October 7, 2019
Greece transposes EU General Data Protection Regulation into domestic law
The European Union (EU) General Data Protection Regulation (GDPR) came into force on 25 May 2018 and has radically transformed the level playing field for businesses in the field of data protection.
Fifteen months later, the long-awaited Greek Law regarding the protection of personal data has now been published in the Government Gazette of 29 August 2019 (137/A/29-08-2019). The Law supplements the provisions of the GDPR and incorporates Directive (EU) 2016/680 of the European Parliament and of the Council (LED Directive).
The new Law includes provisions in certain areas which are left by the GDPR to the discretion of Member States and eliminates the legal uncertainty caused by the delayed supplementation of the Regulation and the parallel validity of Law 2472/1997.
The Law annuls prior Law 2472/1997, excluding certain of its provisions regarding the disclosure of data by law enforcement authorities in case of specific offenses, the use of visual and auditory materials in public meetings and the opt-out register for commercial communications by post. Furthermore, it maintains in force the provisions of Law 2472/1997 regarding the composition of the Data Protection Authority and the compensation of its members, along with the framework of administrative fines for private entities.
It should also be noted that the enactment of the Law was expedited due to the referral of Greece to the European Court of Justice for failure to timely transpose the LED Directive into Greek law.
The new Law complements the GDPR in a number of sectors. Section A of the Law stipulates its objective and scope, the definitions of public and private entities and the mandatory designation of the data protection officer in public bodies. Section B includes provisions regarding the organization and operation of the Hellenic Data Protection Authority. Section C implements supplemental measures for the application of the GDPR, whereas Section D transposes the LED Directive into Greek law.
Organization and operation of the HDPA
The Hellenic Data Protection Authority (HDPA) is re-established and declared as the supervisory authority of the GDPR in Greece.
The GDPR provides for the enhanced protection of minors but leaves it to the discretion of Member States to upgrade such protection. Under the new Law, minors’ data in relation to information society services (e.g., online videogames or social media) can now be processed only if the minor is at least 15 years old and consents. Otherwise, the consent of the holder of parental responsibility over the minor is required.
Processing of special categories of data
Notwithstanding the provisions of the GDPR, the new Law stipulates that processing of special categories of data by public and private entities is permitted without the consent of the data subject, in cases in which it is mandatory for purposes of healthcare, social care, social security and assessment of an individual’s ability to work, on the condition that measures to safeguard data subjects’ interests are taken. Furthermore, processing of special categories of data by public entities for further purposes is permitted, in cases where there are grounds of public interest, the necessity of preventing a significant threat for public safety and the necessity to take humanitarian measures. Nevertheless, processing of genetic data for health and life insurance is expressly prohibited.
Processing for further purposes
The processing of personal data by public entities for purposes other than those for which they were collected is permitted in cases in which it is necessary for the prosecution of offenses, for public safety reasons or for the prevention of harm to another person. Similarly, processing by private entities is permitted in cases in which national security issues are involved or for the establishment, exercise or support of their legal claims. Such processing by private entities is permitted in order to prevent threats against national security or public health, or after a public entity’s request for either the prosecution of criminal offenses or the establishment, exercise or defense of legal claims, unless the interest of the data subject in his/her data not being processed prevails.
Specific processing situations
The processing of personal data for journalistic or academic, artistic or literary purposes is permitted without the consent of the data subject, provided that the public’s right to the information outweighs the right to privacy of the data subject.
In addition, the processing of personal data is permitted without the consent of the data subject, provided that it is necessary for scientific or historical research or for purposes related to the collection or retention of statistics, on the condition that appropriate measures are taken, such as anonymity and encryption.
Exception from the obligation to inform
The controller is exempted from the obligation to inform the data subject according to articles 13 and 14 of the GDPR in certain cases, such as when such information would jeopardize the proper performance of the controller’s duties, public security or the establishment, exercise or defense of legal claims. For public entities, in particular, such exceptions from the obligation to inform the data subject are broader when personal data have been collected from third sources.
Processing of personal data in the employment context
Of great importance are the novelties vis-à-vis the GDPR brought about by the new Law in the employment context.
The employer may process employee data necessary for the recruitment, the performance and execution of the employment contract of its employees.
In the case that the processing is based on the legal grounds of the employee’s consent, the validity of consent is evaluated according to the circumstances of the specific employment contract and the conditions of consent pursuant to Art. 7 GDPR. The processing of personal data is also permitted on the basis of collective labor agreements. The employer must comply with the processing principles of article 5 of the GDPR and take appropriate technical and organizational measures to protect employee data.
Surveillance through video surveillance systems in the workplace is permitted only when it is necessary for the protection of persons and goods and when written notice, including electronic notice, is provided to employees.
Right of access
Within the ambit of the GDPR, the new Law brings about important limitations to the rights of data subjects. The exercise of the right of access is restricted when there is no obligation to inform the data subject, or when his/her data have been recorded and cannot be deleted due to regulatory provisions imposing an obligation to retain or control them, such as in cases in which they are stored on tax bases, fingerprints, passports, etc. In order to waive the obligation of access in such cases, the provision of access must require a disproportionate effort, and the necessary technical and organizational measures must be in place to make processing for other purposes impossible.
Right to erasure
The right to erasure of personal data does not apply in cases of non-automated processing, in which, due to the special nature of their storage, erasure is impossible or requires a disproportionate effort, and where it is contrary to conventional or legal retention periods. In certain cases of automated processing, the right to erasure may also be lawfully replaced by restrictions to processing of the relevant data.
Right to object
The right to object to the processing of personal data before public entities may not be applicable in cases in which such processing is required for the public interest, when the latter prevails over the interests of the data subject.
Accreditation of certification bodies
The National Accreditation System (ESYD) is responsible for the accreditation of the certification bodies of article 43 of the GDPR regarding their compliance with applicable legislation in accordance with the standard EN ISO/IEC 17065:2012.
Anyone who interferes with a system of archiving personal data, deletes it, copies it or generally uses it illegally shall be punished with one-year imprisonment. In the case of special categories of data, imprisonment of at least one year and a fine of up to €100,000 shall be imposed. Furthermore, if the offender intends, for himself or for others, to unlawfully gain an economic benefit or to cause property damage and the total benefit thereof exceeds €120,000, s/he shall be punished with imprisonment of up to 10 years. These offenses are prosecuted proprio motu.
The new Law leaves the sanctions of the GDPR unchanged for private entities, which may amount to up to 2% or 4% of the annual turnover of a company. Fines to public entities are, however, limited by the Law to up to €10 million, depending on the severity and duration of the breach.
Claims for damages by the data subject vis-à-vis controllers or the processors shall be filed before the court of the registered seat of the controller/processor or its representative, if any, or in the court in whose district the data subject has his/her residence.
For additional information with respect to this Alert, please contact the following:
Platis – Anastassiadis & Associates Law Partnership, Athens