Data Protection & GDPR Compliance in Greece
The GDPR applies directly in Greece, as in every EU member state. But Greece’s national implementing legislation – Law 4624/2019 – adds Greek-specific rules on employee data, video surveillance, children’s consent, genetic data, and the powers of the Hellenic Data Protection Authority (HDPA). If you’re operating in Greece, compliance means understanding both layers. We advise foreign businesses on GDPR compliance in the Greek context: identifying obligations, structuring processing activities, responding to HDPA investigations, and handling the areas where Greek law diverges from or supplements the EU framework.
What Makes Greece Different
The GDPR is a regulation, not a directive – it applies uniformly across the EU. But it contains more than 50 “opening clauses” where member states can legislate differently. Greece has exercised several of these, creating rules that foreign businesses often don’t anticipate.
Employee data
Law 4624/2019 restricts when employers can rely on employee consent as a legal basis for processing. Because of the inherent power imbalance in employment, consent must be genuinely free – and Greek law requires that assessment to account for the employee’s dependency on the employment contract and the specific circumstances under which consent was given. Consent must be clearly separated from the employment contract itself. In practice, this means most workplace data processing in Greece should be grounded in legitimate interests or contractual necessity, not consent. Processing through CCTV in the workplace is permitted only for safety and security purposes – never for employee monitoring or performance assessment.
Children’s data
Greece has set the age of digital consent at 15 (the GDPR default is 16). Below that age, processing requires parental or guardian consent.
Genetic data
Greece has imposed a complete prohibition on processing genetic data for health and life insurance purposes – going beyond the GDPR’s general restrictions on special categories of data.
Public authorities
Public bodies in Greece cannot rely on consent as a legal basis for processing. They must identify an alternative basis under Article 6 GDPR.
Video surveillance
HDPA Directive 1/2011, read together with Law 4624/2019 and the GDPR, governs the use of CCTV systems. Surveillance is permitted only for the protection of persons and property. Footage can be transmitted to police authorities upon request, but the data subject must be informed. Retention periods, signage requirements, and access rights are all regulated – and the HDPA has actively enforced these rules with fines.
Key topics we cover
Lawful basis: consent / contract / legal obligation / vital interests / public task / legitimate interests
Children’s data and age gating
Special category data: health, biometrics, beliefs, sexual orientation
Marketing: email/SMS, soft opt-in where applicable, unsubscribe flows
Analytics/ads: consent for cookies; server-side tagging; IP truncation
HR data: recruitment, payroll, references, CCTV at workplace
AI & profiling: transparency, purpose limitation, human oversight
Data retention: justify, minimize, delete
Security measures: access control, encryption, backups, vendor oversight
The HDPA: How Greece Enforces
The Hellenic Data Protection Authority is a constitutionally established independent authority with investigative and sanctioning powers. It handles complaints, conducts audits (including remote website audits for cookie compliance), and imposes administrative fines.
Fine levels in practice. The HDPA can impose fines up to €20 million or 4% of global annual turnover for private entities, and up to €10 million for public bodies. In practice, fines have ranged widely: €20 million against Clearview AI for unlawful facial recognition processing of Greek citizens’ data; nearly €3 million against Hellenic Post (ELTA) after a cyber-attack exposed data of up to 5 million individuals; €9.25 million combined against major telecom providers for inadequate technical and organisational measures and data leakage; €400,000 against the Ministry of Internal Affairs for unauthorised transfer of voter data; and smaller but consistent fines against banks, employers, and service providers for failing to satisfy data subject access requests, conducting unsolicited marketing, and inadequate breach notification.
Enforcement focus areas. The HDPA has been particularly active on unsolicited marketing communications (SMS, telephone), data subject access rights (especially delays and non-cooperation), data breach notification failures, video surveillance compliance, and cookie consent – where remote audits of controllers’ websites have found widespread non-compliance, though formal enforcement actions are still building.
Criminal liability. Under Law 4624/2019, unauthorised processing and unauthorised disclosure of personal data are criminal offences punishable by up to 20 years’ imprisonment and fines up to €300,000. This is separate from the HDPA’s administrative fining power and applies regardless of intent – negligent violations can trigger criminal exposure.
