Data Privacy Comparative Guide

Published date: 03 November 2022
Subject Matter: Privacy, Data Protection, Privacy Protection
Law Firm: Skopa-Zanganas & Associates
Author: Mr Christos Zanganas

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Data privacy in Greece is mainly regulated by:

  • the EU General Data Protection Regulation (Regulation 2016/679);
  • Law 4624/2019, which sets out implementation measures on the GDPR and integrates EU Directive 2016/680 into Greek law; and
  • Law 3471/2006, which integrates EU Directive 2002/58/EC into Greek law.

The GDPR and Law 4624/2019 are supplemented by a web of other national laws that:

  • regulate specific sectoral data protection/privacy issues;
  • include specific provisions which require data controllers to process personal data in a specific way, enabling them to use the legal bases of Articles 6.1.c and/or 6.1.e of the GDPR; or
  • provide for specific additional technical/organisational measures which must be applied to specific types of personal data processing.

Additionally, while they constitute guidance instruments and do not directly have legally binding effects, the opinions and instructions of the Hellenic Data Protection Authority (HDPA) provide invaluable insight on how the legal framework will be enforced in specific situations. The following HDPA instructions bear increased significance in the implementation of privacy law in Greece:

  • Instruction 115/2001 on Data Protection in the Context of Employment;
  • Instruction 01/2011 on the Use of Closed-Circuit Television (CCTV) Systems;
  • Instruction 02/2011 on the Provision of Digital Consent for Data Processing through Cookies and Similar Technologies; and
  • Guidelines 02/2020 and 01/2021 on Data Protection in the Context of Remote Working.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Several special regimes apply in specific sectors. Perhaps the most influential of these regimes is Law 3471/2006, which:

  • introduces specific requirements and obligations for personal data processing in the telecommunications sector; and
  • specifies additional requirements for:
    • the legal processing of data through cookies and similar technologies; and
    • the processing of data for purposes of direct marketing communications through telephone, emails, and other digital means.

Additionally, in some cases, data processing rules in specific market sectors might be affected by sectoral codes of conduct which have been passed into law or special legal and regulatory regimes that apply to specific professions. Examples of specific sectors which are affected by such legislation include:

  • banking;
  • stock exchanges and brokers;
  • insurance; and
  • legal services.

Lastly, there are provisions in certain statutes which may provide for a special legal basis or additional data protection requirements for certain processing activities. For example, such provisions are included in:

  • Law 3850/2010 for the Protection of Employees' Health and Safety, which governs the competencies and obligations of occupational doctors;
  • Law 4727/2020 on Digital Governance, which also contains provisions on access to open data; and
  • Article 5 of the Code of Administrative Procedure (Law 2690/1999), which regulates access to public and private documents in the filing systems of Greek public bodies.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

Greece is a signatory to the Council of Europe's Convention 108+ for the protection of individuals with regard to the processing of personal data. Although most of the convention's provisions are already deeply embedded in EU and Greek law, the convention itself still stands as the only legally binding international convention on data protection.

The Greek data privacy regime is also affected by any bilateral agreements which have been signed between the European Union and third countries, whose execution might require the processing of personal data. Examples of such bilateral agreements include:

  • the passenger name record (PNR) bilateral agreements between the European Union and Australia, as well as between the European Union and the United States; and
  • the bilateral mutual legal assistance agreements which the European Union has concluded with the United States, Japan, Iceland and Norway.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The following bodies are responsible for the enforcement of data privacy legislation in Greece:

  • the HDPA;
  • the administrative courts;
  • the civil courts; and
  • the criminal courts.

The competences and powers of each body, in terms of enforcement, are as follows.

HDPA: The HDPA is tasked, among other things, with:

  • supervising and enforcing the application of national and EU personal data protection law in Greece;
  • promoting public awareness of personal data protection and privacy;
  • providing advice and guidance to Parliament and other public bodies about personal data protection;
  • conducting investigations into potential breaches of data protection law;
  • adopting and reviewing all relevant instruments which are provided for by the GDPR (standard contractual clauses, binding corporate rules, codes of conduct); and
  • handling data protection complaints filed by data subjects.

It possesses investigative, advisory and corrective powers. Its corrective powers include:

  • issuing a warning or reprimand;
  • ordering the data controller or processor to cease data processing within Greece; and
  • imposing a ban or a fine of up to €20 million or, in the case of an undertaking, 4% of the data controller's or processor's total worldwide annual turnover in the preceding financial year.

Administrative courts: The administrative courts are tasked with examining appeals against decisions of the HDPA.

Civil courts: The civil courts examine civil data protection lawsuits and claims, filed under Article 79 of the GDPR and Article 40 of Law 4624/2019.

Criminal courts: The criminal courts examine criminal data protection cases brought before them under Article 38 of Law 4624/2019.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Best practices, as outlined in question 1.1, play an important role in the day-to-day application of data protection and privacy laws in Greece. These best practices usually come in the form of:

  • instructions, guidance and opinions of the HDPA; and
  • guidelines of the European Data Protection Board.

The HDPA, to date, has not approved any additional tools provided by the GDPR, such as codes of conduct, certification schemes or binding corporate rules. However, several sectoral codes of conduct – such as the code of conduct for the insurance sector and the code of conduct for personal data processing by attorneys and law firms – are currently under review by the HDPA.

Industry standards play a limited role in data protection compliance in Greece – mainly due to:

  • confusion as to which specific standard would prove more effective in demonstrating a company's or organisation's compliance; and
  • the lack of sufficient case law on this issue to date.

However, many players in the market adhere to the ISO 27000 family of standards and the BS 10012 standard as proof of compliance with the GDPR obligation to establish technical measures for the protection of personal data.

Lastly, on the 20th of October 2022, the Europrivacy Certification was the first Privacy Seal to be recognised by the European Data Protection Board pursuant to Article 42.5 GDPR. It is still too early to assess the impact of this Certification in Greece, but it is highly probable that it will play an influential role in terms of compliance.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

Any private or public entity, company or organisation which processes personal data within Greek territory falls within the scope of the Greek data privacy/data protection framework. The material scope of the framework extends to:

  • the processing of personal data wholly or partly by automated means; and
  • the processing other than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

Since the term 'filing system' is interpreted extremely widely, most personal data processing activities in Greece fall within the scope of Greek data protection law.

Instances where the scope of the framework extends beyond the territory of Greece are discussed in question 2.3.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The following exemptions from the data protection/privacy regime apply in Greece.

Household exemption: Greek data protection law does not apply to the processing of personal data in the course of purely personal or household activities. However, both EU and Greek case law have adopted a narrow definition of 'personal and/or household activities'; as such, this exemption may only be relied on in specific instances. For example, sharing or resharing on social media a picture which was shot in a private setting – especially publicly, but in some cases even within a private group – does not always fall within the exemption.

Partial exemptions for processing for journalistic, academic or artistic purposes: Article 28 of Law 4624/2019 introduces a partial exemption from some provisions of the data protection regime for specific processing activities which take place for journalistic, academic or artistic purposes. The exemption spans the application of Chapters II, III, IV, V, VII, and IX of the General Data Protection Regulation (GDPR), except for Articles 5, 28, 29, and 32. This exemption is valid only to the extent that the processing of a data subject's personal data, and the violation of his or her corresponding rights to the protection of such data, is necessary to safeguard the rights of...
