmission of their personal data to another PII owner, if this is technically feasible.

Individuals may object to the processing of personal data that takes place without their consent.

Individuals may not be subject to fully automated individual decision-making, including profiling.

If processing occurs based on consent, individuals have the right to withdraw their consent for that processing at any time in the way they gave it.

Individuals have the right to lodge a complaint with the Greek Data Protection Authority if they think that data protection laws and regulations have been violated.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals shall be compensated for damage, whether actual (material) damage or injury to feelings, if they are affected by a breach of the law. Individuals may seek compensation from the PII owner alone, or jointly from the PII owner and the PII processor for matters lying within the sphere of their joint liability, such as those covered by the data processing agreement between them.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

These rights are exercisable through the judicial system (compensation claims) and by the supervisory authority (all other rights), provided that the request to exercise such rights has first been raised with the PII owner and has not been satisfied, or not fully satisfied.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Further derogations, exclusions or limitations may be provided for by a member state law implementing the GDPR, which, in the case of Greece, has not been issued yet.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

The supervisory authority, that is, the Greek Data Protection Authority, is an independent administrative agency that issues enforceable administrative acts. These acts may be challenged by the judicial remedy known as a ‘petition for annulment’ before the Supreme Administrative Court (ie, the Council of State) within 60 days of their service on the applicant, or of the applicant otherwise becoming aware of them, and in any case within a reasonable time after their issuance.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The following rules apply to the use of cookies or equivalent technology:

  • the consent of the data subject has to be freely given, specific, informed, unambiguous and written. Additionally, consent must be granular;
  • data processing has to be absolutely necessary to serve a legitimate cause;
  • technology for data minimisation by default must be applied; and
  • anonymity or pseudonymisation options must be made available to the data subject.

The provisions of the anticipated ePrivacy Regulation shall also be relevant.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

Any kind of unsolicited communication for marketing purposes by electronic means is forbidden by law. Unsolicited telephone calls are permitted, provided that the user has not opted out of receiving such calls by enrolling in the relevant registry of the telecommunications provider. A PII owner may process the email addresses of its customers to market its own similar products or services (another legal entity, even one in the same group of companies, is excluded), provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details, both at the time of their collection and in the content of each message sent - for example, by clicking on a clearly visible ‘unsubscribe’ button in the message. It is noted that unsolicited marketing communications should be clearly recognisable as such and should indicate the identity of the PII owner.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

No specific rules or regulations on cloud computing services have been issued by the Greek Data Protection Authority. The Greek Data Protection Authority has drawn attention to Opinion 05/2012 on cloud computing (WP 195) of the Article 29 Working Party established under Directive 95/46/EC, adopted on 1 July 2012.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

The issuance of a Directive of the European Parliament and of the Council for the protection of persons reporting on breaches (Proposal COM (2018) 218 final) (whistle-blowing) is anticipated.