Greece - Data Protection Overview
1. Governing Texts
In Greece, the protection of a person's personal data against any collection, processing, and use has been constitutionally safeguarded (see Article 9A of the Constitution of Greece, as revised in 2001, only available in Greek here). Pursuant to said provision, an independent authority shall ensure the protection of personal data.
The Hellenic Data Protection Authority ('HDPA') assumes the role of the competent national regulatory authority and is entitled to supervise the application of data protection rules in the Greek territory. The main legal framework consists of the rules under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the national implementation law. In addition, the HDPA also follows EU guidance (e.g. guidelines and recommendations by the European Data Protection Board ('EDPB')) when exercising its powers.
In 2023, the HDPA issued a series of decisions involving, inter alia:
- the non-satisfaction of data subjects' rights (in anticipation of the HDPA's forthcoming decision on the Google LLC case, which involves the failure to satisfy the right to be forgotten; this decision follows a referral to the HDPA plenary);
- the failure to notify data breaches; and
- non-compliance with the HDPA's rules on proper CCTV installation and functioning, etc.
Among the highest fines imposed by the HDPA (€50,000 and €210,000) were those for failure to cooperate with the HDPA during an investigation launched by the latter and for non-satisfaction of data subjects' rights.
Based on statistics released by the HDPA for the period from January 17, 2023, to July 10, 2023, the number of complaints filed before the HDPA amounted to 715, whereas 113 data breach incidents were notified to the HDPA.
Law No. 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions (only available in Greek here) ('the Data Protection Law'), which implements certain provisions of the GDPR, is the basic national legal framework on personal data protection in Greece, alongside the GDPR.
Apart from the Data Protection Law, Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector ('the Electronic Communications Law'), as in force, incorporates the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the e-Privacy Directive') and provides specific rules on the protection of personal data in the field of electronic communications.
The HDPA has released guidance addressed to data controllers concerning different topics of the GDPR, such as:
- principles relating to the processing of personal data (only available in Greek here), including the conditions for lawful processing (only available in Greek here) and the conditions for consent (only available in Greek here);
- guide with the general obligations under the GDPR (only available in Greek here);
- records of processing activities and relevant templates for both data controllers and data processors (both only available in Greek here);
- security of processing (only available in Greek here);
- personal data breach notification (only available in Greek here);
- personal data breach notification form to be submitted to the HDPA in an encrypted form (only available in Greek here);
- codes of conduct (only available in Greek here);
- obligations relevant to electronic communications (only available in Greek here);
- data protection officer ('DPO') (only available in Greek here);
- DPO appointment notification form to be filled in and submitted electronically to the HDPA (only available in Greek here) ('the Form');
- HDPA frequently asked questions on DPOs (only available in Greek here);
- designation of a lead authority (only available in Greek here);
- certification (only available in Greek here);
- Data Protection by Design and by Default (only available in Greek here);
- accountability principle (only available in Greek here);
- transfers of personal data (only available in Greek here);
- data protection impact assessment ('DPIA') (only available in Greek here);
- HDPA list of processing operations requiring a DPIA (only available in Greek here);
- prior consultation (only available in Greek here);
- 'registry of Article 13' of the authority (only available in Greek here);
- the CCTV templates (only available in Greek here);
- HDPA DPIA Guidelines; and
- Guidelines on submitting prior consultation request to the HDPA ('the Prior Consultation Guidelines').
The HDPA also refers to the various guidelines that were issued by the EDPB, which replaced the Article 29 Working Party.
1.3. Case law
The HDPA's case law concerning the GDPR is steadily developing with respect to different topics, including the following:
- principles relating to the processing of employees' data (see HDPA Decision 49/2022, only available in Greek here);
- infringement of Article 5 of the GDPR regarding principles relating to the processing of personal data (see HDPA Decision 5/2023 here, HDPA Decision 11/2023 here, HDPA Decision 12/2023 here, HDPA Decision 13/2023 here, HDPA Decision 16/2023 here, HDPA Decision 20/2023 here, HDPA Decision 23/2023 here, all only available in Greek);
- processing of data through a CCTV system (see HDPA Decision 1/2023, only available in Greek, here);
- non-compliance with the exercise of data subjects' rights, namely the right to information, the right of access, the right to erasure, and the right to object (see HDPA Decision 5/2023 here, HDPA Decision 11/2023 here, HDPA Decision 12/2023 here, HDPA Decision 13/2023 here, HDPA Decision 25/2023 here, all only available in Greek);
- unsolicited commercial communication through electronic means, such as SMS, email, etc. (see HDPA Decision 24/2023, only available in Greek, here); and
- failure to notify a personal data breach (see HDPA Decision 4/2023 here, HDPA Decision 7/2023 here, both only available in Greek).
