I. Legal framework
The Law on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act) was approved by the Parliament in April 1997.1 Greece was the last member of the European Union (EU) to adopt a data protection law and its law was written to directly transpose the EU Data Protection Directive (1995/46/EC) into the Greek legal system. The Act's passage was also required for Greece to join the Schengen Agreement. Greece has incorporated into its national law all of the EU data protection directives in the telecommunications sector with the exception of the 2006 Data Retention Directive.2
A second significant amendment came in 2007 as a consequence of a dispute that took place between the Data Protection Authority and the Police Authority that planned to use CCTV cameras (originally installed to monitor traffic during the Athens Olympics) to monitor public gatherings such as protests. In October 2007, the Supreme Court ruled in favour of the police authority's plan.5 Thus, later, Law No. 3625/2007 amending the Data Protection Act was passed with the aim of excluding CCTV cameras from the scope of the Act.6 In practice, the 2007 amendment was far more substantial, as it practically excluded from the Data Protection Act's scope all crime-related personal data processing. The amendment, although inspired by the need to use already installed CCTV cameras for purposes other than traffic control (i.e., during public protests), eventually placed outside the data protection provisions all processing of personal data undertaken by (public) crime prosecution authorities when performed in the process of prosecuting a wide list of crimes (for instance, against human life or property, drug-related crimes, crimes against the public order, crimes against minors etc.).
Some specific provisions regarding processing of personal data are contained in sector-based legislation such as, for example, the Penal Law.7
Data protection authority
Implemented to ensure basic privacy protection, the Data Protection Act established the Hellenic Data Protection Authority (HDPA).8 The HDPA was established in November 1997 as an independent authority to monitor privacy violations in Greece. It was created to supervise the implementation of the Data Protection Act and all regulations referring to the protection of personal data.9 It also exercises other powers delegated to it from time to time.
The HDPA is composed of a president, assisted by a secretariat that operates at the directorate level. The president is a judge of a rank corresponding at least to that of a Conseiller d'État.10 The secretariat consists of three departments: a) auditors' department, b) communications department, c) department of administration and budgetary affairs. Each of these departments has a supervisor. All departments are supervised by the director.11
The HDPA enforces the Act. The Authority may impose both administrative and penal sanctions on controllers or their representatives. Administrative sanctions range from a warning with an order requiring the violation to cease within a specified time limit to an order requiring the destruction of the file, or a ban on further processing and the destruction of the relevant data.12 The penal sanctions include punishment by imprisonment for up to three years and a fine of €1,000 to €150,000.13
The HDPA is responsible for archival audits, issuing regulatory acts arising from legislation on data protection, and providing information and recommendations to interested parties to ensure compliance with the data protection regulations. Its mandate includes issuing directives to enhance uniformity in implementation and to protect personal data vis-à-vis technological developments; assisting controllers in drafting codes of conduct; examining complaints; reporting violations; and issuing decisions related to the right to access information. The HDPA grants permits for the collection and processing of sensitive personal data and is accountable for the interconnection of files, including sensitive data, and the trans-border flow of personal data. The HDPA's communications office is in charge of all public relations and communication with private and public services and institutions, the media, foreign data protection authorities, European Union authorities, and international organisations and institutions.14
The HDPA has issued directives relating to direct marketing, CCTV, DNA testing, and workplace surveillance. The HDPA has also issued guidelines covering data protection in the workplace, in particular surveillance of phone calls and emails.15
In 2004, the year of the Athens Olympic Games, privacy issues handled by the HDPA mostly related to the Games' security. Altogether,16 the Greek Data Protection Authority received 626 complaints, 682 questions regarding data protection matters, and 663 registrations for Robinson's List (the list of persons who do not wish data relating to them to be submitted for processing for the promotion of sales and long distance services), conducted 36 controls of files, and issued 66 decisions and three opinions.17 The majority of the complaints are examined by the Auditors Department. Some are also examined by the internal HDPA Board,18 which issues a decision or answer and notifies the interested parties.19
In 2005, the HDPA refused to give permission to the Minister of National Defence to publish the names of the persons who were illegally disqualified from military service. The Minister wanted to publish the names as a public example in order to avoid similar situations in the future. The HDPA concluded that the purpose could be more appropriately served by publishing statistics on the number of cases that were examined and sanctioned.20 An appeal by the Minister of National Defence to the Supreme Administrative Court (Simvoulio tes Epikrateas) against the HDPA was rejected.
In 2006, the Hellenic Data Protection Authority paid particular attention to the credit reporting sector. The HDPA issued several decisions reiterating the basic data protection principle of keeping personal data for only as long as needed for the purposes for which they were collected.21 The Authority also issued an order prohibiting the posting of tenants' debts for operational costs in their blocks of flats.22 Schengen-related issues were also popular with the HDPA.23
In 2007, the HDPA's members collectively resigned after a heated dispute with the police, the Attorney General of the Supreme Court, and the Ministry of Justice regarding the application of the Data Protection Act to personal information gathering by CCTV cameras.24 The HDPA issued a statement "charging that the police 'flagrantly violated' the data protection regulations, which require the cameras to be used only for monitoring traffic and not people."25 New HDPA members, including a new director, were elected in early 2008.
