Which acts fall within the term “processing of personal data”? Which business activities are really affected by the legislation on personal data protection?
Any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means - such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction- qualifies as “processing of personal data”. Thus, it is obvious that personal data issues may arise in all business activities and in all aspects of life in general, since information from which it is possible to identify natural persons can be found almost everywhere.
Is there any special law regarding personal data protection in Greece?
Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation – GDPR”) is applicable from 25 May 2018. As of today (22.11.2018), the Greek law implementing and supplementing the GDPR has not yet been issued, although it entered into public consultation on 20 February 2018.
The main set of data protection rules consists of Law 2472/1997, which harmonized the Greek legislation with Directive 95/46/EC. This law sets out the obligations of those who process personal data and the respective rights of those to whom the data processing relates. The same Law also provides for the establishment of the Hellenic Data Protection Authority (HDPA) and its powers and competencies.
Additionally, when it comes to special cases of personal data processing, other laws may apply as well: e.g. Law 3471/2006 on personal data protection in respect of electronic communications (vide Directive 2002/58/EC), Law 3917/2011 on the retention of data processed within the framework of public electronic communications (vide Directive 2006/24/EC), article 34 of Law 4002/2011 on the processing of personal data conducted by the Gaming Supervision & Control Commission within the framework of the Gaming Market regulations, etc.
Are there any other regulations, guidelines etc. regarding personal data processing?
Yes. By virtue of Law 2472/1997, the HDPA is entitled to issue circulars, directives, regulatory acts and so on, in order to interpret the provisions of said Law or even institute special regulations for specific cases of personal data processing.
The HDPA has, inter alia, issued the following: regulatory act 1/1999 on the controller’s obligation to inform the data subjects, directive 1/2011 on the installation, operation and notification of CCTV systems, decision 115/2001 on personal data processing within the context of employment relations, directive 1/2005 on the secure destruction of personal data, directive 2/2011 on consent given via electronic means, opinion 6/2013 on third-party access to public documents containing personal data, opinion 1/2016 on cold calling for any kind of sales or advertisement purposes, etc.
It is noted that the Credit Profile Database and the Risk Consolidation System operated by TIRESIAS S.A. (which is an inter-banking entity) is also subject to the regulations issued by the HDPA through various decisions and normative acts.
Which parties are involved in personal data processing?
The “controller” is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The “processor” is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The processor is usually an independent party which, while taking instructions from the controller, does not belong to the controller’s organization.
Both controllers and processors have accountability obligations under the GDPR. These include keeping records that can be provided to supervisory authorities upon request. Controllers and processors share responsibilities for personal data security and must ensure compliance with international data transfer rules. And both controllers and processors are subject to large administrative fines if their obligations are not met and can be subject to compensation claims from individuals.
In accordance with Article 28 of the GDPR, processing by a processor shall be governed by a contract or other legal act under Union or member state law that is binding on the processor with regard to the controller. Such a contract shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the controller. It must therefore be ensured that the processor processes the personal data only on documented instructions from the controller, under an appropriate statutory obligation of confidentiality and with appropriate technical and organizational measures.
It is also noted that there are a number of other provisions which controllers and processors may wish to include in Data Processing Agreements which are not mandatory for inclusion under the GDPR. Such provisions may include but are not limited to liability provisions (including indemnities), detailed technical security provisions and/or additional cooperation provisions between the controller and processor.
“Joint controllers” are two or more controllers who jointly determine the purposes and means of processing, between whom there shall be an arrangement regarding their respective roles and relationships vis-à-vis the data subjects.
The “data subject” is the natural person to whom the data relates.
The “third parties” are any parties other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.
The “recipient” is a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not.
What are the requirements for the lawful processing of personal data?
The controller of personal data is under an obligation to fulfill a number of requirements and is liable towards both the data subjects and the HDPA for non-compliance. The main requirements are the following:
- Observing the general principle of proportionality, which means the data must be: 1. collected fairly and lawfully for specified, explicit and legitimate purposes and processed lawfully, fairly and in a transparent manner (“lawfulness, fairness, transparency and purpose limitation”); 2. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”); 3. accurate and, where necessary, kept up to date (“accuracy”); 4. kept in a format which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, bearing in mind the purposes for which such data was collected or processed (“storage limitation”).
- Obtaining the consent of the data subject to the processing of his or her personal data for one or more specific purposes (under certain circumstances, another legal basis, in lieu of consent, may be sufficient).
- Informing the data subjects about when and how their personal data is collected and processed, including who has access to said data or whether said data is transferred outside Greece or the EU.
- Taking all necessary additional and specific precautions wherever sensitive personal data is involved.
- Complying with appropriate security measures (technical and organizational) and confidentiality obligations (“integrity and confidentiality”).
- Ensuring that any data transfer outside the EU takes place pursuant to an appropriate legal basis.
It is also noted that the GDPR repeals the obligation to notify the HDPA and/or to request its prior approval.
Are there any exemptions from the above requirements?
Potential exemptions from the above requirements are:
- anonymous data, which, in contrast to personal data, does not relate to an identified or identifiable natural person. It has been rendered unidentifiable and, as such, is not protected by the GDPR.
- pseudonymous data, which requires special treatment. More specifically, pseudonymous data is not fully anonymous: it has undergone a process that detaches the data from the specific individual to whom it relates, similar to creating an alias for a person’s name, yet the personal data remains retrievable. Pseudonymizing data is typically a security measure that makes the use of the data less risky. Yet pseudonymous data is still subject to EU data protection laws.
Further exemptions may come into play in relation to the territorial and material scope of the GDPR and national data protection legislations. Special treatment of certain data processing activities may also derive from special circumstances relating to the public interest and respective data processing conducted by specific public authorities.