2. Scope of Application
No national law variations exist.
The Data Protection Law has a similar material scope to the GDPR but distinguishes between public bodies and private entities that process personal data (Article 2 of the Data Protection Law).
The provisions of the Data Protection Law apply to public bodies. With regard to private bodies, these apply provided that (Article 3 of the Data Protection Law):
- the data controller or data processor is processing personal data within the Greek territory;
- the personal data is subject to processing in the context of the activities of an establishment of the data controller or the data processor within the Greek Territory; or
- the data controller or data processor falls within the GDPR scope even if not established in an EU Member State or another country of the European Economic Area ('EEA').
3.1. Main regulator for data protection
The HDPA is responsible for monitoring the implementation of the GDPR provisions, the Data Protection Law, and other provisions related to the protection of persons against the processing of personal data in the Greek territory.
3.2. Main powers, duties and responsibilities
Besides its powers under Article 58 of the GDPR, the HDPA has been provided with the following investigative and corrective powers under Article 15 of the Data Protection Law:
- to carry out, ex officio or following a complaint, investigations and audits of compliance with the provisions of the Data Protection Law, in the context of which the technological infrastructure and other means, automated or not, that support the processing of personal data are also investigated;
- to address warnings to the data controller or data processor that intended processing operations are likely to infringe provisions of the Data Protection Law;
- to order the data controller or data processor to bring processing operations into compliance with the provisions of the Data Protection Law, in a specified manner and within a specified period, particularly by means of an order for the rectification or erasure of personal data;
- to order and impose a temporary or definitive limitation and/or ban on the processing of personal data;
- to order and impose the delivery to the authority of documents, filing systems, equipment, or processing means of personal data and their content;
- to seize any documents, information, filing systems, or any equipment and means involved in a personal data breach, including their content, that come to its attention when exercising its investigatory powers, and to be declared sequestrator until a decision is issued by the competent judicial authorities;
- to order the data controller or data processor to interrupt the processing of personal data, to return or 'freeze' the relevant data, or to destroy the filing system or relevant data;
- to impose administrative sanctions under Article 83 of the GDPR and Article 39 of the Data Protection Law;
- to impose administrative sanctions under Article 82 of the GDPR;
- to issue a provisional order for the immediate, whole, or partial, temporary limitation of the processing or of the file operation until issuance of a final decision; and
- to issue administrative regulatory acts in order to regulate specific, technical, and detailed matters.
4. Key Definitions
Pseudonymization: There is no national variation to this definition. It is noted that, although no national law variations exist, the distinction is made under the Data Protection Law between public and private entities when acting as controllers, as different treatment applies with regard to the restrictions imposed on personal data processing depending on the type of organization.
Public bodies: the public authorities, the independent and regulatory administrative authorities, the public entities (i.e., legal persons of public law), local authorities (municipalities, etc.) of the first and second degree and their legal entities and undertakings, the state and public undertakings and public bodies, and the legal entities of private law which belong to the state, which are subsidized by the state for at least 50% of their annual budget, or whose management is appointed by the state.
Private bodies: the natural or legal person or association of persons without a legal entity, that does not fall within the notion of 'public body'.
5. Legal Bases
The GDPR allows EU Member States to lower the age of child consent below 16 for online service providers offering services directly to children. The Data Protection Law lowers the age of child consent to 15 years (see Article 21 of the Data Protection Law).
No national law variations exist.
For direct marketing cases, the HDPA would apply the provisions under the Electronic Communications Law.
Processing of employee data
Article 27 of the Data Protection Law sets out provisions that apply to the processing of personal data of employees in the context of employment.
In particular, it is specified that the provisions under the Data Protection Law apply to all employees, regardless of the specific type of employment relationship, of the validity of the contract, and irrespective of whether processing involves applicants' or former employees' personal data.
