Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


I. Legal framework

Comprehensive law

The Law on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act) was approved by the Parliament in April 1997.1 Greece was the last member of the European Union (EU) to adopt a data protection law and its law was written to directly transpose the EU Data Protection Directive (1995/46/EC) into the Greek legal system. The Act's passage was also required for Greece to join the Schengen Agreement. Greece has incorporated into its national law all of the EU data protection directives in the telecommunications sector with the exception of the 2006 Data Retention Directive.2

The first major amendment to the Data Protection Act of 1997 came in 2006.3 The amendment refined the term "personal data" and adds provisions concerning the transfer of data to third countries.4

A second significant amendment came in 2007 as a consequence of a dispute that took place between the Data Protection Authority and the Police Authority that planned to use CCTV cameras (originally installed to monitor traffic during the Athens Olympics) to monitor public gatherings such as protests. In October 2007, the Supreme Court ruled in favour of the police authority's plan.5 Thus, later, Law No. 3625/2007 amending the Data Protection Act was passed with the aim of excluding CCTV cameras from the scope of the Act.6 In practice, the 2007 amendment was far more substantial, as it practically excluded from the Data Protection Act's scope all crime-related personal data processing. The amendment, although inspired by the need to use already installed CCTV cameras for purposes other than traffic control (i.e., during public protests), eventually placed outside the data protection provisions all processing of personal data undertaken by (public) crime prosecution authorities when performed in the process of prosecuting a wide list of crimes (for instance, against human life or property, drug-related crimes, crimes against the public order, crimes against minors etc.).

Sector-based laws

Some specific provisions regarding processing of personal data are contained in sector-based legislation such as, for example, the Penal Law.7

Data protection authority

Implemented to ensure basic privacy protection, the Data Protection Act established the Hellenic Data Protection Authority (HDPA),8 The HDPA was established in November 1997 as an independent authority to monitor privacy violations in Greece. It was created to supervise the implementation of the Data Protection Act and all regulations referring to the protection of personal data.9 It also exercises other powers delegated to it from time to time.

The HDPA is composed of a president, assisted by a secretariat that operates at the directorate level. The president is a judge of a rank corresponding at least to that of a Conseiller d’État.10 The secretariat consists of three departments: a) auditors' department, b) communications department, c) department of administration and budgetary affairs. Each of these departments has a supervisor. All departments are supervised by the director.11

The HDPA enforces the Act. The Authority may impose both administrative and penal sanctions on controllers or their representatives. Administrative sanctions range from a warning with an order requiring the violation to cease within a specified time limit to requiring the destruction of the file or a ban on further processing and require the destruction of the relevant data.12 The penal sanctions include: punishment by imprisonment for up to three years and a fine of €1,000 to €150,000.13

The HDPA is responsible for archival audits, issuing regulatory acts arising from legislation on data protection, and providing information and recommendations to interested parties to ensure compliance with the data protection regulations. Its mandate includes issuing directives to enhance uniformity in implementation and to protect personal data vis-Ã -vis technological developments; assisting controllers in drafting codes of conduct; examining complaints; reporting violations; and issuing decisions related to the right to access information. The HDPA grants permits for the collection and processing of sensitive personal data and is accountable for the interconnection of files, including sensitive data, and the trans-border flow of personal data. The HDPA's communications office is in charge of all public relations and communication with private and public services and institutions, the media, foreign data protection authorities, European Union authorities, and international organisations and institutions.14

The HDPA has issued directives relating to direct marketing, CCTV, DNA testing, and workplace surveillance. The HDPA has also issued guidelines covering data protection in the workplace, in particular surveillance of phone calls and emails.15

In 2004, the year of the Athens Olympic Games, privacy issues handled by the HDPA mostly related to the Games' security. All together,16 the Greek Data Protection Authority received 626 complaints, 682 questions regarding data protection matters, and 663 registrations for Robinson's List (the list of persons who do not wish data relating to them to be submitted for processing for the promotion of sales and long distance services), conducted 36 controls to files, and issued 66 decisions and three opinions.17 The majority of the complaints are examined by the Auditors Department. Some are also examined by the internal HDPA Board,18 which issues a decision or answer and notifies the interested parties.19

In 2005, the HDPA refused to give permission to the Minster of National Defence to publish the names of the persons who were illegally disqualified from military service. The Minister wanted to publish the names as a public example in order to avoid similar situations in the future. The HDPA concluded that the purpose could be more appropriately served by publishing statistics on the number of cases that were examined and sanctioned.20 An appeal by the Minister of National Defence to the Supreme Administrative Court (Simvoulio tes Epikrateas) against the HDPA was rejected.

In 2006, the Hellenic Data Protection Authority paid particular attention to the credit reporting sector. The HDPA issued several decisions reiterating the basic data protection principle of keeping personal data for only as long as needed for the purposes for which they were collected.21 The Authority also issued an order prohibiting the posting of tenants' debts for operational costs in their blocks of flats.22 Schengen-related issues were also popular with the HDPA.23

In 2007, DPA's members collectively resigned after a heated dispute with the police, the Attorney General of the Supreme Court, and the Ministry of Justice regarding the application of the Data Protection Act to personal information gathering by CCTV cameras.24 The HDPA issued a statement "charging that the police 'flagrantly violated' the data protection regulations, which require the cameras to be used only for monitoring traffic and not people."25 New HDPA members, including a new director, were elected in early 2008.

In 2008, the HDPA fined an insurance company €60.000 for illegally accessing the personal records of a gay man and deciding against providing him with life insurance. The HDPA considered this to be a breach of the person's privacy.26 It also fined Microsoft for not following the lawful procedure in establishing a database of copyright infringers of its software packages. Probably the HDPA's most notable decision was issued in March 2008, allowing crime prevention authorities (this time, the port police) to acquire phone records from telecommunications operators while carrying out their investigations without notifying the individuals concerned.27

In 2009, in its Opinion 3/2009, the HDPA attempted to address the issue of the conditions under which copies of public documents containing personal information may be disclosed if so ordered by the public attorney. In practice, this decision takes one of the following forms. Either: state authorities deny access to public documents to individuals on the grounds that the requested documents include personal information about third parties and the applicants then request the intervention of the public attorney. This path leads to uncertainty on the part of those same state authorities about how to respond. Or:  state authorities do grant access to public documents including personal information of third parties to those lawfully requesting them, but the third parties affected then refer the matter to the HDPA because their right to data protection has been infringed. In its legal opinion the HDPA acknowledged the binding effect of orders issued by the public attorney; however, it requested that state authorities, when in doubt, should consult the HDPA before granting applicants any access to any personal information, especially if sensitive personal data have been divulged in any way.

Major privacy and data protection case law

The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.