Data Protection in Greece
|Data Protection in Greece|
|Data Protection Authority:||HDPA (Greece)|
|National Implementation Law (Original):||Data Protection Act 2019|
|English Translation of National Implementation Law:||[n/a English Translation]|
|National Legislation Database(s):||Link|
|English Legislation Database(s):||n/a|
|National Decision Database(s):||n/a|
- 1 Legislation
- 1.1 History
- 1.2 National constitutional protections
- 1.3 National GDPR implementation law
- 1.4 National ePrivacy Law
- 2 Data Protection Authority
- 3 Judicial protection
Law 2472/1997 implemented the Directive 95/46/EC and was the first Greek law for the protection of individuals from the processing of personal data. By this law the Hellenic Data Protection Authority was established. From 29.8.2019 this Law was repealed by Law 4624/2019, which provides for the implementing measures of the GDPR and implements the Directive (EU) 2016/680.
National constitutional protections
The Constitution of Greece after its revision in 2001 introduced in Article 9A a Constitutional right to the protection of personal data.
National GDPR implementation law
In Greece the GDPR is implemented by the Law 4624/2019 which also contains provisions for the implementation of Directive (EU) 2016/680 and other provisions (Data Protection Act 2019Data Protection Act 2019). This law has been criticised as deviating from some of the provisions of the GDPR and, thus, creating legal uncertainties and inconsistencies which pose serious risks to people's rights and freedoms. The HDPA explicitly stated its concerns about its compatibility with the GDPR in its Opinion 1/2020.
Age of consent
Pursuant to Article 21(1) of the Data Protection Act 2019 the age of consent is 15.
Pursuant to Article 21(2), below that age processing of personal data is lawful upon consent of its legal representative.
Freedom of Expression and Information
Article 28 of the Data Protection Act 2019 sets exceptions to accommodate the right to the freedom of expression and information, including processing for journalistic purposes and purposes of academic, artistic or literary expression.
Article 27 of the Data Protection Act 2019 regulates the processing of personal data in employment context.
Pursuant to Article 27(1) processing of employees' personal data is allowed for purposes of the employment agreement and when this is strictly necessary for determining the conclusion of an employment agreement or for the execution of that agreement.
There are provisions about the validity of an employee's consent, the processing of sensitive personal data, the processing for the purposes of collective labour agreements and CCTV cameras in workplaces.
Article 27(8) clarifies that for the purposes of this law the term "employee" refers to people employed under any employment relationship or public work contract or service providing in public or private sector. The validity of the employment agreement and the status as job candidate or former employee are not decisive for the protection of the rights in this context
Archiving in public interest
Article 29 of the Data Protection Act 2019 establishes exceptions in Article 9(1) GDPR, Article 15 GDPR, Article 16 GDPR, Article 18(1)(a) GDPR, Article 18(1)(b) GDPR, Article 18(1)(d) GDPR, Article 20 GDPR and Article 21 GDPR for archiving purposes in public interest .
Article 30 of the Data Protection Act 2019 sets exceptions in Article 9(1) GDPR, Article 15 GDPR, Article 16 GDPR, Article 18 GDPR and Article 21 GDPR for scientific or historical research purposes or for the collection and maintenance of statistical data.
Other relevant national provisions and laws
1) L. 2472/1997 former law on the protection of personal data which has been repealed except for Articles 2, 3(2)(b), 13(3), 15(1), 18(2) and (3) and 21 which remain in force according to Article 84 L. 4624/2019;
2) L. 4579/2018 on the obligations of air operators regarding passengers' details;
3) L. 3783/2009 on the identification of owners and users of mobile phone equipment and services and other provisions;
4) L. 3917/2011 on the retention of data that is produced or processed based on the provision of publicly available electronic communication services or public communication networks, use of audio or video surveillance systems in public places and relevant provisions;
5) L. 4070/2012 on electronic communications, transport, public works and other provisions;
6) L. 3051/2002 on the constitutionally established independent authorities, amendment and completion of the hiring system in public sector and relevant arrangements;
7) L. 3144/2003, Art. 8 on the sanctions from the DPA for the protection of employees' personal data;
8) Regulations issued by the DPA No. 408/1998, 1/1999, 121/2001, 24/2004, 25/2004, 26/2004, Γ/ΕΞ/6220 - 13/7/2018;
10) Opinions issued by the DPA and
11) Joint regulations from the DPA alongside AADE (Independent Authority for Public Revenue) No. ΦΕΚ Β' 3433/31.12.2013.
National ePrivacy Law
ePrivacy Directive is implemented with L. 3471/2006. Relevant provisions can be found in L. 3431/2006, L. 3674/2008, L. 3783/2009, L. 3917/2011 and L. 4070/2012.
Data Protection Authority
The Hellenic Data Protection Authority (Αρχή προστασίας δεδομένων προσωπικού χαρακτήρα) is the national data protection authority for Greece. It is in charge of enforcing the GDPR in Greece, the Greek Data Protection Act 2019, the ePrivacy Directive implementation law and other provisions regarding the protection of personal data.
It was first established in 1997 and it resides in Athens, Greece. Its role as an independent guardian of the protection of personal data is constitutionally established in Article 9A.
→ Details see HDPA (Greece)
According to Article 40(1) of the Data Protection Act 2019, lawsuits against data controllers or processors for violations of the GDPR or this law shall be brought before the civil court of the district in which the data controller or processor has its establishment or in which the data subject usually resides.
When these lawsuits are brought against public authorities, when the latter exercise official authority, then the competent court is the administrative court of the district in which this authority is established.
According to Article 20 of the Data Protection Act 2019, all HDPA's decisions and acts shall be challenged by action of annulment before the Council of State (Συμβούλιο της Επικρατείας).
The competent Minister is also entitled to file such an annulment against HDPA's decisions and acts.
According to Article 93(4) of the Constitution, any court in Greece may refuse to enforce a law if it finds it unconstitutional. This declaration of unconstitutionality of the law is effective only in the case at stake.
In case two of the three Supreme Courts of Greece (Συμβούλιο της Επικρατείας, Άρειος Πάγος, Ελεγκτικό Συνέδριο) issue contradictory judgements on the constitutionality of a particular law, the Supreme Special Court (Ανώτατο Ειδικό Δικαστήριο) shall be convened to deliver a final judgement on the matter.