Do the above exemptions allow the law on the protection of personal data to be easily circumvented?
No. The specific parameters of the abovementioned exemptions are strictly and expressly described under the GDPR and the applicable Greek data protection legislation.
Is there any additional requirement when transferring personal data abroad?
Under GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his/her personal data
- the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the controller is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
One stated objective of the GDPR is to ensure the free flow of personal data while, at the same time, recognizing that transfers of personal data from a member state to a third country must be protected to an adequate standard. It is noted that controllers are now obligated to inform data subjects of their intent to transfer personal data outside the EEA and to describe the safeguards being used for such transfer.
Therefore, in accordance with the Regulation, international transfers shall take place on the basis of (a) an Adequacy Decision or in the absence of such a decision, (b) Appropriate Safeguards, namely binding corporate rules, standard contractual clauses, approved codes of conduct or certification mechanisms, ad hoc contractual clauses, and international agreements.
Where no adequacy decision or appropriate safeguards are in place, the only remaining options for transferring personal data internationally are the limited circumstances described as “derogations”. More specifically, they include the following conditions: (a) explicit consent from the data subject, (b) performance of a contract with the data subject, (c) public interest, (d) establishment, exercise or defense of legal claims, (e) protection of vital interests of the data subject or other persons, (f) transfer from a register of public information or (g) legitimate interests of the controller.
When does Greek law apply?
It is very important, when it comes to personal data processing within multinational organizations (e.g. involving controllers and processors located in more than one jurisdiction), to examine which set of national laws is applicable. It is noted that in this aspect Greek law is quite strict, since it goes further than the requirements of Directive 95/46/EC (vide amongst others recital 18 thereof).
Article 3 par. 3 of Law 2472/1997 provides that Greek law shall inter alia apply to any processing of personal data which is conducted either by a controller which has its registered seat in Greece or by a processor which has its registered seat in Greece. Thus, where a controller is located, for example, in Germany and has its processor in Greece, processing would be subject both to the laws of Germany (controller’s jurisdiction) and to the laws of Greece (processor’s jurisdiction).
Article 2.8 of the draft Greek law implementing the GDPR sets out the territorial scope of the provisions. Said law applies when the processing of personal data takes place in Greek territory or within an establishment in Greek territory, even if such processing takes place outside Greek territory.
Special cases of personal data processing: “whistleblowing” platforms / monitoring projects.
The most interesting special cases of personal data processing usually arise in the context of the employment relationship. Examples include:
Bring Your Own Device (BYOD), which allows employees to use their own devices, such as smart phones, tablets and laptops, for work-related activities. BYOD programs open the door to significant risks to data protection, including data breaches, which could result in substantial penalties and fines under the GDPR.
Whistle-blowing schemes, under which companies receive anonymous complaints about potential wrongdoing, including fraud, misappropriation of assets and/or material misstatements in financial reporting.
Workplace monitoring/surveillance, which must be based on legitimate purposes. Under the GDPR, employees’ rights and freedoms must be balanced against the rights of the employer, and alternatives to monitoring should always be considered. In any case, to monitor employees lawfully, an employer must ensure that the monitoring is necessary, proportional, transparent and legitimate.
Are specific rights conferred upon data subjects, pursuant to the law?
The GDPR grants data subjects the following rights: right to information, right of access, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing, right to data portability, right to object, and right not to be subject to a decision based solely on automated processing. The above will also be reflected in the draft Greek law implementing the GDPR.
However, the exercise of such rights may be restricted by law in special cases of personal data processing. For instance, the right of access may not be exercised in case of processing within the scope of Law 3691/2008 on money laundering (vide HDPA Decision 66/2008).
Does the law provide for specific sanctions against those processing personal data without conforming to its provisions?
As it stands, Greek law sets out administrative, criminal and civil sanctions in case of violation of the obligations concerning personal data processing. The HDPA may impose on the controller and/or its representatives the following sanctions:
- a warning, along with setting a deadline for ceasing the violation,
- a fine amounting from 880 to 150,000 euro,
- a temporary revocation of the permit,
- a permanent revocation of the permit, destruction of the data collected, cessation of processing and destruction, return or seizure of the relevant data.
The choice of the appropriate sanction - and of its severity - is at the absolute discretion of the HDPA. However, the law provides that the sanction has to be proportionate to the violation which took place: the Conseil d’État (2252/2005) found that a fine amounting to 60,000 euro for a simple violation of personal financial data was proportionate in view of the financial position of the controller (the case concerned the credit ability of the controlling company).
Furthermore, the following criminal sanctions apply for persons violating Law 2472/1997:
- Violation of articles 6 and 7 par. 3 (notification of processing or application for a permit to process) entails imprisonment of up to 3 years and a pecuniary (criminal) penalty amounting from 3,000 to 15,000 euro.
- Maintaining sensitive personal data (in a filing system) in violation of the provisions of article 7 (processing sensitive personal data), entails imprisonment of up to 5 years and a pecuniary (criminal) penalty amounting from 3,000 to 15,000 euro.
- In general, processing personal data in an unlawful way entails imprisonment of up to 5 years and a pecuniary (criminal) penalty amounting up to 30,000 euro. Similar sanctions are also provided for in special cases, such as failure to comply with the decisions of the HDPA, etc.
Article 23, on civil liability, provides that whoever suffers damage due to a violation of Law 2472/1997 is entitled to compensation from the wrongdoer, including actual damages, consequential damages (e.g. loss of profit) and moral damages. The above provision introduces a minimum compensation of 6,000 euro for cases concerning a violation of data protection legislation that gives rise to moral damages.
It is noted that the new Greek law will reflect the sanctions provided for by the Regulation and will provide to the Hellenic Data Protection Authority the power to enforce them.