Sign up for tax alert emails    GTNU homepage    Tax newsroom    Email document    Print document    Download document

October 7, 2019

Greece transposes EU General Data Protection Regulation into domestic law

Executive summary

The European Union (EU) General Data Protection Regulation (GDPR) came into force on 25 May 2018 and has radically transformed the level playing field for businesses in the field of data protection.

Fifteen months later, the long-awaited Greek Law regarding the protection of personal data has now been published in the Government Gazette of 29 August 2019 (137/A/29-08-2019). The Law supplements the provisions of the GDPR and incorporates Directive (ΕU) 2016/680 of the European Parliament and of the Council (LED Directive).

The new Law includes provisions in certain areas which are left by the GDPR to the discretion of Member States and eliminates the legal uncertainty caused by the delayed supplementation of the Regulation and the parallel validity of Law 2472/1997.

The Law annuls prior Law 2472/1997, excluding certain of its provisions regarding the disclosure of data by law enforcement authorities in case of specific offenses, the use of visual and auditory materials in public meetings and the opt-out register for commercial communications by post. Furthermore, it maintains in force the provisions of Law 2472/1997 regarding the composition of the Data Protection Authority and the compensation of its members. Along with the frame of administrative fines to private entities.

It should also be noted that the enactment of the Law was expedited due to the referral of Greece to the European Court of Justice for failure to timely transpose the LED Directive into Greek law.

Detailed discussion


The new Law complements the GDPR in a number of sectors. Section Α of the Law stipulates its objective and scope, the definitions of public and private entities and the mandatory designation of the data protection officer in public bodies. Section B includes provisions regarding the organization and operation of the Hellenic Data Protection Authority. Section C implements supplemental measures for the application of the GDPR, whereas Section D transposes the LED Directive into Greek law.

Main provisions

Organization and operation of the HDPA

The Hellenic Data Protection Authority (HDPA) is re-established and declared as the supervisory authority of the GDPR in Greece.

Minors’ consent

The GDPR provides for the enhanced protection of minors but leaves it to the discretion of Member States to upgrade such protection. Under the new Law, minors’ data in relation to information society services (e.g., online videogames or social media) can now be processed, only if the minor is at least 15 years old and consents. Otherwise, the consent of the holder of the parental responsibility over the minor is required.

Processing of special categories of data

Notwithstanding the provisions of the GDPR, the new Law stipulates that processing of special categories of data by public and private entities is permitted without the consent of the data subject, in cases in which it is mandatory for purposes of healthcare, social care, social security and assessment of an individual’s ability to work, on the condition that measures to safeguard data subjects’ interests are taken. Furthermore, processing of special categories of data by public entities for further purposes is permitted, in cases where there are grounds of public interest, the necessity of preventing a significant threat for public safety and the necessity to take humanitarian measures. Nevertheless, processing of genetic data for health and life insurance is expressly prohibited.

Processing for further purposes

The processing of personal data by public entities for purposes other than those for which they have been collected is permitted in cases in which it is necessary for the prosecution of offenses, public safety reasons and prevention of harm of another person. Similarly, processing by private entities is permitted in cases in which they are subject to national security issues or for the foundation, exercise or support of their legal claims. Such processing by private entities is permitted in order to prevent threats against national security or public health after a public entity’s request for either the prosecution of criminal offenses or the establishment, exercise or defense of legal claims, unless the interest of the data subject to his/her data not to be processed is outweighed.

Specific processing situations

The processing of personal data for journalistic or academic, artistic or literary purposes is permitted without the consent of the data subject, provided that the public’s right to the information outweighs the right to privacy of the data subject.

In addition, the processing of personal data is permitted without the consent of the data subject, provided that it is necessary for scientific or historical research or for purposes related to the collection or retention of statistics, on the condition that appropriate measures are taken, such as anonymity and encryption.

Exception from the obligation to inform

The controller is exempted from the obligation to inform the data subject according to articles 13 and 14 of the GDPR in certain cases, such as when such information would jeopardize the proper performance of the controller’s duties, public security or the establishment or exercise or defense of legal claims. For public entities, in particular, such exceptions from the obligation to inform the data subject are broader when personal data have been collected from third sources.

Processing of personal data in the employment context

Of great importance are the novelties vis-à-vis the GDPR brought about by the new Law in the employment context.