BREACH NOTIFICATION
The basic GDPR rule applies: notify the HDPA within 72 hours of becoming aware of a breach that poses risks to individuals’ rights. If the breach poses high risk, affected individuals must also be notified directly.
In Greece, the HDPA and the Hellenic Authority for Communication Security and Privacy (ADAE) share jurisdiction over breach notifications – the ADAE handles breaches involving electronic communications networks and services under Law 3471/2006 (the ePrivacy Directive transposition).
Between mid-2023 and early 2024, 167 data breach incidents were notified to the HDPA. Given the size of the Greek market, this is a relatively high rate – and the HDPA has not hesitated to fine organisations that fail to notify or that delay notification.
CROSS-BORDER DATA TRANSFERS
Transfers of personal data outside the EEA follow the standard GDPR framework: adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. BCR approvals in Greece must be submitted through the HDPA’s web portal (in Greek), and in practice, the approval process takes approximately three months.
For foreign businesses with Greek operations, the practical issues are typically structuring intra-group data flows to and from Greece, ensuring processor agreements with Greek service providers meet both GDPR and Law 4624/2019 requirements, and navigating the HDPA’s procedures for transfer impact assessments and approvals.
HOW WE HELP
We advise on GDPR compliance for businesses operating in Greece, with particular focus on the areas where Greek law creates additional or different obligations. This includes structuring lawful processing for employee data, customer data, and marketing activities under Greek rules; advising on video surveillance compliance for businesses with Greek premises; responding to HDPA investigations, complaints, and audit requests; handling data breach notification to the HDPA and affected individuals; drafting and reviewing data processing agreements, privacy policies, and internal compliance documentation; and advising on data protection aspects of M&A transactions, employment restructuring, and cross-border data flows.
Contact us if you need GDPR advice specific to Greece. The regulation is EU-wide, but the compliance questions that actually cause problems are almost always local.
Services
Our 6-step roadmap
01 Kickoff & discovery: products, data flows, tools, markets, and risks.
02 Data mapping: systems, categories, purposes, legal bases; produce RoPA.
03 Gap analysis: measure against GDPR, ePrivacy, and Greek practice.
04 Documents & controls: draft notices, DPA, cookies, SCCs, policies; configure consent tools.
05 Implement & train: deploy banners, forms, intake workflows; train teams; test DSARs.
06 Monitor: quarterly reviews, vendor updates, TRAs, incident drills; optional DPO support.
What you get
YOUR COMPLETE GDPR-KIT
Data mapping & RoPA (Records of Processing Activities)
Lawful basis framework + LIA (Legitimate Interests Assessment) templates
Privacy notices: website/app/HR; EN & GR
Cookie banner & policy + consent mode settings (ePrivacy alignment)
DPAs (Data Processing Agreements) + sub-processor rules
International transfers: SCCs + Transfer Risk Assessment (TRA) templates
DPIA (impact assessments) for high-risk processing (AI, biometrics, tracking)
Security baseline & vendor due-diligence kit (questionnaires, clauses)
Data subject rights playbook & SLAs (access, deletion, portability)
Retention schedule + deletion/archiving procedures
Incident response: 72-hour breach plan, notifications, evidence pack
Training: slides + quick-reference guides for teams
Frequently Asked Questions
Does GDPR apply to my business?
GDPR applies if you process personal data of individuals in the EU, regardless of where your business is located. This includes Greek companies, foreign companies with establishments in Greece, and non-EU companies offering goods or services to people in the EU or monitoring their behavior. The regulation is extraordinarily broad—if you have employees, customers, website visitors, or business contacts in Europe, you almost certainly fall within scope. We help clients determine precisely how GDPR applies to their operations and what obligations follow.
What counts as personal data under GDPR?
Personal data is any information relating to an identified or identifiable individual. This includes obvious identifiers like names, email addresses, and ID numbers, but extends to IP addresses, location data, cookie identifiers, employee records, customer transaction histories, and even pseudonymized data if individuals can be re-identified. Special categories of data – such as health information, biometric data, racial or ethnic origin, political opinions, and trade union membership—face heightened restrictions. The definition is deliberately expansive.
What are the key obligations under GDPR?