In 2008, the HDPA fined an insurance company €60.000 for illegally accessing the personal records of a gay man and deciding against providing him with life insurance. The HDPA considered this to be a breach of the person's privacy.26 It also fined Microsoft for not following the lawful procedure in establishing a database of copyright infringers of its software packages. Probably the HDPA's most notable decision was issued in March 2008, allowing crime prevention authorities (this time, the port police) to acquire phone records from telecommunications operators while carrying out their investigations without notifying the individuals concerned.27
In 2009, in its Opinion 3/2009, the HDPA attempted to address the issue of the conditions under which copies of public documents containing personal information may be disclosed if so ordered by the public attorney. In practice, this decision takes one of the following forms. Either: state authorities deny access to public documents to individuals on the grounds that the requested documents include personal information about third parties and the applicants then request the intervention of the public attorney. This path leads to uncertainty on the part of those same state authorities about how to respond. Or: state authorities do grant access to public documents including personal information of third parties to those lawfully requesting them, but the third parties affected then refer the matter to the HDPA because their right to data protection has been infringed. In its legal opinion the HDPA acknowledged the binding effect of orders issued by the public attorney; however, it requested that state authorities, when in doubt, should consult the HDPA before granting applicants any access to any personal information, especially if sensitive personal data have been divulged in any way.
Major privacy and data protection case law
The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.
- 1. Law No. 2472 on the Protection of Individuals with regard to the Processing of Personal Data, available at http://www.dpa.gr/portal/page?_pageid=33,43560&_dad=portal&_schema=PORTAL.
- 2. Directive 1997/66/EC was transposed into national law through Law No. 2774/1999, which was later replaced by Law No. 3471/2006, whose first part transposed Directive 2002/58/EC into the national legal order. The transposition of Directive 2006/24/EC on data retention is still pending. See infra in this report.
- 3. Law No. 3471/2006 on the Protection of Personal Data and Privacy in Electronic Communications Sector and Amendment of Law 2472/1997, 28 June 2006, available at http://www.dpa.gr/portal/page?_pageid=33,43560&_dad=portal&_schema=PORTAL.
- 4. Id.
- 5. Christine Pirovolakis, "Greek Privacy Chief Resigns in Protest Over Camera Monitoring of Demonstrators," BNA. Privacy Law & Security, Volume 6, Number 47, 3 December 2007, available at http://www.bna.com.
- 6. Law No. 3625/2007.
- 7. See infra the text and footnotes.
- 8. Data Protection Act, supra.
- 9. Homepage at http://www.dpa.gr/home_eng.htm.
- 10. Data Protection Act, Chapter D, Article 16 (Composition of the Authority). See generally http://www.dpa.gr/portal/page?_pageid=33,43430&_dad=portal&_schema=PORTAL.
- 11. Email from Amalia Logiaki, Hellenic Data Protection Authority, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center, 31 May 2005 (on file with EPIC). For detailed information on Departments staff, see http://www.dpa.gr/portal/page?_pageid=33,43456&_dad=portal&_schema=PORTAL.
- 12. Data Protection Act, Chapter E, Sanctions, Article 21. Other administrative sanctions include a fine and a temporary or definitive revocation of the permits that the HDPA grants to data controllers (sensitive data processing permit and interconnection permit).
- 13. Id., Article 22.
- 14. See http://www.dpa.gr/portal/page?_pageid=33,43482&_dad=portal&_schema=PORTAL.
- 15. Article 29 Data Protection Working Party, Fifth Annual Report for the year 2000, Part II, 6 March 2002, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 16. Compared to 2001 and 2002, the total number of complaints submitted to the HDPA for the year 2003 decreased to reach 228. 23 were against banks, 129 for access to files, 16 against creditworthiness ascertainment companies, 22 against telecommunications companies, 15 against hospitals, ten against CCTV, 11 against marketing companies and two against Schengen Information System.
- 17. Email from Amalia Logiaki, supra.
- 18. See http://www.dpa.gr/portal/page?_pageid=33,43430&_dad=portal&_schema=PORTAL.
- 19. Email from Amalia Logiaki, supra.
- 20. Article 29 Data Protection Working Party, 9th Annual Report for the year 2005, 14 June 2006 at 48, available at http://ec.europa.eu/justice/policies/privacy/workinggroup/annual_reports....
- 21. HDPA, Decisions 12 to 18/2006 on data controllers who did not delete personal information according to the Data Protection Act, available in Greek at http://www.dpa.gr/decs.htm.
- 22. Decision 35/2006, available in Greek at http://www.dpa.gr/decs.htm.
- 23. Decisions 19, 20, 46, 51/2006, available in Greek at http://www.dpa.gr/decs.htm.
- 24. See supra and infra in the text.
- 25. Christine Pirovolakis, supra.
- 26. "Insurance Firm Fined for Using Records to Deny Coverage to Gay Man", Kathimerini, 15 March 2008, available at http://www.ekathimerini.com/4dcgi/_w_articles_politics_100028_15/03/2008....
- 27. Decision No. 19/2008, available in Greek at http://www.dpa.gr/decs.htm.