Introduction to Greek Law 4624/2019
Greek Law 4624/2019 is a landmark piece of legislation designed to implement and supplement the General Data Protection Regulation (GDPR) in Greece. Passed in August 2019, this law governs the processing of personal data and provides additional clarifications tailored to the national context. By aligning Greece’s legal framework with the GDPR, Law 4624/2019 emphasizes the protection of individual privacy, the rights of data subjects, and the obligations of organizations handling personal data.
The law also reaffirms the role of the Hellenic Data Protection Authority (HDPA) as the supervisory authority overseeing compliance.
Key Objectives of Greek Law 4624/2019
Greek Law 4624/2019 aims to:
- Harmonize national law with GDPR: The law fills gaps in the GDPR to address specific Greek cultural, economic, and administrative considerations.
- Regulate the public sector: It includes detailed provisions governing the processing of data by public authorities, reflecting Greece’s administrative structure.
- Enhance personal data protection in Greece: The law strengthens the mechanisms for enforcing data subject rights, particularly in cases of sensitive personal data.
- Provide specific exemptions: Greek Law 4624/2019 specifies circumstances where data processing obligations may differ, such as for journalistic purposes or scientific research.
Who Does the Greek Law 4624/2019 Apply To?
Greek Law 4624/2019 applies broadly to:
- Public authorities and bodies: Specific provisions guide how public institutions process personal data in compliance with the GDPR.
- Private sector organizations: Any company, nonprofit, or entity processing the personal data of individuals in Greece must comply.
- Data subjects in Greece: Individuals whose data is processed, regardless of whether the processing occurs within Greece or by entities outside the EU targeting Greek residents.
Exemptions apply in limited scenarios, such as data processing purely for personal or household activities.
Core Provisions of Greek Law 4624/2019
Greek Law 4624/2019 contains several critical provisions:
- Data Processing by Public Authorities
The law details how public bodies must process data while balancing transparency and the confidentiality required in specific administrative functions. Notably, public authorities cannot rely on consent as a legal basis for processing personal data.
- Processing of Special Categories of Data
Greek Law 4624/2019 permits processing sensitive personal data under stricter conditions, such as when necessary for public health, employment law compliance, or legal claims.
- Children’s Data Protection
The law establishes an age threshold of 15 for valid consent to data processing, deviating slightly from GDPR recommendations.
- Hellenic Data Protection Authority (HDPA)
The HDPA retains its pivotal role in monitoring compliance, investigating complaints, and issuing penalties. Greek Law 4624/2019 enhances the HDPA’s authority, ensuring it operates independently to safeguard personal data rights.
- Scientific and Journalistic Exemptions
To balance privacy and freedom of expression, the law permits exceptions in journalistic, artistic, literary, and scientific research contexts.
How Does Greek Law 4624/2019 Relate to GDPR?
While the GDPR provides a robust EU-wide framework, Greek Law 4624/2019 tailors these regulations to Greece’s unique context. Key alignments and distinctions include:
- Alignment with GDPR Principles: The law adopts GDPR’s core principles, such as lawfulness, fairness, transparency, and accountability in data processing.
- National Adjustments: It incorporates additional protections for sensitive data categories and provides guidance for public-sector processing.
- Enhanced Enforcement Powers: The HDPA’s authority under Greek Law 4624/2019 is expanded to enforce GDPR more effectively within Greece.
Despite these distinctions, entities operating in Greece must adhere to both GDPR and Greek-specific provisions, creating a dual compliance obligation.
The Role of the Hellenic Data Protection Authority (HDPA)
The Hellenic Data Protection Authority (HDPA) is the primary regulator overseeing the enforcement of data protection laws in Greece. Established as an independent public authority, the HDPA ensures compliance with GDPR and Greek Law 4624/2019. It handles complaints, conducts audits, and imposes penalties for violations. Beyond enforcement, the HDPA provides guidelines and advice on best practices for data controllers and processors.
The HDPA has been particularly active in addressing privacy issues related to emerging technologies, making Greece a key player in European data protection discussions.
Complementary Legislation: Sector-Specific Provisions
In addition to Law 4624/2019, Greece has enacted several laws addressing data protection in specific contexts:
- Law 5002/2022: Governs communication confidentiality and cybersecurity, enhancing safeguards for citizen data.
- Law 4961/2022: Focuses on emerging ICT technologies and strengthens digital governance.
- Law 4577/2018: Implements the EU NIS Directive, mandating security measures for critical infrastructure sectors like energy, transport, and healthcare.
These sector-specific laws align with GDPR principles while addressing unique privacy challenges in their respective domains.
Individual Rights Under Greek Data Protection Laws
Greek data protection laws, aligned with GDPR, provide robust rights to individuals (data subjects), including:
- Right to Access: Individuals can request access to their personal data and obtain information on how it is processed.
- Right to Rectification: Corrections can be requested for inaccurate or incomplete data.
- Right to Erasure (“Right to Be Forgotten”): Individuals may request deletion of their personal data under certain conditions, such as when the data is no longer necessary.
- Right to Data Portability: Individuals can receive their data in a structured, commonly used format and transfer it to another controller.
- Right to Object: Individuals can object to data processing based on legitimate interests or for direct marketing purposes.
The HDPA ensures these rights are respected, with specific penalties for violations.
Data Protection Officer (DPO) Requirements in Greece
Businesses and public authorities that process significant amounts of personal data must appoint a Data Protection Officer (DPO). The DPO’s role includes monitoring compliance with GDPR and Greek data protection laws, conducting data protection impact assessments, and acting as a point of contact for the HDPA.
The requirement applies to organizations engaged in:
- Regular and systematic monitoring of individuals on a large scale.
- Processing of sensitive data categories, such as health or biometric data.
Failure to appoint a DPO, when required, can result in fines and reputational damage.
What Are the Penalties for Violating Greek Law 4624/2019?
Non-compliance with Greek Law 4624/2019 can lead to severe penalties, including:
- Administrative Fines: The HDPA can impose fines aligned with GDPR’s structure, reaching up to €20 million or 4% of a company’s global annual revenue, whichever is higher.
- Legal Consequences: Individuals and organizations may face lawsuits or criminal penalties in cases of egregious violations, such as data breaches due to negligence.
- Reputational Damage: Beyond financial penalties, organizations risk significant reputational harm, impacting customer trust and business operations.
Final Thoughts
Greek Law 4624/2019 solidifies Greece’s commitment to protecting personal data in line with GDPR. With its nuanced provisions tailored to national needs, the law underscores the importance of compliance for both public and private sector entities. As the digital landscape evolves, staying informed about legal obligations and fostering a culture of privacy will be crucial for maintaining trust and minimizing risks in Greece’s dynamic regulatory environment.