Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The general legislative framework for the protection of PII is the General Data Protection Regulation (EU) 2016/679 (GDPR), which entered into force on 25 May 2018, as well as Greek Law 4624/2019, which implements the GDPR and entered into force in August 2019.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The responsible authority is the Greek Data Protection Authority. The Greek Data Protection Authority may perform investigations, either on its own initiative or after a complaint has been lodged, and obtain access to the premises of a PII owner or processor, including data protection equipment and means, as well as personal data and all information necessary for the performance of its tasks.

Moreover, the Greek Data Protection Authority has the power to order a PII owner or a PII processor to provide any information it deems necessary, to carry out investigations in the form of data protection audits and to carry out reviews on certifications related to data protection.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The Greek Data Protection Authority, like all supervisory authorities in European Union member states, participates in the ‘consistency mechanism’ provided for in the GDPR. Therefore, the Greek Data Protection Authority is under an obligation to cooperate with other supervisory authorities, including by sharing information and providing mutual assistance, with a view to ensuring the consistent application and enforcement of the GDPR. The Greek Data Protection Authority shall also participate in joint operations, joint investigations or joint enforcement measures of the supervisory authorities. To resolve disputes between supervisory authorities, the European Data Protection Board shall issue binding decisions, which may be challenged before the European Court of Justice.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of data protection law can lead to administrative sanctions, imposed by the Greek Data Protection Authority, as well as to criminal penalties, imposed by the criminal courts.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

National security and policing do not fall under the scope of the General Data Protection Regulation (GDPR), but they do fall under the scope of Directive 2016/680/EU, which has also been transposed into the Greek legal order by Greek Law 4624/2019.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

Interception of communications is covered by Law 2225/1994 on freedom of communication, which implements article 19 of the Greek Constitution providing for the right to communication privacy. Articles 370 and 370A of the Greek Penal Code concerning the privacy of correspondence, telephone conversations and oral conversations also apply. As regards the interception of electronic communications, article 4 of Law 3471/2006, implementing Directive 2002/58/EC on electronic communications privacy, applies as well. Law 3115/2003 establishes the Greek Communications Security Authority, which is responsible for supervising the security of communications infrastructure.

Electronic marketing or monitoring is covered by Law 3471/2006, implementing Directive 2002/58/EC on electronic communications privacy. For any issue not covered by Law 3471/2006, the GDPR applies. Law 3471/2006 will be repealed once the ePrivacy Regulation comes into force.

CCTV is covered by the GDPR. Also, the Greek Data Protection Authority issued, under the force of Directive 95/46/EC and Law 2472/2007, Directive 1/2011 on the use of CCTV in private or semi-private entities (eg, restaurants, banks, etc) and Directive 115/2001 on the protection of privacy in the workplace, also dealing with the issue of CCTV. Notwithstanding the GDPR, these two directives may still be consulted.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

The following specific data protection rules also apply:

  • Legislative Decree 1059/1971 on bank account privacy;
  • article 40 of Law 3259/2004 on the retention period of data relating to economic behaviour;
  • Law 4557/2018 concerning anti-money laundering measures, transposing Directive 2015/849/EU, in combination with Law 3932/2011 on the establishment of an anti-money laundering authority;
  • decisions of the Greek Data Protection Authority (Nos. 109/1999, 523/1999, 86/2002, 24/2004, 6/2006, 11/2006, 21/2007 and 50/2011) on data processing by TEIRESIAS SA, a société anonyme responsible for the holding of data concerning legal or natural persons in default, bankruptcy, etc;
  • article 5 of the Administrative Procedure Code regarding access to documents;
  • Law 3861/2010 on open governance; and
  • Law 3979/2011 on electronic governance.

PII formats

What forms of PII are covered by the law?

Both automated and non-automated processing activities are covered by the law; in the case of non-automated processing, however, the personal data must be structured according to specific criteria so that they form a filing system.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Under article 3, the GDPR applies to PII owners and PII processors established in Greek territory, as well as to the processing of the data of data subjects in Greece who are offered goods or services, or whose behaviour is monitored, by PII owners or PII processors not established in the EU.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

All processing or use of PII is covered.

A distinction is made between PII processors and PII controllers, but a PII owner is also a PII controller and bears the duties of a PII controller.

The duties of PII owners and controllers differ from those of PII processors. PII owners and controllers bear the full bundle of obligations provided for by the GDPR, and so are responsible for:

  • lawfully processing personal data (eg, after acquiring the explicit consent of the data subject);
  • accommodating and satisfying the data subjects’ rights (ie, to information, access, rectification, erasure, restriction of processing, data portability, and the withdrawal of consent);
  • notifying the Data Protection Authority of a data breach;
  • conducting a data protection impact assessment study, if applicable; and
  • providing documented instructions to processors on data processing in a data processing agreement with the processor.

PII processors are mainly responsible for:

  • fulfilling their contractual obligations under the data processing agreement, and informing the PII owner or controller if an instruction, in their opinion, infringes the GDPR or other data protection law;
  • notifying the PII owner or controller of a data breach;
  • assisting the PII owner or controller in answering data subjects’ requests, and in satisfying their rights, if possible and reasonable;
  • at the request of the PII owner or controller, deleting or returning all PII after the end of the provision of services, and deleting existing copies, unless the law requires otherwise;
  • ensuring that their personnel have committed themselves to confidentiality or are under a statutory obligation of confidentiality;
  • making available to the PII owner or controller all information necessary to demonstrate compliance with their obligations; and
  • allowing for and contributing to audits, including inspections, conducted by the PII owner or controller or another auditor mandated by the latter.

Law stated date

Correct on

Give the date on which the information above is accurate.

25 May 2020.