Further, the Data Protection Law provides that employees' personal data may be processed for the purposes of the employment contract, so long as this is strictly necessary for the decision to conclude the employment contract or, once the contract has been concluded, for its performance (Article 27(1) of the Data Protection Law).
According to the HDPA Opinion (see pages 16 to 19 of the HDPA Opinion), to the extent that Article 27(1) of the Data Protection Law introduces a sole legal basis for processing in the employment context, in which all legal bases of Article 6(1) of the GDPR are merged, such provision contradicts Article 88(1) of the GDPR, which allows for more specific national rules but not for the creation of a new legal basis or the exclusion of legal bases under the GDPR. Hence, the HDPA has considered that Article 27(1) of the Data Protection Law is not in line with the GDPR.
By way of exception, the Data Protection Law provides that the processing of employees' personal data may be based, in exceptional circumstances, on consent, so long as such consent has been the result of free choice, taking into account in particular:
- the existing dependence under the employment contract; and
- the circumstances under which consent was given.
Under the Data Protection Law, consent is provided either in written form or electronically and must be clearly distinguished from the employment contract. The employer should inform the employee either in written form or electronically of the processing purpose and of employees' right to withdraw their consent in accordance with Article 7(3) of the GDPR.
Notwithstanding specific provisions under Article 9(1) of the GDPR, the processing of special categories of personal data for the purposes of the employment contract is permitted provided it is necessary for the exercise of the rights, or the carrying out of the lawful obligations arising from employment law, as well as social security and social protection law, and there is no reason to consider that data subjects' legitimate interests prevail.
Under the Data Protection Law, the employer has to take appropriate measures to ensure compliance with the principles for the processing of personal data under Article 5 of the GDPR.
Finally, special rules are provided for the processing of employees' personal data through a closed-circuit recording system in the workplace, including the requirement to inform employees in writing.
Processing of personal data for other purposes
The processing of personal data by public entities for purposes other than those for which they were initially collected is permitted if the processing is necessary for the fulfillment of their duties and if necessary:
- to check the information provided by the data subject, because there are reasonable indications that said information is incorrect;
- for the avoidance of risks to national safety, national defense, or public safety, or to ensure tax or customs income;
- for the prosecution of criminal offenses;
- for the prevention of harm to another; and
- for the production of official statistics.
Processing for other purposes by private entities is permitted if necessary:
- for the avoidance of threats to national or public security following a request from a public entity;
- for the prosecution of criminal offenses; and
- for the establishment, exercise, or defense of legal claims, unless data subjects' interests override.
Processing for scientific or historical research purposes
Pursuant to Article 30 of the Data Protection Law, and notwithstanding Article 9(1) of the GDPR, the processing of special categories of data is permitted without the data subject's consent, provided that it is necessary for scientific or historical research purposes or for purposes related to the collection or retention of statistics and the data controller's interest overrides the data subject's interests. In this respect, the data controller must take appropriate and specific measures for the protection of the data subject's interests, including restrictions on access within the data controller and/or data processor, pseudonymization, encryption, and the appointment of a DPO.
In addition, notwithstanding the provisions of Articles 15, 16, 18, and 21 of the GDPR, data subjects' rights are restricted, if their exercise could make impossible or significantly impede the performance of the scientific or historical research and so long as these restrictions are deemed necessary for their performance.
Apart from the above, special categories of data when processed for the above purposes must be anonymized, once the scientific or statistical purposes allow it, unless contrary to data subject's legitimate interest.
Finally, the data controller may publish personal data that are processed in the context of the research, so long as data subjects have consented in writing or publication is necessary for the presentation of the results of the research, in which case the publication must take place only by means of pseudonymization.
No national law variations exist.
7. Controller and Processor Obligations
Following the entry into effect of the GDPR, there is no longer an obligation to notify the HDPA with regard to the processing of personal data, recordkeeping, or CCTV. In addition, the granting of licenses by the HDPA for the processing of sensitive data has been also abolished (See HDPA Decision 46/2018, only available in Greek here).
No national law variations exist.
Under the Data Protection Law (see Article 28(2)(d)), certain GDPR provisions, including Chapter V of the GDPR on the transfer of personal data to third countries, do not apply to the extent necessary to reconcile personal data protection rights with the right to freedom of expression and information, including processing for journalistic purposes or for academic, artistic, or literary expression.
