We briefly present the main provisions of Greek law 4624/2019, which harmonizes Greek legislation with the provisions of the GDPR and incorporates Directive 2016/680 on the processing of personal data by public authorities with respect to criminal offences.
In this edition
- Main provisions for the harmonization of Greek legislation with GDPR
- Incorporation of Directive 2016/680/EU
- CPA Law Comments
Newly enacted Greek law 4624/2019 (Government Gazette Bulletin A137/29.8.2019) introduces measures for the harmonization of Greek data protection legislation with Regulation 2016/679 (GDPR), on the basis of the flexibility the GDPR grants to member states. The new law also replaces the Greek legal framework regulating the composition and operation of the Hellenic Data Protection Authority.
Furthermore, the new law incorporates Directive 2016/680/EU on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
Main provisions for the harmonization of Greek legislation with the GDPR
The new law:
- sets out the scope of application of the enacted provisions;
- introduces definitions of the terms "public body" and "private body";
- regulates the appointment of a Data Protection Officer for public bodies;
- provides more specific conditions for the participation of minors in the information society;
- expressly prohibits the processing of genetic data for insurance and health purposes;
- introduces limitations on the rights of data subjects where their data are processed by public bodies;
- introduces provisions on profiling by insurance companies, as well as on the transmission of data between public bodies.
The new law provides for a system of criminal penalties, as well as a special system of administrative penalties for public bodies, in line with the explicit provision of the GDPR. It abolishes law 2472/1997, with the exception of specific clauses which are amended and remain in force, concerning, amongst others, definitions of terms relating to the protection of personal data and administrative penalties for violations of the law on electronic services (law 3471/2006).
Incorporation of Directive 2016/680/EU
The new law, in the same spirit as the GDPR, sets out the general principles and the scope of the Directive's provisions that are being incorporated into the Greek legal framework.
The law sets out the legal basis for processing personal data for a purpose different from the one for which the data were initially collected. Moreover, the law regulates the process of obtaining consent, as well as the confidentiality obligation of the persons involved in the processing of personal data.
Additionally, the rights of data subjects (the rights to information, access, rectification and complaint) are established, and the responsibilities of the controller and the processor are defined.
CPA Law Comments
The new law is an important step for the application in Greece of the GDPR, which was voted by the European Union 3.5 years ago.
However, there are weaknesses which we expect to be corrected either through amendments to the law or through Decisions and Opinions provided by the Hellenic Data Protection Authority.
- Taking into account that the GDPR defines only the controller and the processor, the new law adds two new terms, the public and the private body. However, it is not clear whether the public sector companies that are not funded by the national budget fall under this definition.
- Following the comments mentioned during the public consultation, many of which were taken into consideration, the article in relation to the Data Protection Officer in the private sector was deleted (article 37) as well as the provision relating to his/her criminal responsibility, whereas the level of administrative penalties imposed on public bodies is increased.
- Article 9 of the new law, validates (legalizes?) the Hellenic Data Protection Authority according to law 2472/1997 as the Supervising Authority in Greece for GDPR purposes.
- As regards the ability of private bodies to amend the purpose of processing, the new law provides that the processing of personal data by private bodies for a purpose different from the one for which the data were collected is permitted where it is necessary, amongst others, for averting threats to national safety, following a request made by a public body, or for the prosecution of criminal offences.
- Such processing is also permitted for the establishment, exercise or support of legal claims, unless the interest of the data subject is more significant. However, there are no guarantees offered to the data subjects and no procedures set to be followed by private bodies for this extended possibility.
- The law introduces special regulations for the processing of personal data within the framework of employment in the private and the public sector, which, amongst others, provide that employees' personal data may be processed for the purposes of the employment contract only if absolutely necessary for the conclusion of such contract or, after its conclusion, for its execution.
Furthermore, the reference in Article 27 of the new law to employees' consent as a basis for processing gives the employer a wide basis on which to seek to establish processing based on consent. Employers need only prove that consent was given freely, taking mainly into consideration the employee's dependency and the circumstances under which such consent was given.
- With Article 28, the legislator included important deviations from the GDPR with respect to processing and the freedom of expression and information, limiting, amongst others, fundamental rights of data subjects, such as the right to be forgotten. Although the GDPR permits divergences and exceptions, these should not be so wide that they violate the core of personal data protection.
- The new law maintained Article 13 par. (1) and (2) of law 2472/1997 on the right to object to processing, adding a further exception to that right for public bodies (Article 35 of the new law).
- The report drafted by the legal department of the Ministry of Justice makes no reference to the impact of the law on several important sectors, such as the economy (the cost of establishing the required infrastructure, competitiveness between companies, etc.), the simplification of administrative procedures, the improvements to the legal order, and others.
- The need to consult three different documents (law 2472/1997, Regulation 2016/679 and law 4624/2019) is impractical for the purposes of understanding and implementing the rules on the protection of personal data.
The new legal framework clearly highlights the need for the Public Sector to comply with the provisions of the GDPR, while it seems imperative for Private Sector entities to proceed to a substantial review of the GDPR compliance work already carried out and of the policies adopted.