Data Privacy Comparative Guide –


1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data
privacy in your jurisdiction?

Data privacy in Greece is mainly regulated by:

  • the EU General Data Protection Regulation (Regulation
    2016/679);

  • Law 4624/2019, which sets out implementation measures on the
    GDPR and integrates EU Directive 2016/680 into Greek law; and

  • Law 3471/2006, which integrates EU Directive 2002/58/EC into
    Greek law.

The GDPR and Law 4624/2019 are supplemented by a web of other
national laws that:

  • regulate specific sectoral data protection/privacy issues;

  • include specific provisions which require data controllers to
    process personal data in a specific way, enabling them to use the
    legal bases of Articles 6.1.c and/or 6.1.e of the GDPR; or

  • provide for specific additional technical/organisational
    measures which must be applied to specific types of personal data
    processing.

Additionally, while they constitute guidance instruments and do
not directly have legally binding effects, the opinions and
instructions of the Hellenic Data Protection Authority (HDPA)
provide invaluable insight on how the legal framework will be
enforced in specific situations. The following HDPA instructions
bear increased significance in the implementation of privacy law in
Greece:

  • Instruction 115/2001 on Data Protection in the Context of
    Employment;

  • Instruction 01/2011 on the Use of Closed-Circuit Television
    (CCTV) Systems;

  • Instruction 02/2011 on the Provision of Digital Consent for
    Data Processing through Cookies and Similar Technologies; and

  • Guidelines 02/2020 and 01/2021 on Data Protection in the
    Context of Remote Working.

1.2 Do any special regimes apply in specific sectors (eg,
banking, insurance, telecommunications, healthcare, advertising) or
to specific data types (eg, biometric data)?

Several special regimes apply in specific sectors. Perhaps the
most influential of these regimes is Law 3471/2006, which:

  • introduces specific requirements and obligations for personal
    data processing in the telecommunications sector; and

  • specifies additional requirements for:

    • the legal processing of data through cookies and similar
      technologies; and

    • the processing of data for purposes of direct marketing
      communications through telephone, emails, and other digital
      means.

Additionally, in some cases, data processing rules in specific
market sectors might be affected by sectoral codes of conduct which
have been passed into law or special legal and regulatory regimes
that apply to specific professions. Examples of specific sectors
which are affected by such legislation include:

  • banking;

  • stock exchanges and brokers;

  • insurance; and

  • legal services.

Lastly, there are provisions in certain statutes which may
provide for a special legal basis or additional data protection
requirements for certain processing activities. For example, such
provisions are included in:

  • Law 3850/2010 for the Protection of Employees’ Health and
    Safety, which governs the competencies and obligations of
    occupational doctors;

  • Law 4727/2020 on Digital Governance, which also contains
    provisions on access to open data; and

  • Article 5 of the Code of Administrative Procedure (Law
    2690/1999), which regulates access to public and private documents
    in the filing systems of Greek public bodies.

1.3 Do any bilateral and multilateral instruments on data
privacy have effect in your jurisdiction?

Greece is a signatory to the Council of Europe’s Convention
108+ for the protection of individuals with regard to the
processing of personal data. Although most of the convention’s
provisions are already deeply embedded in EU and Greek law, the
convention itself still stands as the only legally binding
international convention on data protection.

The Greek data privacy regime is also affected by any bilateral
agreements which have been signed between the European Union and
third countries, whose execution might require the processing of
personal data. Examples of such bilateral agreements include:

  • the passenger name record (PNR) bilateral agreements between the
    European Union and Australia, as well as between the European Union
    and the United States; and

  • the bilateral mutual legal assistance agreements which the
    European Union has concluded with the United States, Japan, Iceland
    and Norway.

1.4 Which bodies are responsible for enforcing the data privacy
legislation in your jurisdiction? What powers do they have?

The following bodies are responsible for the enforcement of data
privacy legislation in Greece:

  • the HDPA;

  • the administrative courts;

  • the civil courts; and

  • the criminal courts.

The competences and powers of each body, in terms of
enforcement, are as follows.

HDPA: The HDPA is tasked, among other things,
with:

  • supervising and enforcing the application of national and EU
    personal data protection law in Greece;

  • promoting public awareness of personal data protection and
    privacy;

  • providing advice and guidance to Parliament and other public
    bodies about personal data protection;

  • conducting investigations into potential breaches of data
    protection law;

  • adopting and reviewing all relevant instruments which are
    provided for by the GDPR (standard contractual clauses, binding
    corporate rules, codes of conduct); and

  • handling data protection complaints filed by data
    subjects.

It possesses investigative, advisory and corrective powers. Its
corrective powers include:

  • issuing a warning or reprimand;

  • ordering the data controller or processor to cease data
    processing within Greece; and

  • imposing a ban or a fine of up to €20 million or, in the
    case of an undertaking, 4% of the data controller’s or
    processor’s total worldwide annual turnover in the preceding
    financial year.

Administrative courts: The administrative
courts are tasked with examining appeals against decisions of the
HDPA.

Civil courts: The civil courts examine civil
data protection lawsuits and claims, filed under Article 79 of the
GDPR and Article 40 of Law 4624/2019.

Criminal courts: The criminal courts examine
criminal data protection cases brought before them under Article 38
of Law 4624/2019.

1.5 What role do industry standards or best practices play in
terms of compliance and regulatory enforcement?

Best practices, as outlined in question 1.1, play an important
role in the day-to-day application of data protection and privacy
laws in Greece. These best practices usually come in the form
of:

  • instructions, guidance and opinions of the HDPA; and

  • guidelines of the European Data Protection Board.

The HDPA, to date, has not approved any additional tools
provided by the GDPR, such as codes of conduct, certification
schemes or binding corporate rules. However, several sectoral codes
of conduct – such as the code of conduct for the insurance
sector and the code of conduct for personal data processing by
attorneys and law firms – are currently under review by the
HDPA.

Industry standards play a limited role in data protection
compliance in Greece – mainly due to:

  • confusion as to which specific standard would prove more
    effective in demonstrating a company’s or organisation’s
    compliance; and

  • the lack of sufficient case law on this issue to date.

However, many players in the market adhere to the ISO 27000
family of standards and the BS 10012 standard as proof of
compliance with the GDPR obligation to establish technical measures
for the protection of personal data.

Lastly, on 20 October 2022, the Europrivacy Certification became
the first privacy seal to be recognised by the European Data
Protection Board pursuant to Article 42.5 of the GDPR. It is still
too early to assess the impact of this certification in Greece, but
it is highly probable that it will play an influential role in
terms of compliance.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in
your jurisdiction?

Any entity – whether a private or public company or
organisation – which processes personal data within the Greek
territory falls within the scope of the Greek data privacy/data
protection framework. The material scope of the framework extends
to:

  • the processing of personal data wholly or partly by automated
    means; and

  • the processing other than by automated means of personal data
    which forms part of a filing system or is intended to form part of
    a filing system.

Since the term ‘filing system’ is interpreted extremely
widely, most personal data processing activities in Greece fall
within the scope of Greek data protection law.

Instances where the scope of the framework extends beyond the
territory of Greece are discussed in question 2.3.

2.2 What exemptions from the data privacy regime, if any, are
available in your jurisdiction?

The following exemptions from the data protection/privacy regime
apply in Greece.

Household exemption: Greek data protection law
does not apply to the processing of personal data in the course of
purely personal or household activities. However, both EU and Greek
case law has adopted a narrow definition of ‘personal and/or
household activities’; as such, this exemption may only be used
exclusively in specific instances. For example, sharing or
resharing a picture which was shot in a private setting on social
media – especially publicly, but in some cases even within a
private group – does not always fall within the
exemption.

Partial exemptions for processing for journalistic, academic or
artistic purposes: Article 28 of Law 4624/2019
introduces a partial exemption from some provisions of the data
protection regime for specific processing activities which take
place for journalistic, academic or artistic purposes. The
exemption spans the application of Chapters II, III, IV, V, VII,
and IX of the General Data Protection Regulation (GDPR), except for
Articles 5, 28, 29, and 32. This exemption is valid only to the
extent that the processing of a data subject’s personal data,
and the violation of his or her corresponding rights to the
protection of such data, is necessary to safeguard the rights of
freedom of expression and access to information. As such, a strict
proportionality assessment must be conducted, on an ad hoc
basis, to ensure that this exemption applies to a specific
processing activity.

2.3 Does the data privacy regime have extra-territorial
application?

The Greek data protection regime extends to controllers and
processors of personal data globally, regardless of whether they
are established within Greece or the European Union, where such
controllers or processors carry out processing activities related
to:

  • the offering of goods or services, irrespective of whether a
    payment of the data subject is required, to data subjects in
    Greece; or

  • the monitoring of data subjects’ behaviour, insofar as
    their behaviour takes place in Greece.

3 Definitions

3.1 How are the following terms (or equivalents) defined in
your jurisdiction? (a) Data processing; (b) Data processor; (c)
Data controller; (d) Data subject; (e) Personal data; (f) Sensitive
personal data; and (g) Consent.

(a) Personal data processing

Any operation or set of operations which is performed on
personal data or on sets of personal data, whether or not by
automated means, such as collection, recording, organisation,
structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction,
erasure or destruction.

(b) Data processor

A natural or legal person, public authority, agency or other
body which processes personal data on behalf of the controller.

(c) Data controller

A natural or legal person, public authority, agency or other
body which, alone or jointly with others, determines the purposes
and means of the processing of personal data.

(d) Data subject

The natural person to whom the personal data relates.

(e) Personal data

Information relating to an identified or identifiable natural
person. An ‘identifiable natural person’ is one who can be
identified, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location
data, an online identifier or one or more factors specific to the
physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person.

(f) Special categories of personal data

  • Personal data revealing racial or ethnic origin, political
    opinions, religious or philosophical beliefs or trade union
    membership;

  • Genetic data;

  • Biometric data;

  • Data concerning health; and

  • Data concerning sex life or sexual orientation.

(g) Consent

Any freely given, specific, informed and unambiguous indication
of the data subject’s wishes by which he or she, through a
statement or through a clear affirmative action, signifies
agreement to the processing of personal data relating to him or
her.

3.2 What other key terms are relevant in the data privacy
context in your jurisdiction?

Personal data breach: A breach of security
leading to the accidental or unlawful destruction, loss,
alteration, unauthorised disclosure of, or access to, personal data
that is transmitted, stored or otherwise processed.

Biometric data: Personal data resulting from
specific technical processing relating to the physical,
physiological or behavioural characteristics of a natural person,
which allows or confirms the unique identification of that natural
person, such as facial images or dactyloscopic data.

Profiling: Any form of automated processing of
personal data consisting of the use of personal data to evaluate
certain personal aspects relating to a natural person, in
particular to analyse or predict aspects concerning that natural
person’s performance at work, economic situation, health,
personal preferences, interests, reliability, behaviour, location
or movements.

Data protection impact assessment (DPIA): An
assessment of the impact of the envisaged processing operations on
the protection of personal data, which must be carried out by the
data controller where a type of processing, in particular one using
new technologies, is likely to result in a high risk to the rights
and freedoms of natural persons, taking into account the nature,
scope, context and purposes of the processing.

Employee: Any person occupied, under any
employment relationship or work contract or contract for the
provision of services, by public and/or private sector entities,
regardless of the integrity of any such contracts, as well as
candidate employees and ex-employees.

Transfers to third countries or international organisations: Any
transfer of personal data whose recipient is located or established
outside the European Economic Area.

4 Registration

4.1 Is registration of data controllers and processors
mandatory in your jurisdiction? What are the consequences of
failure to register?

No such obligation exists under Greek law.

4.2 What is the process for registration?

No such obligation exists under Greek law.

4.3 Is registered information publicly accessible?

No such obligation exists under Greek law.

5 Data processing

5.1 What lawful bases for processing personal data are
recognised in your jurisdiction? Do these vary depending on the
type of data being processed?

Most categories of personal data can be processed under the
following legal bases:

  • The data subject has consented to the specific processing
    purposes;

  • The processing is necessary for the performance of a contract
    to which the data subject is party or in order to take steps at the
    request of the data subject prior to entering into a contract;

  • The processing is necessary for compliance with a legal
    obligation to which the data controller is subject. This basis may
    be used only if the legal obligation derives from EU or member
    state law;

  • The processing is necessary to protect the vital interests of
    the data subject or of another natural person;

  • The processing is necessary for the performance of a task
    carried out in the public interest or in the exercise of official
    authority vested in the data controller, which derives directly
    from EU or member state law; or

  • The processing is necessary to safeguard a specific legitimate
    interest of the data controller or a third party, except where such
    interests are overridden by the interests or fundamental rights and
    freedoms of the data subject.

The processing of special categories of personal data is
generally prohibited. Such data can only be processed if the data
controller establishes the co-existence of:

  • at least one of the abovementioned legal bases; and

  • one of the derogations established by Article 9.2 of the EU
    General Data Protection Regulation (GDPR) (eg, explicit consent,
    execution of employment or social security legal obligations,
    exercise/defence of legal claims, substantial public interest,
    preventive and occupational medicine).

5.2 What key principles apply (eg, notice) when processing
personal data in your jurisdiction? Do these vary depending on the
type of data being processed? Or on whether it is outsourced?

The key principles of EU law apply directly in Greece. As such,
the following principles will apply to any personal data processing
within Greece:

  • Lawfulness, fairness and transparency: Personal data must be
    processed lawfully, fairly and transparently in relation to the
    data subject. To this end, obligations for the provision of
    information to the data subjects are in place.

  • Purpose limitation: Personal data must be collected for
    specified, explicit and legitimate purposes, and must not be
    processed further in a manner that is incompatible with those
    purposes.

  • Data minimisation: The personal data collected must be
    adequate, relevant and limited to what is necessary in relation to
    the purposes for which they are processed.

  • Accuracy: Personal data must be accurate and, where necessary,
    kept up to date; and every reasonable step must be taken to ensure
    that personal data which is inaccurate, having regard to the
    purposes for which it is processed, is erased or rectified without
    delay.

  • Storage limitation: Personal data must be kept in a form which
    permits the identification of the data subjects for no longer than
    is necessary for the purposes for which the personal data is
    processed.

  • Integrity and confidentiality: Personal data must be processed
    in a manner that ensures appropriate security of the personal data,
    using appropriate technical and organisational measures.

  • Accountability: It is the data controller’s responsibility
    to be able to demonstrate compliance with the above principles. To
    this end, several optional and obligatory record-keeping and
    accountability tools are in place (eg, records of processing
    activities, data protection impact assessments).

5.3 What other requirements, restrictions and best practices
should be considered when processing personal data in your
jurisdiction?

  • Increased importance will be given to compliance with the
    principles of data protection by design and by default (Article 25
    of the GDPR). This requires controllers to ensure that, both during
    the design and during the implementation phase of any processing
    activity, technical and organisational measures are in place that
    are designed to practically implement data protection principles
    and to ensure that – by default – only personal data
    necessary for each specific purpose of the processing is processed.
    To this end, it is imperative – especially when designing new
    products, services and software – for controllers to ensure
    that data protection advice is available and data protection by
    design and by default is taken into account.

  • As a continual increase in personal data breaches has been
    observed in the last few years, it is important for data
    controllers and processors to constantly update and evaluate their
    technical and organisational measures in accordance with Article 32
    of the GDPR.

  • Valid consent from minors for the processing of their personal
    data by information society services can be obtained directly from
    them only when they are at least 15 years old.

  • Greek law completely prohibits the processing of genetic data
    for life and health insurance purposes.

  • Under Greek law, the processing of employees’ personal data
    falls within the scope of the data protection rules, even when the
    processed data is not a part of, or intended to form a part of, a
    filing system. In such cases, Greek law is stricter than EU law,
    since it even extends to oral communications.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of
data to third parties?

The basic requirement for a transfer of data to a third party to
take place is that the transfer is completed in a way which
respects all the data protection principles mentioned in question
5.2.

Where the third party is located in Greece or the European
Union, the main requirements are as follows:

  • A legal basis for the transfer was identified before the data
    was collected by the disclosing party; and

  • The data subjects were informed of the transfer, as per
    Articles 12–14 of the General Data Protection Regulation
    (GDPR).

However, if a transfer was not foreseen or intended when the
data was initially collected, an assessment of whether such a
transfer is allowed must be made against the criteria set out in
Article 6.4 of the GDPR.

Where the third party is located or established in a third
country or in an international organisation, additional
restrictions apply to the transfer (see question 6.2).

6.2 What requirements and restrictions apply to the transfer of
data abroad? Do these vary depending on the destination?

If the transfer’s recipient is located or established
outside the European Economic Area or is an international
organisation, additional requirements apply on top of those
mentioned in question 6.1.

More specifically, such transfers may only be legal:

  • if at least one of the transfer tools, described in Articles
    45–49 of the GDPR, is in place; and

  • in specific transfer scenarios, if additional safeguards have
    been introduced to ensure that the transferred personal data will
    be subject to an equivalent level of protection once the data
    transfer is concluded.

The fastest route to ensure that a third country data transfer
is legal is to use an existing adequacy decision of the European
Commission for the specific destination country. However, since
such adequacy decisions have currently been issued only for 14
countries, most data controllers will need to use other transfer
mechanisms to ensure the legality of the transfer.

It may be inferred from the above that the requirements and
options available to the disclosing entity may vary greatly,
depending on the transfer’s destination. After the Schrems II
decision of the Court of Justice of the European Union
(C-311/18), especially strict restrictions apply to data transfers
from Greece/the European Union to the United States.

Due to the abovementioned framework – and in line with the
Schrems II decision, the latest European Data Protection
Board guidelines on the subject and the principle of accountability
– it is imperative for data controllers to carry out a
transfer impact assessment (TIA) to assess the legality of a
transfer to third countries without an active adequacy
decision.

6.3 What other requirements, restrictions and best practices
should be considered when transferring personal data, both within
your jurisdiction and abroad?

  • Consider informing data subjects, at the time of data
    collection, of all foreseeable data transfers that your company or
    organisation usually performs during its day-to-day functioning.
    This approach will allow you to comply with transparency
    obligations and saves time which would otherwise be spent informing
    data subjects about ad hoc data transfers.

  • Always examine ad hoc/unforeseen data transfer
    requests under the scope of the principle of proportionality. If
    the purposes for which the transfer is sought can be achieved by
    transferring less data or anonymised/statistical data, this is the
    type of data that should be transferred.

  • Even where the legality of a transfer has been examined and
    ascertained, do not forget to ensure the application of technical
    and organisational measures (eg, encryption) to ensure that the
    transferred personal data will exclusively reach the intended
    recipient.

  • When designing new tech projects or global projects, or
    contemplating the possibility of expanding your activities to new
    jurisdictions outside Greece and the European Union which would
    require regular transfers of personal data to those jurisdictions,
    ensure that a TIA containing an assessment of the data protection
    regimes of the target jurisdictions has been carried out before you
    finalise your decisions on the issue. This approach both ensures
    the protection of your organisation’s personal data and
    potentially drastically reduces compliance expenses for your
    organisation down the line.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the
processing of their personal data? Do any exemptions apply?

  • Right to be informed: Data subjects must be informed about the
    processing information, listed in Articles 12–14 of the EU
    General Data Protection Regulation (GDPR).

  • Right to access personal data: Data subjects may:

    • request confirmation as to whether data concerning them is
      being processed;

    • access information about the related processing activities;
      and

    • access a copy of the data.


  • Right to the rectification of inaccurate or outdated data.

  • Right to erasure/right to be forgotten: Data subjects may,
    under specific circumstances, request that their data be
    irrevocably erased.

  • Right to restriction of processing.

  • Right to object to the processing of personal data: This may be
    invoked only if:

    • the data processing takes place under the legal basis of
      pursuance of legitimate or public interest; and

    • the request is based on grounds relating to the data
      subject’s particular situation.


  • Right to portability: This can only be validly exercised for
    automatic processing activities which take place under the legal
    basis of consent or the execution of a contract.

  • Right to withdraw consent.

  • Right not to be subject to automated decision making.

All restrictions of the abovementioned rights, which are
provided by the GDPR, also apply in Greece. Law 4624/2019 provides
for some additional ‘national’ restrictions; however, the
Hellenic Data Protection Authority (HDPA), through Opinion 01/2020,
has expressed its doubts as to the legality and applicability of
these national restrictions.

Unlike in other jurisdictions, the HDPA’s recent case law
establishes that, in Greece, requests may not be deemed excessive
solely on the basis that the real purpose behind the data
subject’s request was not exclusively data privacy related.

7.2 How can data subjects seek to exercise their rights in your
jurisdiction?

Data subjects may choose to exercise their rights in Greece
through their preferred channel and/or communication methods. This
means that data controllers may choose to establish official
channels to attempt to streamline data subject requests; but this
does not release the controller from its responsibility to
establish efficient organisational measures which will allow it to
monitor all incoming communication channels for such requests.

Recently, a large Greek retail group and a Greek bank were fined
by the HDPA for their lack of such organisational measures
(Decision 36/2021).

7.3 What remedies are available to data subjects in case of
breach of their rights?

Data subjects may:

  • lodge a complaint with the HDPA; or

  • file legal proceedings in the civil courts to request the
    imposition of judicial remedies against the controller and/or
    compensation for material and/or non-material damages which the
    data subject has suffered.

Denial, delayed response and mishandling of various types of
data subject right requests are among the most common reasons for
the imposition of administrative fines by the HDPA.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory
in your jurisdiction? If so, what are the consequences of failure
to do so?

  • For public authorities and public bodies in Greece, the
    appointment of a data protection officer (DPO) is mandatory.

  • The appointment of a DPO is mandatory for private entities only
    where the requirements of Article 37 of the General Data Protection
    Regulation (GDPR) are met – that is, where:

    • the core activities of the data controller or the processor
      consist of processing operations which, by virtue of their nature,
      scope and/or purposes, require regular and systematic monitoring of
      data subjects on a large scale; or

    • the core activities of the data controller or the processor
      consist of processing on a large scale of special categories of
      data and personal data relating to criminal convictions and
      offences.


  • Failure to appoint a DPO, where the relevant legal obligation
    exists, constitutes an independent infringement of data protection
    legislation and may lead to administrative fines of up to €10
    million or, in case of an undertaking, up to 2% of its total
    worldwide annual turnover. The data controller/processor may also
    be liable to compensate, following a civil law procedure, the data
    subjects for any material or non-material damages that they
    suffered due to the data controller’s/processor’s failure
    to appoint a DPO.

8.2 What qualifications or other criteria must the data
protection officer meet?

The DPO should possess all necessary professional qualities to
fulfil the tasks and responsibilities mentioned in Article 39 of
the GDPR (and question 8.3).

In practice, the DPO should, at minimum, have expert and
specific knowledge of the GDPR, Law 4624/2019 and all the
supportive and complementary Greek data privacy laws. Additionally,
knowledge of other Greek and EU laws which may affect the data
controller’s implementation of the data protection legislation
must be considered a strong asset.

Knowledge of and experience with the state of the art and
international standards/best practices for information security, as
well as tech savviness and experience with the data
controller’s/processor’s market sector, may also be
considered to be qualifications of a good DPO.

Once the DPO has been appointed, data controllers/processors must
ensure that he or she is:

  • involved properly and in a timely manner in all data protection
    issues;

  • able to operate independently, without receiving any
    instruction regarding the exercise of his or her tasks;

  • provided with all resources necessary to carry out his or her
    tasks; and

  • available to data subjects.

8.3 What are the key responsibilities of the data protection
officer?

  • To inform and advise the data controller or processor and
    employees who carry out processing of their obligations pursuant to
    the Greek and EU data protection legal framework;

  • To monitor compliance with the GDPR, Law 4624/2019 and other
    data protection provisions, and with the policies/procedures of the
    controller or processor in relation to the protection of personal
    data, including:

    • the assignment of responsibilities;

    • awareness raising and training of staff involved in processing
      operations; and

    • the performance of related audits;


  • To advise on data protection impact assessments (DPIAs) and
    monitor their performance, pursuant to Article 35 of the GDPR;

  • To cooperate with the supervisory authority (the Hellenic Data
    Protection Authority (HDPA));

  • To act as the contact point for the supervisory authority on
    issues relating to processing, including the prior consultation
    referred to in Article 36 of the GDPR, and to consult, where
    appropriate, with regard to any other matter; and

  • To act as a contact point with data subjects.

8.4 Can the role of the data protection officer be outsourced
in your jurisdiction? If so, what requirements, restrictions and
best practices should be considered in this regard?

Yes, the role of the DPO can be outsourced in Greece. There are
no official requirements for the outsourcing of this role.

However, the proper documentation on the appointment and the
signing of a written outsourcing agreement, which will also
regulate data processing issues, are de facto
mandatory.

To ensure the data controller or processor’s compliance with
its obligations to provide the DPO with independence and not to
dismiss or penalise him or her for performing his or her tasks, the
contract period of the external DPO contract cannot be too short.
To this end, it is suggested that the initial term of an external
DPO contract should be a minimum of one or two years; if the
contract is extended, it is suggested that the term of the extended
contract –and all further extensions – be three years
at minimum.

8.5 What record-keeping and documentation requirements apply in
the data privacy context?

Due to the prevalence of the principle of accountability within
the Greek data protection regime, several formal and informal
recordkeeping and documentation requirements are in place. More
specifically, data controllers and processors are often required,
among other things, to:

  • develop and maintain a record of processing activities;

  • document and keep updated versions of DPIAs;

  • document a comprehensive list of the technical and
    organisational measures applicable in the organisation;

  • keep records of data breach notifications to the HDPA and
    communications to the data subjects;

  • maintain internal reports for the handling of potential data
    breaches;

  • develop a system of written data protection
    policies/procedures; and

  • store copies of all data protection notices and consent forms
    used, as well as older versions of such documents which were used
    by the data controller or processor in the past.

8.6 What other requirements, restrictions and best practices
should be considered from a compliance perspective in the data
privacy context?

The DPO should be free of conflicts of interest in the
performance of his or her tasks – especially in light of
other roles or responsibilities that he or she might be performing
on behalf of the data controller or processor. This means, in
particular, that the DPO cannot hold a position within the
organisation that leads him or her to determine the purposes and
the means of the processing of personal data. Due to the specific
organisational structure in each organisation, this must be
considered on a case-by-case basis.

This restriction should be seriously considered by data
controllers and processors, since non-compliance has already led to
the imposition of several fines by European data protection
authorities. For example:

  • the Belgian DPA imposed a €75,000 fine on a bank because
    its appointed DPO was also acting as head of risk management,
    information risk management departments and special investigation
    unit; and

  • Berlin’s data protection authority imposed a €525,000
    fine on the subsidiary of a Berlin-based retail group because the
    appointed DPO was monitoring decisions he had made in his capacity
    as the managing director of two service companies under the same
    group, which processed personal data on behalf of the company for
    which he was a DPO.

In general, the positions that typically conflict with the role
of the DPO include:

  • senior management positions;

  • chief executive officer;

  • chief operating officer;

  • chief financial officer;

  • chief medical officer;

  • heads of departments; and

  • other roles lower down in the organisational structure which
    determine the purposes and means of data processing.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors
to preserve the security of personal data?

Article 32 of the General Data Protection Regulation (GDPR)
obliges data controllers and processors to:

  • implement appropriate technical and organisational measures to
    ensure a level of security appropriate to the risk presented to the
    rights and freedoms of the data subjects by the data processing;
    and

  • protect against the accidental or unlawful destruction, loss or
    alteration of, and unauthorised disclosure of or access to,
    personal data.

The GDPR provides examples of some such measures, such as:

  • the pseudonymisation and encryption of personal data;

  • the ability to ensure the ongoing confidentiality, integrity,
    availability and resilience of processing systems and
    services;

  • the ability to restore the availability of, and access to,
    personal data in a timely manner in the event of a physical or
    technical incident; and

  • a process for regularly testing, assessing and evaluating the
    effectiveness of technical and organisational measures for ensuring
    the security of the processing.

However, this list is not exhaustive and there is no ‘one
size fits all’ approach to compliance with these obligations.
Technical and organisational measures can vary widely and must be
determined on an ad hoc basis, in cooperation with the DPO
and other expert consultants.

Data controllers and processors are also under an obligation to
constantly assess and re-evaluate the effectiveness of the
implemented measures. To comply with these obligations, and with
the principle of accountability, organisations may choose to
implement methods such as recurring audits and awareness trainings,
as well as the drafting of ad hoc legal and technical
opinions on new processing activities.

9.2 Must data breaches be notified to the regulator? If so,
what information must be provided and what is the process for doing
so? If not, under what circumstances is voluntary notification of a
data breach expected?

A data controller must notify the Hellenic Data Protection
Authority (HDPA) of a personal data breach unless the breach is
unlikely to result in a risk to the rights and freedoms of natural
persons; in practice, any non-negligible level of risk triggers the
obligation.

Notification must be provided within 72 hours of the controller
becoming aware of the data breach. Where the notification is made
later than 72 hours, it must be accompanied by the reasons for the
delay; where not all of the required information is available at
once, it may be provided in phases without further undue delay. If a
data processor becomes aware of a breach, it is under a legal
obligation to notify the controller without undue delay.

Notifications to the HDPA must at minimum:

  • describe the nature of the personal data breach, including,
    where possible:

    • the categories and approximate number of data subjects
      concerned; and

    • the categories and approximate number of personal data records
      concerned;


  • communicate the name and contact details of the data protection
    officer (DPO) or other contact point where more information can be
    obtained;

  • describe the likely consequences of the personal data breach;
    and

  • describe the measures taken or proposed to be taken by the data
    controller to address the personal data breach, including, where
    appropriate, measures to mitigate its possible adverse
    effects.

9.3 Must data breaches be notified to the affected data
subjects? If so, what information must be provided and what is the
process for doing so? If not, under what circumstances is voluntary
notification of a data breach expected?

The data controller must communicate, without undue delay, with
the affected data subjects about a data breach if the breach is
likely to result in a high risk to their rights and freedoms.

Such communications aim to provide the data subjects with
knowledge and information that will allow them to reduce the
potential risks and implications that the breach could have on
their rights and freedoms.

Such communications must be drafted in a clear and precise
language and must, at minimum:

  • describe the nature of the personal data breach;

  • communicate the name and contact details of the DPO or other
    contact point where more information can be obtained;

  • describe the likely consequences of the personal data
    breach;

  • describe the measures taken or proposed to be taken by the data
    controller to address the personal data breach, including, where
    appropriate, measures to mitigate its possible adverse effects;
    and

  • describe any additional proposed measures which could be taken
    by the data subjects to further contain the risks created by the
    breach.

Communications to the data subjects are not required if:

  • the data controller has implemented appropriate measures to
    render the affected personal data unintelligible to any person not
    authorised to access it;

  • the data controller has already taken subsequent measures to
    ensure that the high risk of the breach is no longer likely to
    materialise; or

  • it would involve disproportionate effort to issue individual
    communications. In this case, the data controller must instead
    inform the data subjects through a public communication or a
    similar measure of equivalent effectiveness.

9.4 What other requirements, restrictions and best practices
should be considered in the event of a data breach?

  • Providers of publicly available communication services are
    subject to more specific/stricter notification and communication
    obligations under Law 3471/2006.

  • The 72-hour deadline to notify the HDPA begins from the moment
    that the data controller becomes aware of the breach. According to
    WP29’s guidelines on data breaches, the controller becomes
    ‘aware’ of the breach when the controller “has a
    reasonable degree of certainty that a security incident has
    occurred that has led to personal data being
    compromised”.

  • The handling of all security incidents, regardless of whether
    they were personal data breaches or not, must be documented by the
    controller, in compliance with the principle of
    accountability.

  • Data controllers are obliged to have technical and
    organisational measures in place to ensure the timely detection and
    management of data breaches. Thus, it is recommended that internal
    policies and procedures for the identification and management of
    potential data breaches be introduced and that a data breach
    response team – comprised of the DPO and legal, cybersecurity
    and forensic experts – be established.

10 Employment issues

10.1 What requirements and restrictions apply to the personal
data of employees in your jurisdiction?

In general, the Hellenic Data Protection Authority (HDPA) and
the Greek courts take a strict approach to the implementation of
data protection rules in the workplace environment. This is mostly
explained by the increased need for protection of employees’
rights and freedoms in the workspace due to:

  • the power imbalance between employees and employers; and

  • the fact that new technologies allow employers to access
    increasingly invasive tools for the surveillance of employees.

The specific rules applicable to employment relationships are
extensive and cannot be completely covered within this Q&A.
However, the main compliance issues include the following:

  • The legal basis of employee consent should be avoided if
    possible, since it usually cannot be considered to be freely given
    and valid, due to the imbalance of power between employer and
    employee.

  • Under Greek law, the legal basis of the performance of the
    employment contract can only be used for tasks which are absolutely
    necessary for the performance of the contract. Data processing for
    auxiliary tasks which are not a core part of the employment
    contract should be performed under a different legal basis.

  • Special rules on closed-circuit television (CCTV) are in place
    (see also question 10.2).

  • Data loss prevention systems (DLP) may only be used once a data
    protection impact assessment (DPIA) has been carried out to assess
    whether the system involves disproportionate surveillance.

  • Candidate employee data may only be retained for short periods
    (eg, six months under the original legal basis and a further year
    with the consent of the data subject).

10.2 Is the surveillance of employees allowed in your
jurisdiction? What requirements and restrictions apply in this
regard?

The surveillance of employees is, as a rule, prohibited in
Greece. Rules governing the narrow exceptions for specific processing
activities have been introduced through the HDPA’s opinions and
guidance and the case law of the courts. Examples include the
following:

  • CCTV: CCTV systems may only be used in the workplace for the
    purpose of protecting people and property. CCTV surveillance of
    workstations, corridors, eating spaces and toilets is strictly
    prohibited. If an employer believes that there are special
    circumstances justifying a departure from these rules, a strict
    proportionality analysis must be carried out, as part of a DPIA,
    before the CCTV system is used.

  • Access to emails of former employees: Access to emails of
    former employees is allowed only when absolutely necessary for
    reasons of business continuity or for the support and defence of
    the data controller’s legal claims. Even then, a
    proportionality assessment of whether such access is necessary must
    be carried out based on the specific role or position of the
    employees. A strict requirement for the legality of former employee
    email access is the prior notification of the employee about the
    possibility of the abovementioned email access by the employer and
    the reasoning behind it; this notification must take place before
    the employee begins using his or her corporate account.

  • DLP: The use of DLP systems for employee surveillance purposes
    is strictly prohibited.

10.3 What other requirements, restrictions and best practices
should be considered from an employment perspective in the data
privacy context

  • In general, increased transparency is expected from the employer
    in terms of data processing activities at work.

  • Health data must almost exclusively be handled by the
    occupational doctor.

  • Given the sensitive nature of data subjects/employees, the
    employer is often obliged to conduct a DPIA whenever new
    technological or organisational measures and procedures that affect
    employees will be introduced in its day-to-day functioning.
    Examples of such processing purposes/activities may include:

    • remote working;

    • a change in corporate electronic infrastructure used by
      employees; or

    • the implementation of COVID-19-related policies.


  • Greek labour law provides for the notification of, and
    discussion with, employee councils in relation to several
    employment issues which may have data protection implications.

  • Due to the sensitive nature of the relationship, it is
    recommended that employers – and their data protection
    officers – thoroughly document the decision-making process
    behind data protection decisions that affect employees, for
    accountability reasons.

11 Online issues

11.1 What requirements and restrictions apply to the use of
cookies in your jurisdiction?

The use of cookies and similar technologies is allowed,
regardless of whether cookies process personal data, only once the
user has provided his or her explicit consent to their use.

The sole exception to this rule is the use of cookies which are
strictly necessary for the operation of the website and its main
functions. According to the guidance of the Hellenic Data
Protection Authority, the following categories of cookies
constitute ‘strictly necessary’ cookies:

  • security cookies used for the protection of users;

  • cookies used for load balancing;

  • cookies used to recognise and store the user’s choices
    during a specific session and provide a smooth session user
    experience;

  • cookies used for authentication; and

  • cookies which store a user’s interface choices (eg, choice
    of language).

Analytics, advertising and marketing cookies do not constitute
strictly necessary cookies and explicit user consent is required
for their use.

In general, transparent and coherent information about each
cookie must be provided to the user before he or she decides to
accept or decline the use of specific cookies. The user’s
consent must be given by a positive action of the user.
‘Pre-ticked’ consent boxes and UI choices which attempt to
prejudice the user towards accepting the use of all or some cookies
are considered ‘dark patterns’ and non-compliant.
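As an added illustration of the consent gate the rules above imply (example code written for this page, not code from the original article or from the HDPA’s guidance): the cookie names and the category inventory below are constructed for illustration, and the category labels follow the HDPA’s ‘strictly necessary’ list given above. The example shows three things at once: non-essential cookies are never set from the default state, the banner model contains no pre-ticked boxes, and only a positive action by the user grants consent, which can be withdrawn just as easily.

```javascript
// Added example (not from the original article): a minimal cookie consent gate.
// Category names mirror the HDPA 'strictly necessary' list above; the cookie
// inventory itself is constructed for illustration.

const STRICTLY_NECESSARY = new Set([
  "security",        // cookies protecting users (e.g. CSRF tokens)
  "load_balancing",
  "session",         // choices kept for the duration of one session
  "authentication",
  "ui_preferences",  // e.g. chosen language
]);

// Constructed inventory of the cookies a site wants to set and their category.
const COOKIE_INVENTORY = [
  { name: "csrf_token", category: "security" },
  { name: "lb_route", category: "load_balancing" },
  { name: "session_id", category: "authentication" },
  { name: "lang", category: "ui_preferences" },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "advertising" },
];

function isStrictlyNecessary(category) {
  return STRICTLY_NECESSARY.has(category);
}

// Initial consent state: nothing granted, no decision recorded.
// Absence of an entry means "not consented", never "consented by default".
function defaultConsent() {
  return { granted: {}, decidedAt: null };
}

// Banner model: one checkbox per non-necessary category, every box unchecked.
// Strictly necessary categories are not offered as choices because no consent
// is needed for them (the user is still informed about them).
function bannerModel(inventory) {
  const seen = new Set();
  const model = [];
  for (const cookie of inventory) {
    if (isStrictlyNecessary(cookie.category) || seen.has(cookie.category)) continue;
    seen.add(cookie.category);
    model.push({ category: cookie.category, checked: false });
  }
  return model;
}

// Dark-pattern check: a banner that pre-ticks any box is non-compliant.
function hasPreTickedBoxes(model) {
  return model.some((entry) => entry.checked === true);
}

// Record the user's positive action. `choices` maps category -> boolean as
// submitted from the banner; only an explicit `true` grants anything, and
// strictly necessary categories are ignored since they need no consent.
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const [category, value] of Object.entries(choices)) {
    if (isStrictlyNecessary(category)) continue;
    if (value === true) granted[category] = true;
  }
  return { granted, decidedAt: now };
}

// Withdrawal must be as easy as granting: drop one category from the state.
function withdrawConsent(state, category, now = Date.now()) {
  const granted = { ...state.granted };
  delete granted[category];
  return { granted, decidedAt: now };
}

// The gate: which cookies from the inventory may be set under this state.
function allowedCookies(inventory, state) {
  return inventory
    .filter((c) => isStrictlyNecessary(c.category) || state.granted[c.category] === true)
    .map((c) => c.name);
}

// Cookies that must NOT be set (and should be deleted if already present).
function blockedCookies(inventory, state) {
  const allowed = new Set(allowedCookies(inventory, state));
  return inventory.map((c) => c.name).filter((n) => !allowed.has(n));
}
```

In a real deployment the consent state would be persisted (itself in a strictly necessary cookie or in local storage) together with the timestamp, so that the controller can show when and what the user agreed to; `blockedCookies` is what a site should run on every page load to remove anything that slipped in before consent was given.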

11.2 What requirements and restrictions apply to cloud
computing services in your jurisdiction from a data privacy
perspective?

No specific restrictions apply to cloud computing services in
Greece.

However, some basic requirements to use such services include
the following:

  • As most cloud service providers will be functioning as data
    processors on behalf of your organisation (the data controller), it
    is important for a proper data processing agreement, containing at
    minimum the terms mentioned in Article 28 of the General Data
    Protection Regulation, to be in place between the two parties.

  • It is also common for cloud providers to have increased
    negotiation power compared to the data controller. This does not
    release the controller from its obligation to ensure that its
    chosen data processors comply with their data protection
    obligations. To achieve compliance, the controller must always
    attempt to conduct due diligence between competing cloud service
    providers and only choose those that offer appropriate technical
    and contractual guarantees for the protection of personal
    data.

  • Since most cloud service providers are established outside the
    European Union (primarily in the United States) and strict
    restrictions apply to the transfer of data to US-based cloud
    providers (see question 6.2), it is advisable to perform a transfer
    impact assessment before choosing to use a non-EU cloud service
    provider.

  • The use of cloud services which integrate advanced and
    pioneering technologies in combination with large-scale data
    processing or the processing of sensitive or special categories of
    personal data may require the data controller to conduct a data
    protection impact assessment.

11.3 What other requirements, restrictions and best practices
should be considered from a marketing perspective in the online and
networked context?

Additional rules apply to the transmission of marketing messages
through SMS, email and similar communication methods (eg,
over-the-top communications apps such as Viber and WhatsApp). More
specifically, marketing communications cannot be sent to a
user’s email, phone or communication app, unless:

  • the data controller has obtained the user’s prior consent
    to receive such marketing communications; or

  • the recipient’s contact information was obtained legally in
    the context of a previous similar transaction between the sender
    and the recipient (ie, a previous sale of similar
    products/services).

Additionally, all marketing communications must be accompanied
by:

  • information on the identity and contact details of the sender;
    and

  • a mechanism, included with every message, which allows the
    recipient to easily and effectively object to receiving further
    communications from the sender.

12 Disputes

12.1 In which forums are data privacy disputes typically heard
in your jurisdiction?

Most data privacy disputes are typically heard before the
Hellenic Data Protection Authority (HDPA). The second relevant
forum is the civil courts.

12.2 What issues do such disputes typically involve? How are
they typically resolved?

Disputes may involve any data privacy issue. However, in recent
years, there has been a considerable increase in disputes relating
to:

  • the mishandling of personal data of employees;

  • denial or mishandling of data subject rights requests;

  • the processing of data without or with an incorrect legal
    basis; and

  • data breach incidents.

The use of alternative/extra-judicial dispute resolution methods
is not that common in Greece. As a result, most data protection
disputes in Greece are resolved by decision of the HDPA or the
competent courts.

12.3 Have there been any recent cases of note?

Several decisions of note have been issued during the last 12
months. The following examples made headlines in Greece due to the
size of the fines imposed.

Hellenic Data Protection Authority (HDPA) Decision
4/2022:
A €9 million fine was imposed on one of the
biggest telecommunications groups in the Greek market.
Interestingly, the HDPA’s investigation in this case began as a
result of a data breach notification. The HDPA considered the
group’s response to the data breach sufficient. However, the
HDPA decided to investigate further into the internal decisions,
policies and procedures that had led to the data breach and
identified multiple violations of data privacy law which took place
during the telecommunications group’s handling of location and
traffic data from user devices.

The HDPA found violations such as:

  • the lack of a sufficient legal basis for the data
    processing;

  • failure to conduct a data protection impact assessment;

  • failure to provide sufficiently transparent information to data
    subjects; and

  • insufficient anonymisation and technical measures in
    general.

The HDPA considered that the lack of sufficient organisational
and contractual measures to ensure that the data processing roles
within the corporate group were transparent led to uncertainty as
to the extent of each company’s liability for the violations.
As a result, the HDPA imposed fines on both companies for their
respective involvement.

HDPA Decision 35/2022: In a case brought by a
civil society organisation, the HDPA imposed a €20 million
fine on Clearview AI, a US-based company offering face recognition
identification services based on more than 20 billion scraped
pictures from the Internet. In addition to the fine, the HDPA
banned Clearview from collecting and processing personal data in
Greece and ordered it to delete all personal data of Greek data
subjects.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape
and prevailing trends in your jurisdiction? Are any new
developments anticipated in the next 12 months, including any
proposed legislative reforms?

With each passing year, we have noticed both:

  • heightened enforcement action on the part of the Hellenic Data
    Protection Authority (HDPA); and

  • an increase in the number of data protection civil lawsuits
    being filed by individuals, mostly due to growing awareness of
    personal data protection rights within Greek society.

We believe that this trend will continue and an increasing
number of decisions will be issued, by the regulator and the
courts, in 2022 and 2023.

The HDPA has issued several decisions based around the
mishandling of data subject requests. We foresee that this trend
will continue to gain traction and we strongly recommend that data
controllers and processors ensure that proper communication channels
and training for the handling of such requests are in place.

Another key issue is the lack of HDPA decisions on violations
relating to international data transfers. Although this has been
the centre of attention for several data protection authorities
across the European Union, since the Schrems II decision,
the HDPA has de facto given controllers and processors a
grace period on this issue to date. This approach might be
explained by the complexities involved with complying with the
Schrems II ruling. However, we believe that in the next 12
months, the HDPA will change this approach and decisions on
international transfer violations will begin to emerge. Thus, it is
imperative for organisations to ensure that their international
data transfers are compliant.

14 Tips and traps

14.1 What are your top tips for effective data protection in
your jurisdiction and what potential sticking points would you
highlight?

  • Trap: Data controllers that plan to carry out processing
    activities in Greece must be conscious of the fact that the
    Hellenic Data Protection Authority (HDPA) expects them to use only
    one legal basis for each processing purpose. This means that
    – contrary to what may apply in other EU countries – a
    controller may not legally rely on more than one legal basis (eg,
    both performance of a contract and its legitimate interest) for the
    same processing purpose.

  • Tip: Proper response to data subjects’ requests is
    currently one of the most active enforcement areas for the HDPA.
    Data controllers must ensure that proper communication channels and
    employee training are in place to ensure proper management of data
    subjects’ requests. Timely response to such requests (ie,
    within one month of receipt, extendable by two further months for
    complex or numerous requests provided that the data subject is
    informed of the extension within the first month) also falls
    within the definition of ‘proper management’.

  • Tip: Controllers must be especially careful when using the
    legal basis of consent or legitimate interest in situations where
    there is an imbalance of power between them and the data subject
    (eg, employment relationships, public authorities interacting with
    citizens or even companies with significant market power when
    interacting with their users). In most such situations, consent
    will not be considered to be freely given and the use of legitimate
    interest may not be proportionate; a legitimate interest assessment
    (LIA) may thus need to be carried out.

  • Tip: Accountability, accountability, accountability! Make sure
    that all your assessments (eg, data protection impact assessments,
    LIAs, transfer impact assessments), policies, audits,
    investigations and the reasoning behind tough privacy decisions are
    fully documented and available to you. By following this approach,
    you can both:

    • ensure the continuity of your privacy/data protection
      programme, regardless of who is currently running it; and

    • be in a position to constantly prove your compliance with the
      relevant legislation to the competent authorities.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