In this respect, the HDPA issued guidance in 2021 on the latest Standard Contractual Clauses ('SCCs') issued by the European Commission for transfers to third countries (only available in Greek here), as well as on the new SCCs of the European Commission to be signed between data controllers and data processors pursuant to Article 28(7) of the GDPR (only available in Greek here).
No national law variations exist.
Under Article 35(4) of the GDPR, the supervisory authority establishes and makes public a list of the kinds of processing operations which are subject to the requirement of a DPIA.
Pursuant to the above rule, the HDPA has issued a blacklist of the kinds of processing operations which are subject to the requirement for a data protection impact assessment. This list was adopted by means of the HDPA's Decision 65/2018 (only available in Greek here).
The blacklist includes processing activities relating to:
- systematic evaluation, scoring, prediction, prognosis, and profiling, especially of aspects concerning the data subject's economic situation, health, personal preferences, or interests, reliability or behavior, location or movements, or the credit rating of data subjects;
- systematic processing of personal data that aims at taking automated decisions producing legal effects concerning data subjects or similarly significantly affects data subjects and may lead to the exclusion or discrimination against individuals;
- systematic processing of personal data which may prevent the data subject from exercising their rights or using a service or a contract, especially when data collected by third parties are taken into account;
- systematic processing of personal data concerning profiling for marketing purposes when the data are combined with data collected from third parties;
- large scale systematic processing for monitoring, observing, or controlling natural persons using data collected through video surveillance systems, through networks, or by any other means over a public area, a publicly accessible area, or a private area accessible to an unlimited number of persons. This includes the monitoring of movements or location/geographical position, in real time or otherwise, of identified or identifiable natural persons;
- large scale systematic processing of personal data concerning health and public health for public interest purposes, such as the introduction and use of electronic prescription systems and the introduction and use of electronic health records or electronic health cards;
- large scale systematic processing of personal data with the purpose of introducing, organizing, providing, and monitoring the use of electronic government services;
- large scale processing of special categories of personal data referred to in Article 9(1) of the GDPR, including genetic data and biometric data for the purpose of uniquely identifying a natural person, and of personal data referred to in Article 10 of the GDPR;
- large scale systematic processing of data of high significance or of a highly personal nature;
- systematic monitoring, provided that it is fair, of the position/location of employees as well as of the content and of the metadata of employee communications with the exception of logging files for security reasons provided that the processing is limited to the absolutely necessary data and is specifically documented;
- innovative use or application of new technological or organizational solutions, which can involve novel forms of data collection and usage, possibly with a high risk to individuals' rights and freedoms;
- matching and/or combining personal data originating from multiple sources or third parties, or for two or more data processing operations performed for different purposes and/or by different data controllers in a way that would exceed the reasonable expectations of the data subjects; and
- in case the processing concerns personal data that has not been obtained from the data subject and the information to be provided to data subjects pursuant to Article 14 of the GDPR proves impossible or would require a disproportionate effort or is likely to render impossible or seriously impair the objectives of the processing.
The HDPA's list is subject to regular revisions every two years or to an unscheduled revision due to significant developments in technology or in operational models, as well as in the case of a change in the purposes of the processing when these new purposes present a high risk.
Finally, according to information available on the HDPA's website, the above list is not exhaustive and, as such, the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, if the conditions of Article 35(1) of the GDPR are met, has not been removed.
The HDPA has not issued a list of the kinds of processing operations for which no DPIA is required pursuant to Article 35(5) of the GDPR (GDPR whitelist). However, the HDPA outlines in the HDPA DPIA Guidelines that it is not necessary to carry out a DPIA:
- for processing activities for which an authorization to establish and operate the relevant file containing sensitive personal data has been granted under Article 7 of Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data, provided that such authorization is in force and there has been no change which may result in a high risk to the rights and freedoms of data subjects, taking into account the nature, scope, context, and purposes of the processing; and
- where the processing activity pursuant to Article 6(1)(c) or (e) of the GDPR has a legal basis in EU or Member State law where that law regulates the specific processing activity, and a DPIA has already been carried out as part of the establishment of that legal basis, except if it is deemed necessary to carry out such an assessment prior to processing activities.