GDPR imposes multiple overlapping requirements: you must have a lawful basis for processing (consent, contract, legitimate interest, or another Article 6 ground), respect data subject rights (access, rectification, erasure, portability, objection), implement appropriate security measures, maintain processing records, conduct data protection impact assessments for high-risk processing, appoint a Data Protection Officer in certain circumstances, report personal data breaches within 72 hours, and ensure that contracts with processors meet Article 28 requirements. Compliance requires both documentation and operational capability.
Do we need to appoint a Data Protection Officer?
A DPO is mandatory if you are a public authority, if your core activities involve large-scale systematic monitoring (such as behavioral tracking or profiling), or if your core activities involve large-scale processing of special categories of data. Many Greek companies fall within these criteria, particularly in telecommunications, healthcare, banking, and insurance. Even where not mandatory, appointing a DPO (or engaging external DPO services) is often prudent to demonstrate accountability and maintain compliance expertise. We advise on whether appointment is required and help structure the DPO function.
What is a lawful basis and how do we choose one?
You cannot process personal data without a lawful basis under Article 6 GDPR. The most common bases are consent (freely given, specific, informed), contractual necessity (processing required to perform a contract with the data subject), legal obligation (required by law), and legitimate interests (your business needs, balanced against individual rights). Consent is often overused—it’s not always the appropriate basis, particularly in employment or B2B contexts. Choosing the wrong basis creates compliance risk and limits your operational flexibility. We help clients identify the correct legal basis for each processing activity.
What are data subject rights and how do we handle requests?
GDPR grants individuals extensive rights: to access their data, to have inaccurate data corrected, to have data erased in certain circumstances (“right to be forgotten”), to restrict processing, to object to processing based on legitimate interests, and to receive data in portable format. You must respond to requests within one month, verify the requester’s identity, and apply exemptions correctly (such as for legal claims or journalistic purposes). Mishandling these requests is a common enforcement trigger. We help establish request-handling procedures and advise on complex or contentious cases.
What are the penalties for GDPR violations?
The Hellenic Data Protection Authority can impose administrative fines up to €20 million or 4% of annual worldwide turnover, whichever is higher, for serious violations. Lesser violations can trigger fines up to €10 million or 2% of turnover. Beyond fines, consequences include corrective orders requiring operational changes, temporary processing bans, reputational damage, class action litigation under Greek law implementing the Representative Actions Directive, and regulatory scrutiny that extends to other aspects of your business. The HDPA has been actively enforcing – this is not theoretical risk.
What is the difference between a controller and a processor?
A controller determines the purposes and means of processing—the “why” and “how.” A processor processes data on behalf of a controller under instructions. The distinction matters because obligations differ: controllers bear primary responsibility for compliance, processors have specific duties under Article 28, and liability frameworks differ. Many businesses are controllers for some processing (employee data, customer data) and processors for others (providing services to clients). Misidentifying your role creates contractual and regulatory risk. When engaging service providers, you need compliant processor agreements.
Do we need Data Processing Agreements with our vendors?
If a vendor processes personal data on your behalf – hosting providers, cloud services, CRM platforms, payroll processors, marketing agencies – you must have an Article 28 compliant Data Processing Agreement. The DPA must specify the subject matter and duration of processing, the nature and purpose, types of data and categories of data subjects, controller obligations and rights, and processor obligations including security, sub-processing, assistance with data subject requests, deletion or return of data, and audit rights. Standard vendor terms rarely suffice. We draft and negotiate DPAs that actually meet regulatory requirements.
What should we do if we experience a data breach?
You must assess the breach immediately to determine if it creates risk to individuals. If it does, notify the Hellenic Data Protection Authority within 72 hours of becoming aware of it. If the risk is high, you must also notify affected individuals without undue delay. The notification must include specified details about the nature of the breach, likely consequences, and measures taken. Failing to report a notifiable breach is itself a violation. We help clients establish breach response protocols, assess notification obligations in real-time, and handle communications with the HDPA.
How does GDPR apply to international data transfers?
Transferring personal data outside the EU/EEA is restricted. Transfers to countries with adequacy decisions (such as the UK post-Brexit under current status) are straightforward. Transfers elsewhere require appropriate safeguards: Standard Contractual Clauses are the most common mechanism, but after Schrems II, you must also conduct Transfer Impact Assessments to evaluate whether the destination country’s legal framework undermines the protections. For transfers to the US, the EU-US Data Privacy Framework provides a pathway for certified organizations. Getting this wrong can result in processing bans. We structure compliant transfer mechanisms and conduct the required assessments.
