Privacy Law at Greece
Privacy Law in Greece is governed by a robust legal framework that aligns with the European Union’s General Data Protection Regulation (GDPR) and is supported by national legislation. Greece takes data protection seriously, and the country has implemented both constitutional protections and detailed statutory regulations to safeguard personal data and privacy rights.
Here’s a comprehensive look at privacy and data protection law in Greece:
1. Constitutional Protections
The Constitution of Greece (1975, revised multiple times) provides a strong basis for privacy protection:
Article 9A explicitly recognizes the protection of personal data as a fundamental right, stating that everyone has the right to be protected from the collection, processing, and use of their personal data, especially by electronic means, without consent or lawful basis.
This article serves as a constitutional guarantee of privacy and data protection, placing an obligation on both public and private entities to respect individuals’ personal data.
2. General Data Protection Regulation (GDPR)
As an EU Member State, Greece fully implements and enforces the GDPR, which came into effect on May 25, 2018.
The GDPR is a comprehensive regulation that governs how organizations collect, process, store, and transfer personal data across the European Union.
Key rights and obligations under the GDPR in Greece:
Lawful Basis for Processing: Organizations must have a legal reason to process personal data (e.g., consent, contract, legal obligation).
Consent: Must be freely given, specific, informed, and unambiguous.
Data Subject Rights:
Right to access data
Right to rectification
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Data Breach Notification: Organizations must report serious data breaches to the regulator within 72 hours and inform affected individuals when necessary.
Data Protection by Design and Default: Systems and processes must be built with privacy in mind.
Cross-Border Data Transfers: Personal data transfers outside the EU must ensure adequate protection (e.g., SCCs, adequacy decisions).
3. National Law: Greek Data Protection Law (Law 4624/2019)
To supplement and implement the GDPR, Greece enacted Law 4624/2019, which provides additional national rules, especially in areas where the GDPR gives countries discretion.
Highlights of Law 4624/2019:
Public Sector Rules: Sets out specific provisions for how public authorities handle personal data.
Processing for Criminal Offenses: Implements rules under Directive (EU) 2016/680, which governs the processing of personal data in criminal matters by authorities.
Age of Consent for Children: Greece sets the minimum age for a child to consent to data processing in information society services (e.g., apps, websites) at 15 years old, higher than the GDPR minimum of 13.
Employee Data: Establishes guidelines for processing personal data in employment contexts, such as monitoring, background checks, and HR systems.
Fines and Enforcement: Aligns with GDPR's penalty structure — fines can reach up to €20 million or 4% of global annual turnover, whichever is higher.
4. Hellenic Data Protection Authority (HDPA / DPA)
The Hellenic Data Protection Authority (HDPA) is the independent supervisory authority responsible for monitoring and enforcing data protection laws in Greece.
Key roles and responsibilities:
Investigating complaints and conducting audits.
Issuing fines and corrective measures.
Providing guidance to organizations on GDPR compliance.
Raising public awareness about data protection rights.
The HDPA is considered one of the more active data protection authorities in the EU and has issued several notable decisions regarding:
Illegal surveillance and employee monitoring
Unlawful marketing and use of cookies
Non-compliant data transfers
Website: www.dpa.gr
5. Telecommunications and Online Privacy
Greece also implements the EU ePrivacy Directive, which governs:
Cookies and online tracking (requires user consent).
Electronic marketing (opt-in is required for most communications).
Confidentiality of electronic communications (e.g., SMS, phone, email).
The Hellenic Telecommunications and Post Commission (EETT) oversees some aspects of electronic communications privacy, especially related to telecom providers.
6. Surveillance, National Security, and Law Enforcement
Any state surveillance or interception of communications in Greece is subject to strict judicial control and oversight.
The Hellenic Authority for Communication Security and Privacy (ADAE) ensures that communications privacy is protected and that state agencies follow lawful procedures when intercepting or accessing private communications.
All surveillance activities must comply with:
The Constitution
The GDPR and Law 4624/2019
National security and public safety exceptions, which are interpreted narrowly and require judicial review.
7. Challenges and Recent Developments
Cookie Compliance: The HDPA has been strict about enforcing rules regarding the use of tracking technologies, especially non-compliant cookie banners.
Artificial Intelligence and Biometric Data: As Greece increases digital services and AI use in both the public and private sectors, concerns around facial recognition, biometric scanning, and automated decision-making are growing.
Cross-border Data Processing: With many companies in Greece using cloud and software services hosted abroad, ensuring GDPR-compliant international data transfers is a continuing issue.
8. Conclusion
Greece has a strong legal framework for privacy and data protection, firmly rooted in its Constitution and aligned with the EU’s GDPR. The Hellenic Data Protection Authority plays a proactive role in enforcement and public guidance, while Law 4624/2019 fills in the national-level details allowed under EU law.
As privacy challenges evolve—particularly around digital services, AI, and data transfers—Greece continues to refine its approach to ensure personal data is protected effectively in both public and private sectors.
RELATED Blog
0 comments