In addition, the HDPA outlines in the Prior Consultation Guidelines that, to submit a prior consultation request to the HDPA, the controller must fill in a form and submit it electronically through the HDPA online portal. The relevant DPIA provided for above must be included in this submission, alongside any other documentation necessary for the DPIA.
The Data Protection Law provides for specifications with regard to the appointment of a DPO by public entities, including:
- DPO's appointment (Article 6 of the Data Protection Law), (e.g., one person may serve as a DPO for several public bodies, a choice is made on the basis of professional qualifications, an employee of the public entity may be appointed as a DPO, provision for the notification of appointment to the HDPA, unless not permitted for national security reasons or secrecy duties etc.);
- DPO's position (Article 7 of the Data Protection Law), (e.g., participation in all matters related to data privacy; provision of necessary resources, etc.); and
- DPO's duties (Article 8 of the Data Protection Law), (e.g., to cooperate with the HDPA; to act as the contact point with the HDPA, etc.).
In addition, data controllers and processors must inform the HDPA of the appointment or replacement of a data protection officer ('DPO') by sending the Form via email to [email protected]. Any statement of DPO appointment sent to the HDPA before 25 May 2018, or in any other form will not be valid. The removal of a DPO must also be communicated to the HDPA via email to [email protected] (DPO Information).
On the topic of the DPO's conflict of interest, the HDPA has issued a statement on 23 January 2020 on the representation of data controllers and data processors by DPOs before the HDPA. The HDPA highlighted that DPOs should be independent and impartial and, therefore, cannot represent data controllers and data processors when data protection issues arise before the HDPA.
There are no variations with regard to the notification of a personal data breach to the HDPA.
Data breaches can be notified electronically (only available in Greek here). In this respect, data controllers are required to complete and submit a specific form which is available on the HDPA's website here.
Although no variations are provided with regard to notification of the data breach to the authority, the Data Protection Law provides for an exception to the obligation of data controllers to communicate a personal data breach to the data subject, in particular, when and to the extent that by means of this communication, certain information which is protected by secrecy rules would be revealed (Article 33(5) of the Data Protection Law).
Providers of publicly available electronic communications services must notify the Hellenic Authority for Communication Security and Privacy ('ADAE') and the HDPA in case of a personal data breach via the ADAE's online notification form (only available in Greek here) (Article 12(5) of the Electronic Communications Law).
The Data Protection Law does not include any data retention provisions. As regards timeframes for retaining data (although not provided for in the Data Protection Law), statutory (general or specific prescription rules) or contractual retention periods would apply; for the data subject's right to erasure, see the section on the right to erasure below.
Under Article 21 of the Data Protection Law, the processing of personal data belonging to a child, in relation to the offer of information society services, is lawful only if the child is at least 15 years old and provides their consent. Otherwise, children under the age of 15 must have parental or guardian's consent to be offered information society services.
Notwithstanding Article 9(1) of the GDPR, the Data Protection Law stipulates that the processing of special categories of data by public and private bodies is permitted, so long as it is necessary for (Article 22(1) of the Data Protection Law):
- the exercise of rights resulting from social security and social care law and for the performance of relevant obligations;
- the purposes of preventive medicine, the assessment of an employee's ability to work, medical diagnosis, the provision of health and social care, or the management of health and social care systems and services, or under an agreement with a health care professional or another person bound by professional secrecy or under the latter's supervision; or
- the purposes of public interest in the field of public health.
In addition, processing of special categories of personal data, within the notion of Article 9(1) of the GDPR, by public entities is permitted, if (Article 22(2) of the Data Protection Law):
- absolutely necessary for reasons of public interest;
- necessary for the prevention of a significant threat for national or public safety; or
- necessary in order to take humanitarian measures, in which case the interest for the processing overrides the data subject's interest.
In all the above cases, all appropriate and special measures to safeguard data subjects' interests must be taken, taking into account the state of the art, implementation costs, the processing's context and purposes, and the severity of the risk to natural persons' rights and freedoms the processing poses, including technical and organizational measures (Article 22(3) of the Data Protection Law). In addition, the Data Protection Law also allows employers, in the capacity of data controllers, to process special categories of personal data if they meet certain conditions (see Article 27(3) of the Data Protection Law).
With regard to the processing of criminal conviction data, this is not addressed by the Data Protection Law.
Processing of genetic data
Under Article 23 of the Data Protection Law and pursuant to Article 9(4) of the GDPR, the processing of genetic data for health and life insurance purposes is expressly prohibited.
