The Hellenic data protection authority (‘HDPA’) issued, on 27 January 2020, its opinion (‘the Opinion’) of 24 January 2020 on the compatibility of Law No. 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions (‘the Law’) with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the EU Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680).

Beyond Article 6 of the GDPR: additional national legal bases for processing

The Opinion states that Articles 24-26 of the Law are incompatible with the GDPR as they provide additional legal bases for processing data which have not been envisaged by Article 6 of the GDPR. Spiros Tassis, IT and Privacy lawyer, and Chairman of the Hellenic Association for Data Protection and Privacy, told OneTrust DataGuidance “The addition of additional, to [Article 6 of the GDPR], legal bases for processing data […] may be very problematic […] there is a wide use of national security and public order, as a legal base to limit some of the data subjects and expand processing activities beyond subjects’ awareness […] The HDPA clarified that, despite [the vagueness of Article 27(2) of the Law] the use of the legal basis of consent in the processing [of] employees’ personal data should be exceptional and duly justified, in view of the imbalance of the parties.”

Furthermore, Nikolaos Theodorakis, Of Counsel at Wilson Sonsini Goodrich & Rosati, told OneTrust DataGuidance, “It is not permissible for EU Member States to coin new national legal bases for data processing [and] the HDPA considers that it is against the Constitution of Greece to delegate core state powers, such as crime prevention and national security to companies.”

Protection of data subject rights

According to the Opinion, Articles 31-35 of the Law do not address the rules of [Article] 23(2) of the GDPR which refer to, amongst other things, the risks to the rights and freedoms of data subjects and the scope of restrictions. Theodorakis continued, “The HDPA suggested that Articles 31-35 of the Law significantly restrict data subject rights, without introducing the safeguards required in Article 23(2) of the GDPR […] The Opinion found that these provisions violate the GDPR, the EU Charter of Fundamental Rights, and the European Convention on Human Rights.” With regard to companies, Theodorakis stated, “Companies should be particularly mindful if they wish to use one of the data subject rights exceptions introduced in the Greek law.”

In addition, Tassis highlighted, “Companies cannot be sure whether to follow the clear GDPR provisions on serving data subject’s requests or claim technical difficulties and escape their obligations […] Companies will seek to limit their [overhead expense] by narrowing data subject’s rights to the least costly procedures claiming disproportionately large effort.”

HDPA Criticism of the Law

Theodorakis outlined that “The Opinion is quite critical about the Greek law and states that the HDPA will not apply certain provisions that violate the GDPR. Overall the Opinion voices that the Law creates confusion (this exact word is mentioned four times in the Opinion), and that certain articles violate the GDPR and EU law.”

What are the next steps?

In light of the HDPA’s finding that the Law does not comply with the GDPR, Tassis stated, “The only way seems to be a clear amendment of the problematic articles.”

Theodorakis also noted, “These smaller and larger findings signal that a complete revamp of the Law should be a governmental priority […] Companies should continue providing privacy notice and fulfilling data subject rights using the high GDPR standard […] The Greek Parliament may consider establishing an expert committee, involve relevant stakeholders and consult the HDPA.”

Finally, Tassis concluded, “Overall the DPA’s opinion conveys the message that either the non-confronting articles will be amended to be compliant with the GDPR or they will be interpreted as non-compliant when a case is brought in front of it. The question, of course, remains how a court will deviate from a national law and decide based only on the GDPR!”

SUZANNA GEORGOPOULOU Privacy Analyst

Comments provided by:

NIKOLAOS THEODORAKIS Of Counsel

Wilson Sonsini Goodrich & Rosati

SPIROS TASSIS Lawyer

Spiros Tassis Law Office

Hellenic Association for Data Protection and Privacy