This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that may apply in Greece.
This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws)?
The legal framework governing privacy in Greece is as follows:
- Article 9A of the Constitution which is the first constitutional text recognizing explicitly the right of individuals to the protection of their personal data and providing explicitly for the function of an independent authority entrusted with an audit role,
- The General Data Protection Regulation 2016/679 (hereinafter, “GDPR”),
- Law No 2472/1997 on the protection of individuals with regard to the processing of personal data, which implemented into the Greek legal order Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter, “Directive 95/46/EC”). The Hellenic Data Protection Authority (hereinafter, “HDPA”) is appointed as enforcer of the relevant provisions and supervisor of their implementation.
- Law No 3471/2006 on the protection of personal data and privacy in electronic communications, amending Law No 2472/1997 and implementing Directive 2002/58/EC on privacy and electronic communications (hereinafter, “Directive 2002/58/EC”), while certain of its provisions assign competence to the Hellenic Authority for Communication Security and Privacy (ADAE).
Given that to date there is no national law implementing those provisions of the GDPR that require national implementation (only a relevant draft law exists), the GDPR constitutes, at both European and national level, the fundamental and most modern piece of legislation for data protection in Greece. However, the provisions of Law No 2472/1997 remain valid at national level, as long as they are not contrary to the GDPR. Law 3471/2006 also remains valid and applies as lex specialis in relation to the GDPR on certain matters.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
Following the application of the GDPR, certain obligations under the previous Law 2472/1997 were abolished. For instance, under the previous legal framework, there was an obligation to notify the HDPA of the establishment and operation of a non-sensitive personal data file and of the performance of such processing. Moreover, article 7 of Law 2472/1997 provided for a licensing procedure for the processing of sensitive personal data.
In addition, according to the decision No 46/2018 of the HDPA «the provisions of Article 7 of Law 2472/1997, insofar as they provide for an authorization of the (Hellenic) Data Protection Authority, are no longer applicable from 25.05.2018 onwards as contrary to the GDPR, which is directly applicable, given that the categories of data, referred to in this Article of the national law, do not coincide with those referred to in Article 9 (4) of the GDPR. Therefore, the Authority is no longer competent to issue authorizations for the processing and for the establishment and operation of a file based on Article 7 of Law 2472/1997».
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
According to article 4 of the GDPR, as well as article 3 par. 1 (a) of the Greek draft law, personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Furthermore, according to article 9 par. 1 of the GDPR, as well as article 3 par. 1 (ja) of the Greek draft law, special categories of personal data (‘sensitive’ personal data) refer to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
Finally, article 3 par. 1 of the Greek draft law includes definitions of genetic data (par. jb), biometric data (par. jc) and health data (par. jd).
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail.
Principles relating to processing of personal data are provided in article 5 of the GDPR and concern:
- lawfulness, fairness and transparency,
- purpose limitation,
- data minimization,
- storage limitation, and
- integrity and confidentiality.
Another principle which should be also mentioned concerns accountability, which refers to the explicit liability of the controller to demonstrate compliance with all the aforementioned principles.
In order to comply with the principle of lawfulness, processing activities must be based on one of the legal bases under article 6 of the GDPR (personal data in general) or article 9 of the GDPR (special categories of personal data).
Moreover, the HDPA adopted, before the entry into force of the GDPR, certain regulatory acts, directives, opinions and decisions in order to regulate specific personal data processing across various business sectors. The directives and opinions serve as interpretational guidance of the existing legal framework, further specifying certain provisions. The most important among these are the following:
- Regulatory Act No 1/1999 on the obligation of the controllers to inform the data subjects,
- Directive No 115/2001 on the processing of personal data of employees,
- Directive No 1/2005 on the safe destruction of personal data,
- Directive No 1/2011 on the use of CCTV systems for the protection of persons and goods,
- Directive No 2/2011 on electronic consent,
- Opinion No 6/2013 on the access of third parties to public documents containing personal data,
- Opinion No 1/2016 on the terms and conditions of ‘opt-out’ of unwanted communication for direct marketing or for other advertising purposes.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
According to the GDPR, consent is required in the following cases:
A) When there is processing of special categories of personal data. In such a case, consent is used as one of the legal bases that justifies the processing of the aforementioned categories of personal data.
B) When there is transfer of personal data to a non-EU country for which there is no adequacy decision under article 45 (3) or appropriate safeguards under article 46, including Binding Corporate Rules (hereinafter, “BCRs”). In such a case, consent is used as one of the appropriate legal bases of data transfer.
Moreover, an indicative example where consent is required is Law 3471/2006, which prohibits unwanted communication with the data subject by electronic means, without human intervention, for purposes of direct marketing of products or services or for any other advertising purposes, unless the data subject has given his/her consent to that effect.
Another indicative example where consent is required is that of potential borrowers, who have to give their consent to the bank in order for the latter to have access to the “white list” of the Tiresias data system (covering loans, credit cards, etc.).
Consent can be provided in a hard copy or electronic version.
With regard to the content of the consent and the minimum requirements that must be met in order for it to be “informed”, Working Party 29 (hereinafter, “WP 29”) takes the view that it is necessary to inform the data subject about certain elements that are crucial to making a choice. Therefore, the minimum information required for obtaining a valid consent is the following:
(i) the controller’s identity,
(ii) the purpose of each of the processing operations for which consent is sought,
(iii) what (type of) data will be collected and used,
(iv) the existence of the right to withdraw consent,
(v) information about the use of the data for automated decision-making in accordance with article 22 (2)(c) where relevant, and
(vi) the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards as described in article 46.
Regarding other information about the processing of personal data, reference can be made to the data controller’s Privacy Notice.
Finally, the data controller shall record, in a secure manner, the information necessary to demonstrate the consent of the data subject. At the same time, in case of electronic consent for sending emails, the controller shall follow specific procedures to confirm the subject's consent, such as the consent procedure with additional information and the double opt-in, as detailed below.
Furthermore, the right of a data subject to opt out of unsolicited calls with human intervention is safeguarded, provided that the subscriber has notified the respective provider of his intention not to receive such calls. If no such notification has been made, providers can make unsolicited calls with human intervention; however, the right to object can always be exercised during any received call.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Article 9 par. 1 of the GDPR introduces a general prohibition on the processing of special categories of personal data. However, par. 2 of the above article provides for the specific requirements that must be met in order for the processing to be lawful. The following are all legal bases which can justify processing of special categories of personal data:
- explicit consent by the data subject,
- carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law,
- protecting the vital interests of the data subject or of another natural person,
- processing which is necessary in the course of legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body,
- processing relating to personal data which are manifestly made public by the data subject,
- the establishment, exercise or defence of legal claims,
- substantial public interest,
- the provision of health or social care or treatment,
- public interest in the area of public health,
- archiving in the public interest, scientific or historical research purposes or statistical purposes.
Moreover, article 9 par. 4 of the GDPR provides for the possibility of Member States to maintain or introduce further conditions, including limitations, with regards to the processing of genetic data, biometric data or data concerning health.
Pursuant to the aforementioned possibility provided by the GDPR, article 7 of the Greek draft law introduces a general prohibition on the processing of genetic data as well as on genetic testing for health and life insurance purposes. Furthermore, it is not allowed to process personal data arising from genetic tests involving family members of the data subject.
How do the laws in your jurisdiction address children’s PII?
Law 2472/1997 on data processing does not explicitly address children’s data protection.
With regard to the conditions applying to a child’s consent in relation to information society services, the threshold of sixteen (16) years introduced by the GDPR is in force in Greece. More specifically, the consent of a child above sixteen (16) is deemed valid, whereas below sixteen (16) years of age such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child. It should be highlighted that the Greek draft law (which, once finalized and published, will repeal and replace the existing national framework) in its publicly available version lowers the age of valid digital consent to fifteen (15) years. According to the GDPR, Member States may provide by law for a lower age for those purposes, provided that such lower age is not below thirteen (13) years.
Moreover, the HDPA, in line with the interpretation provided so far by WP 29 and as also approved by the European Data Protection Board, further underlines that in cases of a child’s consent the language addressed to data subjects should be simple, explicit and understandable. Furthermore, in light of the GDPR’s Preamble and the Guidelines, automated decision-making, including profiling, having legal effects on children or significantly affecting them is prohibited, although certain exceptions are allowed when appropriate safeguards have been put in place. Additionally, children’s vulnerability should not be taken advantage of, and children should always benefit from the absolute right to object to profiling for purposes of commercial promotion.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Most companies/organizations are required to keep a record of processing activities, which is a requirement under article 30 of the GDPR and is used as an accountability tool. The record of processing activities is also a useful tool for properly recording and organizing the company's processing activities.
Both the data controller and the data processor are required to maintain a record of processing activities, with different content for each. The mandatory elements are described in detail in article 30 par. 1 of the GDPR as regards controllers and in article 30 par. 2 as regards processors.
In addition to the aforementioned elements, additional information which is considered by the controller or processor as appropriate to facilitate their compliance may be included in the record of processing activities.
Any controller or processor may choose how to maintain the record of processing activities, provided that the obligation under article 30 of the GDPR is satisfied.
Furthermore, additional documentation, such as a Data Retention Policy or a Policy and Procedure on Personal Data Breach Notification, is necessary for businesses’ compliance with the GDPR.
Maintaining the record of processing activities is not easy. Depending on the nature and the area of activity of a company, an internal project should be initiated to detect and record all data flows, namely the sources of data collection, data transfer channels, recipients of personal data, etc. Next, a legal audit of the flows should take place and the legal bases should be identified in order to be added to the record of processing activities.
Finally, the HDPA provides indicative examples of a record of processing activities in Excel format in order to assist small and medium-sized enterprises in their compliance with the GDPR.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
Article 36 of the GDPR refers to the controller’s obligation to consult the supervisory authority. More precisely, article 36 par. 1 provides that the controller shall consult the supervisory authority prior to processing where a data protection impact assessment (hereinafter, “DPIA”) indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Article 13 par. 1 of the draft law provides for an explicit obligation to consult the supervisory authority about any provision to be included in a law or a delegated act which concerns the processing of personal data.
Paragraph 2 of the aforementioned article refers to specific examples where consultation of the supervisory authority is obligatory. Such examples include:
- the introduction and processing of a national identity number or of another identifier of general application, or a change in the terms and conditions of such processing and use of the above and of the personal data related to it,
- the systematic processing on a large scale of personal data concerning health and public health in the public interest,
- the systematic processing on a large scale of personal data concerning health for the purposes of managing health or social care systems and services,
- the systematic processing on a large scale of genetic or biometric personal data,
- the systematic processing on a large scale of personal data for the purpose of introducing, organizing, providing and controlling e-government services, and
- the systematic processing on a large scale of personal data concerning the financial situation, behaviour and creditworthiness of natural persons.
In addition to the above, obligatory consultation of the supervisory authority may arise under article 31 of the GDPR, as well as in the case of a personal data breach under article 33 par. 3 (b) of the GDPR.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
Article 35 par. 1 of the GDPR provides for the controller’s obligation to conduct a DPIA prior to processing where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
Article 35 par. 3 of the GDPR indicates certain types of processing which shall be regarded as “resulting in high risk”.
The HDPA, in the exercise of its competences and pursuant to the relevant provisions, issued its Decision No 65/2018 by which it drew up and published a list of the types of processing which are subject to the requirement for a DPIA. It is noted, however, that the above list is not exhaustive and therefore, in case the requirements of article 35 par. 1 of the GDPR are met, the controller must conduct a DPIA and comply with all obligations arising from the GDPR. This list further supplements and specifies the respective Guidelines issued on DPIAs.
With regards to the method of conducting a DPIA, the GDPR provides certain flexibility in defining its exact structure and form, as it is not specified by detailed provisions. The same logic has been followed by the Greek draft law. Nevertheless, article 35 par. 7 of the GDPR provides that the assessment shall contain at least a systematic description of the envisaged processing operations and the purposes of the processing, an assessment of necessity and proportionality of the processing operations, an assessment of the risks to the rights and freedoms of data subjects, as well as the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
Although Directive 95/46/EC (article 18) included a reference to the Data Protection Officer (hereinafter, “DPO”), Law 2472/1997 implementing the Directive did not include relevant provisions. However, in the Greek draft law following the GDPR, the appointment of a DPO is further clarified to some extent, in addition to the general criteria introduced by the GDPR. The provisions of the Greek draft law (article 14) invoke the national list of processing activities involving regular and systematic monitoring of data subjects on a large scale, as issued by the HDPA, in order to establish the obligation to appoint a DPO for entities conducting such processing.
However, to date the HDPA has not specified “large scale” in terms of numerical thresholds. The formality of a DPO’s appointment before the HDPA is satisfied by the electronic submission of a specific form provided by the HDPA for this purpose.
Moreover, the HDPA, in light of the GDPR, has repeated that the role of a DPO is advisory rather than decision-making and that the DPO does not bear personal liability for non-compliance with the requirements of the GDPR. The appointment is concluded in writing, and the relevant tasks and role should be framed in accordance with the GDPR’s relevant provisions. Among the DPO’s tasks the HDPA has identified raising awareness and a data protection culture within the entity concerned, and informing and advising the entity on its obligations arising from the legal framework. The DPO should also monitor internal compliance, undertake personnel training, conduct internal audits, advise on DPIAs and follow up their implementation. Furthermore, the DPO should serve as the contact person for both supervisory authorities and data subjects and should cooperate with the supervisory authority.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Law 2472/1997 explicitly provides for the data subjects’ right to information (article 11). According to this framework, the data controller should inform the data subjects already upon collection of their data, in a clear and appropriate way, of at least its identity or its representative’s identity, the purpose of processing, the recipients or the categories of recipients, and the existence of the right of access and other rights available, i.e. objection and judicial protection. The Greek draft law (article 31) under the GDPR includes more details and further differentiates the level of information depending on whether the data are collected from the data subject itself, without, however, specifying the manner of provision, i.e. whether through the website.
Under the GDPR, the obligation to inform the data subjects is subject to stricter fairness and transparency requirements as part of the accountability principle applying to data controllers. The HDPA has already conducted ex officio investigations into the compliance of data controllers with the requirements of the GDPR and of data protection in electronic communications. Within this context the HDPA checked the information provided to data subjects on websites through the relevant privacy notice sections, as to their content, in accordance with articles 13 and 14 of the GDPR. It has therefore made clear in practice that websites are subject to compliance with the information obligation towards the data subjects.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
It is clear from the wording of article 3 paras 1 and 2 of the GDPR that the latter applies directly to both the data controller and the data processor.
Moreover, at national level, article 3 par. 3 of Law 2472/1997, as well as article 1 par. 8 of the Greek draft law, provide for the direct applicability of their provisions to both the data controller and the data processor.
However, there are both national and GDPR provisions that, taking into consideration the nature and scope of each role, distribute specific responsibilities and distinct obligations upon the data controller and the data processor.
In addition, in accordance with article 28 of the GDPR, a contractual relationship between the controller and the processor, the exact content of which is specified in that article, is required; its required content is described under the next question.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
Law 2472/1997 (article 10) provides that when data processing is conducted on behalf of the data controller by an entity not dependent on the latter, the respective assignment must be made in writing. This assignment safeguards that the data processor proceeds only upon the relevant orders of the data controller and that similar obligations on confidentiality and security of data processing apply to the processor. The Greek draft law (article 38) further provides, in light of the GDPR, specific requirements that should be fulfilled in order to engage data processors in processing activities.
In Greece, the respective requirements in cases of processing carried out on behalf of the data controller are specified under the GDPR. The data processor should guarantee:
- the implementation of appropriate technical and organizational measures,
- the confidentiality obligation of the persons authorized to process the data,
- assistance in the exercise of rights by the data subjects,
- provisions on deletion or return of personal data following termination of service provision,
- making available to the controller all information necessary to demonstrate compliance,
- prior general or specific authorization for the further engagement of sub-processors, and
- performance only upon the relevant orders and instructions of the data controller.
Furthermore, assistance to the controller is also foreseen with respect to the obligations relating to data breach incidents and DPIAs. The respective assignment is concluded in writing and should specify the scope, duration, nature and purpose of processing, the type of data, the categories of data subjects, and the relevant obligations and rights of the contracting parties.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
Transfers to third countries can take place if there is a Commission Adequacy Decision or other appropriate safeguards such as BCRs, standard contractual clauses duly adopted and approved, legally binding and enforceable instruments between authorities or bodies, approved codes of conduct or certification mechanisms. In the absence of an adequacy decision or of appropriate safeguards, the following derogations can be used to frame the data transfers:
- consent of the data subject,
- performance of a contract, with further nuances in this respect,
- the transfer is necessary for important reasons of public interest,
- the transfer is necessary for the establishment, exercise or defence of legal claims,
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent,
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
As an exception to the previously mentioned derogations, compelling legitimate interests are also foreseen in cases where the transfer is not repetitive and concerns a limited number of data subjects.
Under the GDPR, the HDPA has clarified that the issuance of a national license is not required when transfers are governed by Commission Adequacy Decisions or by the appropriate safeguards mentioned above, unless they are ad hoc contractual clauses between data importers and data exporters, or they concern administrative arrangements between public authorities that include enforceable and substantial rights of the data subjects, such as a Memorandum of Understanding. In the latter case a license is required, since administrative arrangements of this kind are not legally binding. For BCRs, since they are now approved under the cooperation mechanism at European level in accordance with the GDPR provisions, a national license is not required.
Furthermore, the HDPA has specified that the derogations stipulated in the GDPR as a tool to govern international transfers should be interpreted strictly, without any requirement to issue a license in this respect. However, if the transfer is based on the compelling legitimate interests of the data controller, provided that all the conditions foreseen in this respect are fulfilled, the HDPA should be informed of the transfer and additional information should be provided to the data subject. The HDPA has also specified that any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer.
Under the previous regime, transfers based on a Commission Adequacy Decision or Standard Contractual Clauses had to be notified to the HDPA, and for BCRs a national license had to be issued. In legal practice, the most common tool for addressing intragroup data transfers across the world is BCRs. Where transfers take place on a more limited scale, standard contractual clauses are also used in their current form, without prejudice to any future update they may be subject to.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
The HDPA refers to the provisions of the GDPR on the obligations of the controller and the processor regarding security of processing. These obligations are explicitly defined in article 32 of the GDPR. In addition, article 24 of the GDPR provides for the overall responsibility of the controller to identify and implement appropriate technical and organizational measures. The objective of the security measures is to maintain confidentiality, integrity and availability of personal data.
The GDPR suggests "appropriate" technical and organizational security measures such as the pseudonymization and encryption of personal data, adherence to an approved code of conduct or an approved certification mechanism to demonstrate compliance, procedures on how to handle data breach cases, etc.
Security measures can be documented in individual procedures or in more general security policies. The choice of appropriate security measures shall be made taking into consideration the latest developments, the cost of implementation, the processing features, the scope and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.
With regard to the individual security measures and the security policies and procedures that an organization must follow, it should be noted that the HDPA, in an earlier informational text, suggests a code of conduct, a security policy, a security plan and/or a disaster recovery plan. Finally, the ex officio investigations conducted by the HDPA into the security measures of various websites cover, among other things, the HTTPS configuration, the validity of digital certificates and the password security criteria.
Does your jurisdiction impose requirements of data protection by design or default?
Regarding the protection of personal data by design and by default, the HDPA refers to article 25 of the GDPR in conjunction with Recital 78 of the GDPR’s Preamble.
According to the data protection by design principle, both when determining the means of processing and at the time of the processing itself, the data controller shall introduce and implement appropriate measures and use technology designed to implement data protection principles. Such measures include pseudonymization of personal data, which should take place as early as possible (namely the replacement of identifying data with artificial identifiers), encryption (so that only authorized persons can read the personal data), minimization of data processing and the introduction of the necessary safeguards, in such a manner that the requirements of the GDPR are met and the rights of the data subjects are protected.
Moreover, according to the data protection by default principle, the data controller shall implement appropriate technical and organizational measures to ensure that, by default, privacy is preserved and only the personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Such measures shall ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual's intervention.
In addition, the HDPA mentions two examples of measures designed to implement the data protection by design and by default principles. In particular:
a) A social networking platform should be encouraged to define user profile settings so as to protect privacy as much as possible. Such protection is ensured when the user profile is, by default, not accessible to an indefinite number of people; and
b) The need for transparency with regard to the functions and the processing of personal data, so that the data subject can monitor the processing and the controller can create and improve security features.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The HDPA, when it comes to personal data breach incidents, refers to the provisions of the GDPR and to articles 33 and 34 of the GDPR regarding the obligation to notify the breach to the supervisory authority and to communicate the breach to the data subject.
A personal data breach is defined by the GDPR as follows: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Law 2472/1997 does not include any provision concerning personal data breach incidents. The only exception is Law 3471/2006, which provides for a special data breach notification procedure to the HDPA and the Hellenic Authority for Communication Security and Privacy (ADAE), to be followed by providers of publicly available electronic communications services.
According to Law 3471/2006 a personal data breach is a breach of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed in relation to the provision of publicly available electronic communications services.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
The HDPA, when it comes to a personal data breach, refers to the provisions of the GDPR and in particular, to articles 33 and 34 of the GDPR regarding the obligation of the controller to notify the breach to the supervisory authority and to communicate the breach to the data subject.
According to article 33 of the GDPR, in the case of a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons, data controllers shall notify the breach to the supervisory authority without delay.
Moreover, according to article 34 of the GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. This communication to the data subject is independent of the aforementioned notification of the breach to the supervisory authority (which shall take place even when the risk cannot be considered "high"). The communication to the data subject shall take place, as far as possible, in an appropriate and effective way, in the form of personalized information rather than a general communication.
It should be noted that in any case, the supervisory authority can order the controller to communicate a personal data breach to the data subject (article 58 par 2 (e) of the GDPR).
Finally, any company can download the official notification form from the website of the HDPA, which shall be completed and sent to it in the case of a personal data breach.
Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
Law 2472/1997 provides the right to be informed, the right of access (article 12), the right to object (article 13) and the right to judicial protection (article 14). All rights mentioned above are enhanced and further supplemented by the GDPR provisions calling for more fairness and transparency. The rights briefly described are as follows:
- Right to information: right to precise information about data processing;
- Right of access: confirmation about processing of personal data and access to specific relevant information;
- Right to rectification: rectification of inaccurate data and completion of incomplete data;
- Right to erasure: erasure of data which is no longer necessary under certain circumstances;
- Right to restriction of processing: when data accuracy is challenged, processing is unlawful, data is no longer necessary or when the data subject objects to processing;
- Right to data portability: the data subjects can request under certain conditions to either receive in a specific format the data belonging to them or to directly transfer it to another data controller;
- Right to object: the data subject can object to processing when this relies upon the legitimate interests of the data controller or public interest;
- Right to human intervention: where exclusively automated processing takes place, including profiling, the data subject may express their point of view and contest the decision taken on the basis of this processing.
The deadline provided under the GDPR for replying to such requests is one month from the submission of the request, which can be further extended for two more months, where necessary, considering the complexity and number of the requests. All information and communications made to this purpose by data controllers shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.
The right to be informed, the right of access and the right to object are also provided in the HDPA's Directive on the use of CCTV (Directive 1/2011) for the protection of persons and goods, with respect to personal data collected by CCTV systems. The time limit for satisfying the right of access in this case, both under the HDPA's Directive and under the Greek draft law, is fifteen (15) days. The HDPA has further specified how the right to be informed can be satisfied through appropriate signs, and has also underlined that when, for instance, a copy of the footage is provided to data subjects exercising their right of access, third parties should be covered, e.g. by partially blurring the image, where their right to privacy would otherwise be violated.
Moreover, rights arise from Law 3471/2006, such as the right of data subjects to be informed with respect to call recording, and the right of data subjects to be informed about the processing of location and traffic data on the basis of consent. Furthermore, data subjects have the right to object to the inclusion of their personal details in a printed or electronic public directory, as well as rights relating to calling line identification and its possible restriction. Data subjects also have the right not to receive itemised bills and the right to stop automatic call forwarding by third parties to their terminal, while specific provisions apply with respect to cookies.
Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
Data subjects are entitled to exercise their rights before the data controllers, and they are also entitled to lodge complaints with the HDPA in case a violation takes place. This can further trigger the investigative powers of the Authority (which also acts ex officio) and can consequently lead to the imposition of fines on data controllers or their representatives, along with further administrative sanctions. Violation of the respective obligations arising from the existing framework may also entail criminal sanctions.
Moreover, according to article 14 of Law 2472/1997, data subjects are entitled to file before the competent Court a request for the immediate suspension or non-execution of an act or decision affecting the data subject on the basis of exclusively automated processing, provided that this processing aims at assessing the personality of the data subject, or their performance at work, financial credibility and behavior in general. It is worth mentioning that such a request can be granted even if the other substantive conditions for temporary judicial protection are not fulfilled. Additionally, article 23 of Law 2472/1997, as currently in force, stipulates that any natural or legal person of private law causing financial damage is obliged to pay full compensation. If the data subject suffers injury of feelings, an obligation to compensate for injury of feelings also arises. Compensation for injury of feelings is awarded to data subjects irrespective of any financial damage claimed.
Furthermore, according to Law 3471/2006, data subjects whose rights are violated may ask for compensation for any financial damage caused to them. If injury of feelings takes place, an obligation for compensation for injury of feelings also arises. According to article 14 of Law 3471/2006 and similarly to Law 2472/1997, compensation for injury of feelings is awarded irrespectively of any potential financial damage requested.
This establishes a presumption of civil liability of the data controller when a violation of the legal framework takes place, further leading to compensation of data subjects for injury of feelings. This was very recently confirmed in Case 415/2019 of the District Court of Athens, issued after the GDPR became applicable (although it relates to an unsolicited call made before that date), where the Court held that the obligation to compensate for injury of feelings is sufficiently triggered by the violation of the legal provisions on data protection in electronic communications, since such an act directly undermines the right to privacy and the protection of the data subject's personality.
The same rationale has been echoed in recent judgments of the Greek Supreme Court (C. 252/2018 and C. 1079/2018), which confirmed that the violation of Law 2472/1997 itself suffices for compensation for injury of feelings, and that it is not necessary to prove further harm caused by the unlawful processing, whether to income or to other aspects of personality qualifying for legal protection, such as the honor and reputation of the individual. This reasoning accepts that once the unlawful activity against the provisions of the existing national legal framework is proved, along with the respective fault of the data controllers for violating Law 2472/1997, the adverse effects on personality rights, including informational self-determination and the right to privacy, are established.
It should be noted that, in accordance with article 23 of Law 2472/1997, the amount of 6,000 euros is set as the minimum compensation for injury of feelings, unless the applicant requested a lower amount or the violation was the result of negligence. Correspondingly, for violations of Law 3471/2006 the amount of 10,000 euros is set as the minimum compensation for injury of feelings, unless the applicant requested a lower amount. However, both provisions have been challenged as unconstitutional, on the basis that they do not take the proportionality principle into account when fixing the minimum amount of compensation to be awarded to data subjects for injury of feelings.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
According to Law 2472/1997 and article 57 of the GDPR, as well as article 62 of the Greek draft law, the HDPA is entrusted with supervisory and sanctioning powers related to the application of the rules on the protection of personal data.
With regard to the extent of the administrative fines that may be imposed, the determination of which depends on the nature and specific circumstances of each infringement, the GDPR provides for fines of up to EUR 20,000,000 or, in the case of undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. The orders of the regulators are subject to appeal before the competent administrative Courts.
Furthermore, with regards to the criminal sanctions provided for in article 22 of Law 2472/1997, these vary in terms of severity depending on the specific circumstances of each offense. Article 23 of the same law provides for civil liability as explained above.
In addition, article 78 of the GDPR and article 66 of the Greek draft law explicitly provide for the possibility of a natural or legal person to lodge a judicial remedy against a legally binding decision of a supervising authority concerning them.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
In addition to the derogations, exclusions or limitations described above there are also general limitations of the material scope of the GDPR. In particular, the GDPR does not apply to the processing of personal data:
a) in the course of an activity which falls outside the scope of Union law,
b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU,
c) by a natural person in the course of a purely personal or household activity,
d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Finally, the GDPR does not apply to anonymous data. More precisely, information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or is no longer identifiable, is not subject to the GDPR provisions. This exception does not cover pseudonymous data, which remain subject to EU data protection law.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
In addition to the GDPR provisions on monitoring and profiling, at national level the HDPA regulates and further interprets specific aspects of these matters through its Directives, such as Directive 115/2001, which addresses monitoring at the workplace, and Directive 1/2011 on CCTV monitoring. Moreover, with regard to the use of tracking technologies such as GPS, the HDPA has defined through a set of decisions the framework for the operation and use of GPS by data controllers, while with regard to cookies the provisions of Law 3471/2006 remain in force.
Article 4 par. 5 of Law 3471/2006 stipulates that installation of cookies is only allowed if the subscriber or user "has given his/her consent after having been clearly and extensively informed in accordance with paragraph 1 of article 11 of Law 2472/1997, as in force".
Therefore, according to the above, the provider of an online service (for example an e-shop) or a third party (for example, an advertising site which promotes products through a website of an e-shop) may install cookies only if the subscriber or user has given his/her consent to this after having been duly informed (with the exception of the technically necessary cookies).
Please describe any laws addressing email communication or direct marketing?
Marketing purposes justify the processing of personal data, in principle, on the basis of the data subject's consent. According to Law 3471/2006, as further explained in Directive 2/2011 of the HDPA, and by way of derogation, e-mail details lawfully obtained in the context of a sale of products or services or any other transaction may be used for direct marketing of similar products or services of the same supplier, or for similar purposes, even where the recipient has not previously given consent, on condition that the recipient is given, in an explicit and distinct way, the possibility to opt out easily and free of charge from the collection and use of their details, both at the time the data are collected and in every subsequent message, and provided that the user did not object to such use from the outset.
Directive 2/2011 of the HDPA further explains and clarifies how consent given by electronic means in this context fulfills the conditions for validity. Among other things, it gives examples as guidance on consent to receiving e-mails over the internet. Data controllers should confirm that the user actually has access to the e-mail address submitted, for instance through an initial informative e-mail to that address containing information such as the purpose, the origin of the message and all other relevant details. Another option is double opt-in, which is recommended where the consent given also covers the receipt of further services by the user, such as registration on a website with a username and password. In this scenario, the initial confirmation e-mail should include details such as the identity and origin of the sender, and consent is activated, for instance, by an e-mail to a specific address of the data controller or by visiting a dedicated URL. The validity of the consent depends on its activation by the user. Withdrawal of consent should be possible, and in that case a new confirmation of the user's access to the e-mail address is not required. Consent should be recorded securely for evidentiary purposes, and withdrawal of consent should always be available, either via e-mail or via a hyperlink.
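The double opt-in flow sketched above is easy to get subtly wrong in practice (consent counted before activation, activation links that never expire or can be replayed, no evidence trail, no recorded withdrawal). The following is an added illustration written for this page, not the HDPA's guidance text or any vendor's code. It assumes a hypothetical confirmation endpoint (`CONFIRM_URL`) and an in-memory store; in a real deployment the register would be a database table and the e-mail would be sent by the controller's mail system. The activation token is never stored in clear; only a keyed hash is kept, so a copy of the register alone cannot be used to activate a consent.

```python
"""Double opt-in consent register (illustrative example, not the HDPA's or a vendor's code).

Models the steps described in Directive 2/2011 as summarised above:
  1. the controller sends a confirmation e-mail (identity and origin of the
     sender, purpose) to the submitted address, carrying an activation URL;
  2. consent is valid only once the user activates it within a time limit;
  3. every step is recorded as evidence;
  4. withdrawal is always possible and is recorded, with no new confirmation.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CONFIRM_URL = "https://example.invalid/consent/confirm"  # hypothetical activation endpoint


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    requested_at: float
    token_hash: str                      # keyed hash of the activation token, never the token itself
    activated_at: Optional[float] = None
    withdrawn_at: Optional[float] = None
    events: List[Tuple[str, float, dict]] = field(default_factory=list)  # evidence trail

    @property
    def is_valid(self) -> bool:
        """Consent counts only after activation and before withdrawal."""
        return self.activated_at is not None and self.withdrawn_at is None


class ConsentRegister:
    def __init__(self, sender_identity: str, secret: bytes,
                 token_ttl: float = 48 * 3600, clock=time.time):
        self.sender_identity = sender_identity   # shown in the confirmation e-mail
        self._secret = secret                    # key for hashing tokens at rest
        self.token_ttl = token_ttl               # activation window in seconds
        self._clock = clock                      # injectable for testing
        self._records: Dict[str, ConsentRecord] = {}

    def _hash(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str) -> str:
        """Step 1: record the request and return the activation URL to put in the confirmation e-mail."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email=email.lower(), purpose=purpose,
                            requested_at=now, token_hash=self._hash(token))
        rec.events.append(("confirmation_sent", now,
                           {"sender": self.sender_identity, "purpose": purpose}))
        self._records[rec.email] = rec
        return f"{CONFIRM_URL}?token={token}"

    def activate(self, email: str, token: str) -> bool:
        """Step 2: the user follows the URL; reject unknown, expired, replayed or forged tokens."""
        rec = self._records.get(email.lower())
        now = self._clock()
        if rec is None or rec.activated_at is not None:
            return False
        if now - rec.requested_at > self.token_ttl:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.activated_at = now
        rec.events.append(("activated", now, {}))
        return True

    def withdraw(self, email: str) -> bool:
        """Step 4: withdrawal needs no re-confirmation of the address, only a recorded event."""
        rec = self._records.get(email.lower())
        if rec is None or rec.withdrawn_at is not None:
            return False
        now = self._clock()
        rec.withdrawn_at = now
        rec.events.append(("withdrawn", now, {}))
        return True

    def may_send(self, email: str) -> bool:
        """Gate every marketing send on a currently valid consent."""
        rec = self._records.get(email.lower())
        return rec is not None and rec.is_valid

    def evidence(self, email: str) -> List[Tuple[str, float, dict]]:
        """Step 3: the recorded trail a controller would produce on request."""
        rec = self._records.get(email.lower())
        return list(rec.events) if rec else []


if __name__ == "__main__":
    reg = ConsentRegister("Example Shop <news@example.invalid>", secrets.token_bytes(32))
    url = reg.request("user@example.invalid", "newsletter")      # constructed sample address
    print("may send before activation:", reg.may_send("user@example.invalid"))
    print("activated:", reg.activate("user@example.invalid", url.split("token=")[1]))
    print("may send after activation:", reg.may_send("user@example.invalid"))
```

The `may_send` check is the point of the exercise: sending code should consult the register rather than a flag set at form submission, so that an unactivated or withdrawn consent can never be used as a legal basis, and the `evidence` trail is what the controller keeps to prove that consent was given and when.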