On March 3, 2023, the Law on emerging information technology and communication technologies, strengthening digital governance and other provisions, entered into effect, following its passage on July 25, 2022, by the Hellenic Parliament.

Scope

In particular, the Law outlines its aim to provide appropriate guarantees to ensure the rights of natural persons and legal entities, strengthening accountability and transparency in the use of artificial intelligence (AI) systems, and complementing the existing institutional framework for cybersecurity.

AI obligations

Notably, the Law outlines obligations for public bodies that use AI systems to be transparent and publish publicly available information on the system-start-up time, the operating parameters and capabilities of the AI system, and the categories of decisions taken by or with the support of the AI system. The Law also provides mandatory conditions for the provision of AI services to public bodies, including that the public body may study the way the AI system operates, taking into account the intended purpose of the system, among other things. Likewise, every public sector body under the Law is required to keep a record of AI systems used, updated annually by March 1.

Public sector bodies are also required to conduct an algorithmic impact assessment before the operation of an AI system, which must take into account:

• the intended purpose;
• the capabilities and technical characteristics;
• type and categories of decisions taken or supported by the AI system;
• the categories of data collected and subject to processing; and
• the risks that may rise to the rights, freedoms, and legal interests of natural or legal persons whom the decision concerns or who are affected by the decision.  

Regarding the private sector, when using AI systems that affect any decision-making process concerning employees or prospective employees and that have an impact on working conditions, organizations must provide sufficient and clear information to each employee or potential employee. Such notice must include information on parameters on which a decision is based and compliance with equal treatment and combating discrimination in employment. Private sector organizations which constitute a medium or large entity that uses an AI system in the context of consumer profiling or in assessing employees must also keep a register of AI systems used.

Authorities

The Law establishes the creation of a Coordinating Committee for AI, responsible for the application of the National Strategy for the development of AI (the National AI Strategy) among other things. Likewise, the Law creates an AI Observatory in the Ministry of Digital Governance, responsible for the data collection on the National AI Strategy, drawing up key indicators on AI activities in Greece, best practices for the use of AI in the private and public sectors, and the effects of AI on the fundamental rights of natural persons.

On the other hand, the Law also establishes a Committee of Data Protection Officers (DPOs), whose mission is to coordinate actions and adopt best practices for the exercise of DPO duties in government bodies.

Internet of Things (IoT)

The Law also outlines obligations for IoT devices, which should be designed and developed under the Law to achieve an appropriate level of cyber security throughout their life cycle to prevent unauthorized access by third parties. IT operators are similarly subject to obligations under the Law, with IT technology devices being required to comply with technical safety specifications. Operators are also required to keep a register of IT technology devices used, which should be updated on an annual basis, and develop incident or vulnerability management procedures for IT technology devices.

You can read the Law, only available in Greek, here.