The employer may process employee data necessary for the recruitment, the performance and execution of the employment contract of its employees.

In the case that the processing is based on the legal grounds of the employee’s consent, the validity of consent is evaluated according to the circumstances of the specific employment contract and the conditions of consent pursuant to Art. 7 GDPR. The processing of personal data is also permitted on the basis of collective labor agreements. The employer must comply with the processing principles of article 5 of the GDPR and take appropriate technical and organizational measures to protect employee data.

The surveillance through video surveillance systems in the workplace is permitted only when it is necessary for the protection of persons and goods and when written, including electronic, notice is provided to employees.

Right of access

Within the ambit of the GDPR, the new Law brings about important limitations to the rights of data subjects. The exercise of the right of access is restricted when there is no obligation to inform the data subject or when his/her data have been recorded and cannot be deleted due to regulatory provisions about their obligation to retain or control them, such as in cases in which they are stored on tax bases, fingerprints, passports, etc. In order to waive the obligation of access in such cases, the provision of access should require a disproportionate effort and the necessary technical and organizational measures to make processing impossible for other purposes.

Right to erasure

The right to erasure of personal data does not apply in cases of non-automated processing, in which, due to the special nature of their storage, erasure is impossible or requires a disproportionate effort, and where it is contrary to conventional or legal retention periods. In certain cases of automated processing, the right to erasure may also be lawfully replaced by restrictions to processing of the relevant data.

Right to object

The right to object to the processing of personal data before public entities may not be applicable, in cases in which such processing is required for the public interest, when the latter prevails over the interests of the data subject.

Accreditation of certification bodies

The National Accreditation System (ESYD) is responsible for the accreditation of certification bodies of article 43 of the GDPR regarding their compliance with applicable legislation in accordance with the standard EN-ISO / IEC17065: 2012.

Criminal sanctions

Anyone who interferes with a system of archiving personal data, deletes it, copies it and generally uses it illegally shall be punished with one-year imprisonment. In case of special categories of data, imprisonment of at least one year and a fine up to €100,000 shall be imposed. On the contrary, if the offender intends for himself or for others to unlawfully gain an economic benefit or to cause property damage and the total benefit thereof exceeds €120,000, s/he shall be punished with imprisonment up to 10 years. These offenses are prosecuted proprio motu.

Administrative sanctions

The new Law leaves the sanctions of the GDPR unchanged for private entities, which may amount up to 2% or 4% of the annual turnover of a company. Fines to public entities are however limited by the Law up to €10 million, depending on the severity and duration of the breach.

Judicial protection

Claims for damages by the data subject vis-à-vis controllers or the processors shall be filed before the court of the registered seat of the controller/processor or its representative, if any, or in the court in whose district the data subject has his/her residence.

For additional information with respect to this Alert, please contact the following:

Platis – Anastassiadis & Associates Law Partnership, Athens
  • Eirinikos Platis |
  • Antonios Broumas |



The information contained herein is general in nature and is not intended, and should not be construed, as legal, accounting or tax advice or opinion provided by Ernst & Young LLP to the reader. The reader also is cautioned that this material may not be applicable to, or suitable for, the reader's specific circumstances or needs, and may require consideration of non-tax and other tax factors if any action is to be contemplated. The reader should contact his or her Ernst & Young LLP or other tax professional prior to taking any action based upon this information. Ernst & Young LLP assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.


Copyright © 2024, Ernst & Young LLP.


All rights reserved. No part of this document may be reproduced, retransmitted or otherwise redistributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP.


Any U.S. tax advice contained herein was not intended or written to be used, and cannot be used, by the recipient for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code or applicable state or local tax law provisions.


"EY" refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.


Privacy  |  Cookies  |  BCR  |  Legal  |  Global Code of Conduct Opt out of all email from EY Global Limited.


Cookie Settings

This site uses cookies to provide you with a personalized browsing experience and allows us to understand more about you. More information on the cookies we use can be found here. By clicking 'Yes, I accept' you agree and consent to our use of cookies. More information on what these cookies are and how we use them, including how you can manage them, is outlined in our Privacy Notice. Please note that your decision to decline the use of cookies is limited to this site only, and not in relation to other EY sites or Please refer to the privacy notice/policy on these sites for more information.

Yes, I accept         Find out more