This article sets out the legislative and regulatory framework governing the protection of personal data in Greece.
GDPR
The main legislation regarding the protection of personal data in Greece is the General Data Protection Regulation (Regulation (EU) 2016/679), in force from May 25, 2018. According to article 288 of the Treaty on the Functioning of the European Union (TFEU), the GDPR is directly applicable in all Member States, which are required to take necessary steps to adapt their national legislation to it.
General Principles: Data must be processed by the data controller in compliance with seven general principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
Lawful Basis for Processing and Security of Processing: Data controllers can only process personal data in the following six circumstances: (1) if the data subject gives his or her explicit consent; (2) to meet contractual obligations entered into by the data subject; (3) to meet a legal obligation under EU or national legislation; (4) to protect the vital interests of the data subject or of another natural person; (5) where processing is necessary for the performance of a task carried out in the public interest under EU or national legislation; or (6) for the purposes of legitimate interests pursued by the data controller.
Rights of the Data Subject: All data subjects have the following rights relating to the processing of their personal data: the Right to Information (data subjects have the right to know how their personal data is being used); the Right of Access (data subjects have the right to request access to the personal data that is being processed); the Right to Rectification (data subjects have the right to request the rectification of incorrect or incomplete data); the Right to Erasure (also known as the “Right to be Forgotten,” meaning that data subjects have the right to request the deletion or removal of their personal data permanently); the Right to Restriction of Processing (data subjects have the right to block or suppress the processing of their personal data); the Right to Data Portability (data subjects have the right to move, copy, or transfer their personal data from one data controller to another, in a structured, commonly used and machine-readable format); the Right to Object to Processing (data subjects have the right to object, in certain circumstances, to the processing of their personal data); the Right to Avoid Automated Decision-Making (data subjects have the right to demand human intervention, rather than having important decisions made solely by algorithm).
The Greek Legal Framework
The key Greek laws regarding personal data protection are: L. 4624/2019 (Government Gazette A137) which lays out the measures for the implementation of the GDPR and incorporates Directive (EU) 2016/680 (which regulates the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses or the execution of criminal penalties) into Greek law; L. 2472/1997, which provides for the protection of individuals with regard to the processing of personal data (L. 2472/1997 has been repealed, except for the provisions referred to expressly in Article 84 of Law 4624/2019); and L. 3471/2006, which incorporates Directive 2002/58/EC (the “E-Privacy Directive”), as amended by Directive 2009/136/EC, and which is complementary and specific to the institutional framework for the protection of personal data in the field of electronic communications.
Also, every regulatory act and direction issued by the Hellenic Data Protection Authority is applicable. The HDPA is a constitutionally-established independent public authority tasked with supervising the application of national laws and other regulations concerning the protection of individuals from improper processing of personal data.
Special laws with crucial provisions relating to the protection of personal data mainly include L. 3917/2011, concerning the retention of data produced or processed with regard to the disposal of electronic communications or public networks of communication services and the usage of surveillance systems with sound or image recording in public places; L. 4579/2018, concerning the obligations of airplane operators with regard to passenger files and data, which also transposed Directive (EU) 2016/680; and L. 3783/2009, concerning the identification of owners and users of mobile telephony equipment and services.
By Marios Bahas, Managing Partner, and Vassilis Keramaris, Senior Associate, Bahas, Gramatidis & Partners
This Article was originally published in Issue 8.6 of the CEE Legal Matters Magazine.