No national law variations exist.
8. Data Subject Rights
When personal data is collected from the data subject, the data controller is exempt from the obligation to inform data subjects of further processing of personal data pursuant to Article 13(3) of the GDPR in the following cases (Article 31(1) of the Data Protection Law):
- the processing purpose of the further processing of personal data which the data controller stores in written form directly addressed to the data subject is compatible with the initial purpose, the communication with the data subject is not conducted via digital means and the data subject's interest to be informed is not particularly high; or
- when, in the case of a public body, such information would compromise:
  - the proper performance of the data controller's duties;
  - national or public security, and the data controller's interest in not providing the information overrides the data subject's interests;
  - the establishment, exercise, or defense of legal claims, and the data controller's interest in not providing the information overrides the data subject's interests; or
  - the confidential transfer of personal data to public bodies.
The data controller must:
- take appropriate measures for the protection of data subject's legitimate interests, including the provision of information outlined in Article 13(1) and (2) of the GDPR in an accurate, transparent, intelligible, and easily accessible manner, in a clear and plain language; and
- in most cases notify the data subject in writing of their reasons for not providing the information.
In addition, broader exceptions apply for public bodies when personal data have not been obtained from the data subject, under Article 32 of the Data Protection Law.
Under Article 33(1) of the Data Protection Law, the right of access is restricted when:
- there is no obligation to inform data subjects; or
- the data subjects' data:
  - were recorded only because they could not be deleted due to regulatory provisions on obligatory retention; or
  - serve exclusively for purposes of data protection or data control,
  and the provision of information would require a disproportionate effort, and the necessary technical and organizational measures make processing for other purposes impossible.
The reasons for refusing to provide access to the data subject must be documented. The refusal to provide information should be justified to the data subject, unless doing so would risk compromising the purpose pursued by refusing access to the information (Article 33(2) of the Data Protection Law).
The data subject's right of access applies only if the data subject provides enough information to allow retrieval of the data and the effort required is not disproportionate to the data subject's interest in being informed (Article 33(3) of the Data Protection Law).
The data subject's right of access pursuant to Article 15 of the GDPR does not apply when the information to be disclosed to the data subject must remain confidential by law or by reason of its nature, in particular due to third parties' overriding legitimate interests.
The Data Protection Law does not include general variations regarding the data subject's right to rectification. However, it includes limitations on the exercise of such right in the context of particular processing purposes (i.e., processing and freedom of expression and information of Article 28 of the Data Protection Law, processing for archiving purposes in the public interest under Article 29 of the Data Protection Law and processing for scientific or historical research or statistical purposes under Article 30 of the Data Protection Law).
Under Article 34 of the Data Protection Law, the right to erasure does not apply, in cases of non-automated processing, when, due to the special nature of the storage, erasure is impossible or possible only with disproportionate effort, and the data subject's interest in erasure is not considered significant. The right to erasure also does not apply when the data controller no longer needs the personal data for the purpose of collection (Article 17(1)(a) of the GDPR) or the personal data were unlawfully processed (Article 17(1)(d) of the GDPR), but the data controller has reason to believe that erasure would be prejudicial to the data subject's legitimate interests. In both cases, erasure is replaced by restriction of processing. The same exception applies where erasure would conflict with statutory or contractual retention periods. The above does not apply in the case of unlawful processing.
Under Article 35 of the Data Protection Law, the right to object may not be exercised against a public entity if the processing is required in the public interest and that interest prevails over the data subject's interests, or if the processing is mandatory under a legal provision.
Right to data portability
There are no variations under the Data Protection Law. However, the Data Protection Law permits data controllers to restrict data subjects' right to data portability in the following cases:
- when necessary to reconcile the right to data protection with the right to freedom of expression and information, including when processing for journalistic purposes or academic, artistic, or literary expression (Article 28(2) of the Data Protection Law); and
- when the data subject's exercise of the right likely renders impossible or seriously impairs the objectives of processing for archiving purposes in the public interest and restricting the right is necessary to achieve those purposes (Article 29(4) of the Data Protection Law).
There are no variations with regard to profiling under the Data Protection Law.
Right to restriction of processing
There are no variations under the Data Protection Law.