What documentation do we need to maintain?
GDPR’s accountability principle requires demonstrable compliance. You must maintain Records of Processing Activities (Article 30)—an inventory of what data you process, why, how long you keep it, who receives it, and what security measures apply. You need privacy notices that actually inform individuals about your processing. You should document your legal basis determinations, legitimate interest assessments, Data Protection Impact Assessments for high-risk processing, breach records, data subject request logs, and evidence of processor due diligence. This documentation is what regulators examine in audits or investigations.
How do cookies and tracking technologies relate to GDPR?
Cookies and similar tracking technologies that process personal data (most do) must comply with both GDPR and the ePrivacy Directive (implemented in Greece by Law 3471/2006 as amended). With limited exceptions (strictly necessary cookies), you need consent before placing cookies—consent that meets GDPR standards, meaning freely given, specific, informed, and obtained before tracking begins. Cookie banners must offer genuine choice, not deceptive design patterns. Pre-ticked boxes don’t constitute valid consent. Scroll or continued browsing is insufficient. The Hellenic DPA has issued guidance and taken enforcement action. We help design compliant cookie consent mechanisms.
Can we use legitimate interests as a basis for marketing?
It depends. For B2B marketing to corporate email addresses, legitimate interests may be defensible if properly balanced and documented. For direct marketing to consumers, particularly via electronic means, consent is typically required under ePrivacy rules (the so-called “soft opt-in” exception has narrow scope). For profiling or behavioral advertising, consent is generally necessary. The key is conducting a proper Legitimate Interest Assessment that genuinely balances your interests against individual rights and freedoms, and respecting opt-out rights. Many companies claim legitimate interests without the analysis to support it—that’s a compliance gap waiting for enforcement.
What is a Data Protection Impact Assessment and when do we need one?
A DPIA is mandatory for processing likely to result in high risk to individuals—systematic large-scale processing, large-scale special category data, systematic monitoring of public areas, profiling with legal or similarly significant effects, and innovative technologies. Examples include implementing AI systems, launching facial recognition, extensive employee monitoring, or large-scale health data processing. The DPIA identifies risks, assesses necessity and proportionality, and determines mitigation measures. If residual risk remains high, you must consult the HDPA before proceeding. We guide clients through the DPIA process and handle supervisory authority consultations.
How do GDPR and Greek data protection law interact?
GDPR is directly applicable EU law—it doesn’t require national implementation for most provisions. However, Greece has enacted Law 4624/2019 to supplement GDPR, addressing areas where member states have discretion: age of consent for children (15 in Greece), national security exemptions, processing for employment purposes, and journalistic exemptions. The Hellenic DPA issues guidance interpreting GDPR in the Greek context. Compliance requires understanding both the regulation itself and Greek specificities. Our three decades practicing in Greece give us the contextual knowledge that purely international firms lack.
What happens during an HDPA investigation?
The Hellenic Data Protection Authority can initiate investigations based on complaints, data breach notifications, or its own initiative. Investigations may involve document requests, on-site inspections, interviews with staff, and technical audits of systems. You must cooperate fully—obstruction compounds liability. The HDPA will assess compliance with specific provisions, evaluate your documentation and procedures, and issue findings. Outcomes range from warnings and corrective orders to administrative fines and processing bans. Having organized documentation and demonstrable compliance efforts significantly affects outcomes. We represent clients in HDPA proceedings and help prepare for investigations.
Should we handle GDPR compliance internally or engage external counsel?
The answer depends on your resources and risk profile. Large organizations often have in-house privacy teams but engage external counsel for specialized matters – DPA negotiations, breach response, regulatory proceedings, complex transfer mechanisms, or high-stakes data subject requests. Smaller companies typically lack the internal expertise for effective compliance and benefit significantly from external support, at least for framework design and critical issues. GDPR is technical, detailed, and actively enforced – the cost of non-compliance typically far exceeds the cost of proper advice. We work with clients across this spectrum, from comprehensive compliance programs to targeted advice on specific issues.
Contact us today for a free initial discussion