News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | GDPR incorporated into Greek law Related reading: Reducing risks and valuing compliance with the European Data Protection Seal under the GDPR 

rss_feed

""

On Aug. 27, the Greek Parliament passed national legislation supplementing the EU General Data Protection Regulation. The long-awaited bill was enacted nearly 15 months after the GDPR went into force and after the European Commission's referral of Greece to the Court of Justice of the European Union for failing to transpose the Law Enforcement Directive before May 6, 2018. Under Law 4624/2019, the Greek Supervisory Authority has been reestablished, provisions of the GDPR are supplemented by additional measures and provisions of Directive (EU) 2016/680 have been transposed into Greek law. The law repeals prior Law 2472/1997 excluding certain provisions regarding the public disclosure of a suspect’s data by law enforcement authorities in case of specific offenses, the use of closed-circuit TV material from public gatherings and the opt-out register for commercial communications by mail.

Structure

Utilizing the “opening clauses” of the GDPR provided to member states, the new law supplements the GDPR in three significant ways. First, it supplements the GDPR on general issues that are left to the discretion of member states. Second, it regulates special cases of processing, which are considered important for the national legislator. Third, the law imposes restrictions on the rights of data subjects when necessary and proportionate for purposes of public interest. Specifically, Section Α of the law stipulates its objective and scope, the definitions of public and private entities, and the role of the data protection officer in public bodies. Section B includes provisions regarding the organization and operation of the Hellenic Data Protection Authority. In Section C, supplemental measures for the application of the GDPR are implemented, whereas Section D incorporates the LED Directive into Greek law.

Main provisions and highlights

The main provisions of the law concern the following regulatory issues:

  • Greek authority: The HDPA is established as the supervisory authority of the GDPR in Greece.
  • Age of consent: If a minor is 15 years old and provides consent, their data in relation to information society services can be lawfully processed. If a minor is under the age of 15, the consent of parent or guardian is required.
  • Special categories of data: Apart from the legal basis of Article 9 of the GDPR, processing special categories of data by public and private entities is permitted without the consent of the data subject, when it is mandatory for health care, social care, Social Security and assessment of the individual’s ability to work and on the condition measures to safeguard data subject interests are taken. Processing special categories of data by public entities for further purposes is permitted, in cases of public interest, the necessity of preventing a significant threat for public safety and the necessity to take humanitarian measures. Nevertheless, processing genetic data for health and life insurance is expressly prohibited.
  • Processing for further purposes: The processing of personal data by public entities for purposes other than those for which they have been collected is permitted in cases in which it is necessary for the prosecution of offenses, public safety reasons and prevention of harm of another person. Similarly, the processing by private entities is permitted in cases in which they are subject to national security issues or for the foundation, exercise or support of their legal claims. Such processing by private entities is permitted in order to prevent threats against national security or public health after a public entity’s request for either the prosecution of criminal offenses or the establishment, exercise or defense of legal claims, unless the interest of the data subject to his/her data not to be processed is outweighed.

Limitations on the rights of data subjects

The law provides for exceptions from the obligation to inform data subjects when such information would jeopardize the proper performance of the controller’s duties, public security or the establishment or exercise or defense of legal claims.  The exercise of the right of access is also restricted when there is not any obligation to inform the data subject or when their data has been recorded and cannot be deleted due to regulatory provisions about their obligation to retain or control them, such as when their information is stored on tax documents, fingerprints, passports, etc. The right to erasure of personal data does not apply in cases of non-automated processing, when erasure is impossible due to the special nature of their storage or requires a disproportionate effort and where it is contrary to conventional or legal retention periods. In certain cases of automated processing, the right to erasure may also be lawfully replaced by restrictions to processing of the relevant data. Finally, the right to object before public entities may not be applicable if processing is required for the public interest, when the latter prevails over the interests of the data subject.

Special cases of processing

The law stipulates specific provisions about the cases of processing related to the freedom of expression and information, the context of employment, and archiving purposes in the public interest, as well as scientific purposes and purposes of historical research or purposes related to the collection or retention of statistics. In the particular issue of employment, the law delimits the lawful purposes of processing to only those which are necessary for the recruitment, the performance and execution of the employment contract. If the processing is based on the legal grounds of the employee’s consent, the validity of consent is evaluated according to the circumstances of the specific employment contract and the conditions of consent pursuant to Article 7 of the GDPR. The processing of personal data is also permitted on the basis of collective labor agreements. Finally, the surveillance through CCTV systems in the workplace is only permitted when it is necessary for the protection of persons and goods and when written or electronic notice is provided to employees.

Penalties and judicial remedies

The law leaves the provisions of the GDPR regarding administrative sanctions unchanged for private entities. Fines to public entities are, however, capped by the law up to 10,000,000 euros depending on the severity and duration of the breach.

Under the law, anyone who interferes with a system of archiving personal data, deletes it, copies it and generally uses it illegally is punished with one-year imprisonment. Regarding special categories of data, imprisonment of at least one year and a fine up to 100,000 euros will be imposed. On the contrary, if the offender intends to unlawfully gain economic benefit for either themselves or others or to cause property damage and the total benefit thereof exceeds 120,000 euros, they can be punished with imprisonment reaching up to 10 years. These offenses are prosecuted proprio motu.

Judicial remedies filed by data subjects shall be filed before the court of the registered seat of the controller/processor or its representative, if any or in the court in the district the data subject resides. Lack of relevant provisions in the law makes representation by collective associations in judicial remedies against data controllers/processors more difficult.

Photo by Matt Artz on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Author
Headshot Antonios Broumas, CIPP/E IAPP Member Contributor
Tags
Government
Europe
Enforcement
Privacy Law
Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Tags
Government
Europe
Enforcement
Privacy Law
Recent Comments