In addition to the corrective powers provided under Article 58(2) of the GDPR, the Data Protection Law further specifies that public entities will be subject to the imposition of administrative fines of up to €10 million by the HDPA for the infringements included in Article 83(4), (5), and (6) of the GDPR (with a few exceptions).
The Data Protection Law introduces no variations with regard to private entities.
The Data Protection Law provides for criminal sanctions, in particular imprisonment of up to one year, for anyone who interferes with a filing system containing personal data and, by means of this act, obtains knowledge of, copies, or otherwise processes the personal data contained therein.
Furthermore, if personal data is used, transmitted, disseminated, disclosed by transmission, made available, or communicated to unauthorized persons or the offender allows unauthorized persons to obtain knowledge of said data, the offender may be punished by imprisonment.
In the case of special categories of personal data, the Data Protection Law provides for the following criminal sanctions:
- imprisonment of at least one year; and
- a fine of up to €100,000.
In addition, if the offender of the above acts had the intent to unlawfully gain an economic benefit for himself or for another person or to cause property damage to another person or harm another person and the total benefit thereof exceeds €120,000, then the offender may be punished with imprisonment of up to ten years.
Finally, if from the above acts national security or the democratic functioning of the state has been put at risk, imprisonment and a fine of up to €300,000 may be imposed.
HDPA Decision 2/2023
By Decision 2/2023 (only available in Greek here), the HDPA imposed a fine of €50,000 on Intellexa S.A. (a company providing services related to the design and development of applications, networks, and systems, software, and technological solutions in general, as well as data processing services) for failure to cooperate during HDPA's investigation. The HDPA initiated an ex officio investigation, following press reports on the use of spying software "Predator" to monitor personal terminals within the Greek territory. In particular, the HDPA has, since July 2022, been investigating cases of installation of monitoring software on users' mobile terminals (spyware), and subsequent unlawful collection and processing of personal data.
The HDPA launched an administrative investigation into Intellexa S.A. in September 2022, with a dawn raid carried out both at the company's registered office (Chalandri) and at the company's other premises (Elliniko). As per the HDPA's decision, the company unduly delayed responding to the HDPA's inquiries, taking 40 days to reply, and refused to provide information that was considered to be indisputably in its possession, thus violating its obligation under Article 31 of the GDPR, which requires controllers and processors to cooperate with the supervisory authority. Furthermore, the HDPA ordered Intellexa S.A. to immediately produce specific information necessary for the conduct of the investigation.
It is noted that, subsequently, Intellexa S.A. filed an application for reparation, by which it sought the revocation or amendment of the contested decision, invoking that the decision erroneously concluded that it had failed to cooperate with the HDPA and had infringed Article 31 of the GDPR, and requesting the reassessment of the imposition of the relevant sanctions. After considering the relevant facts of the case and having considered that Intellexa S.A. had acted in bad faith, the HDPA rejected the application for remedy and upheld its decision imposing the fine.
HDPA Decision 25/2023
By Decision 25/2023 (only available in Greek here), the HDPA imposed a fine of €210,000 on Piraeus Bank for unlawful processing of personal data and non-satisfaction of a data subject's right of access. The HDPA carried out an investigation following a complaint according to which:
- Piraeus Bank erroneously transferred the complainant’s personal data to a servicing firm (Alternative Financial Solutions), without any legal reason or right, as allegedly no outstanding claim existed; and
- the rights of access and information were not satisfied.
The HDPA found that Piraeus Bank, as data controller, carried out automated processing of the personal data of a large number of natural persons, namely 23,259 individuals, without a legitimate justification. Specifically, due to the 'systemic' parameterization of the lists of recipients of personalized letters produced by the Bank itself, a list of recipients was inadvertently and systematically produced that included customers and other persons who, although not involved in the portfolio under management (as they had no outstanding debt obligation), were included in the recipients' list and received the Bank's letter informing them that their data would be transferred to the servicing firm.
In addition, the HDPA found that appropriate measures had not been implemented and that it had not been ensured that only the necessary personal data would be processed, in violation of the data processing principles (Article 5(1)(a) and Article 25(1) of the GDPR).
Based on the above, the HDPA imposed an administrative fine totaling €210,000 on the Bank for violation of Articles 5(1)(a), 6, 25(1), and 15(1) of the GDPR, while ordering it to duly satisfy the complainant's right of access.