On Aug. 27, the Greek Parliament passed national legislation supplementing the EU General Data Protection Regulation. The long-awaited bill was enacted nearly 15 months after the GDPR went into force and after the European Commission's referral of Greece to the Court of Justice of the European Union for failing to transpose the Law Enforcement Directive before May 6, 2018. Under Law 4624/2019, the Greek Supervisory Authority has been reestablished, provisions of the GDPR are supplemented by additional measures, and provisions of Directive (EU) 2016/680 have been transposed into Greek law. The law repeals the prior Law 2472/1997, except for certain provisions regarding the public disclosure of a suspect’s data by law enforcement authorities in the case of specific offenses, the use of closed-circuit TV material from public gatherings, and the opt-out register for commercial communications by mail.

Structure

Utilizing the “opening clauses” of the GDPR provided to member states, the new law supplements the GDPR in three significant ways. First, it supplements the GDPR on general issues that are left to the discretion of member states. Second, it regulates special cases of processing that the national legislator considers important. Third, the law imposes restrictions on the rights of data subjects when necessary and proportionate for purposes of public interest. Specifically, Section A of the law stipulates its objective and scope, the definitions of public and private entities, and the role of the data protection officer in public bodies. Section B includes provisions regarding the organization and operation of the Hellenic Data Protection Authority. In Section C, supplemental measures for the application of the GDPR are implemented, whereas Section D incorporates the Law Enforcement Directive (LED) into Greek law.

Main provisions and highlights

The main provisions of the law concern the following regulatory issues:

  • Greek authority: The HDPA is established as the supervisory authority of the GDPR in Greece.
  • Age of consent: If a minor is 15 years old or older and provides consent, their data in relation to information society services can be lawfully processed. If a minor is under the age of 15, the consent of a parent or guardian is required.
  • Special categories of data: Apart from the legal bases of Article 9 of the GDPR, processing special categories of data by public and private entities is permitted without the consent of the data subject when it is mandatory for health care, social care, social security and assessment of the individual’s ability to work, on the condition that measures to safeguard the data subject’s interests are taken. Processing special categories of data by public entities for further purposes is permitted in cases of public interest, where necessary to prevent a significant threat to public safety, and where necessary to take humanitarian measures. Nevertheless, processing genetic data for health and life insurance is expressly prohibited.
  • Processing for further purposes: The processing of personal data by public entities for purposes other than those for which the data was collected is permitted where necessary for the prosecution of offenses, for public safety reasons, and for the prevention of harm to another person. Similarly, processing by private entities for further purposes is permitted where national security issues are involved or for the establishment, exercise or support of their legal claims. Such processing by private entities is permitted in order to prevent threats against national security or public health following a public entity’s request, for the prosecution of criminal offenses, or for the establishment, exercise or defense of legal claims, unless the data subject’s interest in the data not being processed prevails.

Limitations on the rights of data subjects

The law provides for exceptions from the obligation to inform data subjects when such information would jeopardize the proper performance of the controller’s duties, public security, or the establishment, exercise or defense of legal claims. The exercise of the right of access is also restricted when there is no obligation to inform the data subject, or when their data has been recorded and cannot be deleted because regulatory provisions oblige the controller to retain or control it, such as when the information is stored on tax documents, fingerprints, passports, etc. The right to erasure of personal data does not apply in cases of non-automated processing when erasure is impossible due to the special nature of the storage or would require a disproportionate effort, and where erasure would be contrary to contractual or statutory retention periods. In certain cases of automated processing, the right to erasure may also be lawfully replaced by a restriction of processing of the relevant data. Finally, the right to object before public entities may not apply if processing is required in the public interest and the latter prevails over the interests of the data subject.

Special cases of processing

The law stipulates specific provisions for cases of processing related to the freedom of expression and information, the context of employment, archiving purposes in the public interest, scientific purposes, historical research, and the collection or retention of statistics. On the particular issue of employment, the law limits the lawful purposes of processing to those necessary for recruitment and for the performance and execution of the employment contract. If the processing is based on the employee’s consent, the validity of that consent is evaluated according to the circumstances of the specific employment contract and the conditions for consent under Article 7 of the GDPR. The processing of personal data is also permitted on the basis of collective labor agreements. Finally, surveillance through CCTV systems in the workplace is permitted only when it is necessary for the protection of persons and goods and when written or electronic notice is provided to employees.

Penalties and judicial remedies

The law leaves the provisions of the GDPR regarding administrative sanctions unchanged for private entities. Fines on public entities are, however, capped at 10,000,000 euros, depending on the severity and duration of the breach.

Under the law, anyone who interferes with a personal data filing system, or deletes, copies or otherwise unlawfully uses personal data, is punished with one-year imprisonment. Where special categories of data are concerned, imprisonment of at least one year and a fine of up to 100,000 euros will be imposed. Furthermore, if the offender intends to unlawfully gain an economic benefit for themselves or others, or to cause property damage, and the total benefit exceeds 120,000 euros, they can be punished with imprisonment of up to 10 years. These offenses are prosecuted proprio motu.

Judicial remedies sought by data subjects shall be filed before the court of the registered seat of the controller/processor or its representative, if any, or before the court of the district in which the data subject resides. The lack of relevant provisions in the law makes representation by collective associations in judicial remedies against data controllers/processors more difficult.