Greece and the GDPR, New Data Privacy Law in Europe
Greece’s Data Protection Law is a data privacy law that was passed in 2016. As Greece is one of the many nations that comprise the European Union, Greece’s Data Protection Law was enacted for the purpose of implementing various provisions of the EU’s GDPR law into Greek law. As such, Greece’s Data Protection Law is the foremost national legal framework for personal data protection in Greece, in conjunction with the EU’s GDPR law. While the two pieces of legislation are largely similar in nature, there are some variations between them in the requirements placed on data controllers and processors within Greece, as well as in the potential punishments that can be levied against these parties should they fail to comply with the provisions of both laws.
What is the scope and application of Greece’s Data Protection Law?
In terms of the scope and application of Greece’s Data Protection Law, there are no variations between the law and the EU’s GDPR law as it pertains to the personal scope of the law. However, the territorial scope of the law does distinguish between private entities and public bodies that collect or process personal data, in contrast with the EU’s GDPR law. Moreover, the material scope of the law is applicable under the following circumstances:
- The data controller or data processor is processing personal data within the Greek territory;
- The personal data is subject to processing in the context of the activities of an establishment of the data controller or the data processor within the Greek territory; or
- The data controller or data processor falls within the GDPR scope even if not established in an EU Member State or another country of the European Economic Area (‘EEA’).
What are the requirements of data controllers and processors under Greece’s Data Protection Law?
Under Greece’s Data Protection Law, data controllers and processors are responsible for adhering to the same data protection principles as are required by the EU’s GDPR law. These principles include but are not limited to storage limitation, accuracy and integrity, and accountability concerning all personal data that is collected, processed, or disclosed. Despite this, there are some variations between the requirements of data controllers and processors under Greece’s Data Protection Law when compared with the EU’s GDPR law. One of these variations is the requirements concerning Data Protection Impact Assessments, or DPIAs for short.
Under Greece’s Data Protection Law, data controllers and processors are responsible for carrying out DPIAs concerning their operations, provided their processing activities relate to certain aspects of data processing, which include but are not limited to the following:
- Systematic evaluation, scoring, prediction, prognosis, and profiling, especially of aspects concerning the data subject’s economic situation, health, personal preferences, or interests, reliability or behavior, location or movements, or the credit rating of data subjects;
- The systematic processing of personal data that aims at taking automated decisions producing legal effects concerning data subjects or similarly significantly affects data subjects and may lead to the exclusion or discrimination against individuals;
- The systematic processing of personal data which may prevent the data subject from exercising their rights or using a service or a contract, especially when data collected by third parties is taken into account;
- The systematic processing of personal data concerning profiling for marketing purposes when the data are combined with data collected from third parties.
What are the rights of Greek citizens under Greece’s Data Protection Law?
Under Greece’s Data Protection Law, Greek citizens have the same rights that are afforded to other citizens residing within EU member states under the EU’s GDPR law. These rights include but are not limited to the right to be informed, the right to access, and the right to data portability. In terms of the enforcement of these various rights, Greece’s Data Protection Law is enforced by the Hellenic Data Protection Authority, or the HDPA for short. To this point, individuals and organizations who violate Greece’s Data Protection Law are subject to a monetary penalty ranging from €100,000 ($113,378) to €10 million ($11,337,500), depending on the scope and severity of the violation, as well as a term of imprisonment of up to one year.
Within the country of Greece, the EU’s GDPR law and the Data Protection Law serve as the primary legal basis that governs the collection, processing, and ultimate use of personal data within the country. As the Data Protection Law and the General Data Protection Regulation also allow for violators of such legislation to be punished severely, Greek citizens can rest assured that their personal data is being protected at the highest level possible. As such, Greece has joined the list of nations around the world that have taken legislative measures to ensure that the personal data of their respective citizens is safeguarded at all times.