Abstract
In Greece, it quickly became apparent that the risks of invasion of privacy posed by the processing of personal data, which arise from modern technology and the expansion of the internet, had to be addressed by special legislation. The addition of article 9A to the Constitution was a significant step forward in this respect. Furthermore, several provisions relating to the protection of data subjects were adopted by the Greek legislator in many sectors. Since the enactment of the general Law 2472/1997, which transposed Directive 95/46, Greek law closely follows the evolution of the relevant EU legislation, and endorses the case-law of the CJEU and the opinions and recommendations issued by the Art. 29 working party. The Hellenic Data Protection Authority significantly contributed to the implementation of the data protection legislation mainly by interpreting and specifying the general rules, in order that the protection of data subjects becomes more effective. The entry into force of the GDPR opens up ambitious perspectives for the protection of data subjects and their capability to take back the control of their personal data, as well as for the free movement of data within and outside the EU. Greek legislation is in the process of being adapted to the changes introduced by the GDPR.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
See Areios Pagos (plenary session) no. 1/2017.
- 3.
See Law 2068/1992 Government Gazette A 118, valid from 01.12.2005; see also Tsevas (2010), pp. 92 ff.
- 4.
- 5.
Government Gazette A 50.
- 6.
- 7.
- 8.
Law 3471/2006 replaced Law 2774/1999, which previously had transposed Directive 97/66/EC. The provisions of the second part of Law 3471/2006 (articles 18–31) amended Law 2472/1996.
- 9.
Government Gazette A 82.
- 10.
Article 3 § 2 L. 3471/2006. However, according to a different—not predominant—interpretation of Art. 3 § 2, based on the argument of consistency to article 9A of the Constitution, the provisions of Law 3471/2006 were only applicable when they were more favorable to the data subject, see Christodoulou (2013), pp. 152 ff.
- 11.
See Iglezakis (2009), p. 197.
- 12.
Government Gazette A 136.
- 13.
Government Gazette A 22.
- 14.
See art. 4 GDPR and art. 2 L. 2472/1997.
- 15.
See DPA decision no. 38/2010.
- 16.
See Sotiropoulos (2006), pp. 84 and 89.
- 17.
See Mittleton (2016), p. 10.
- 18.
Areios Pagos no. 637/2013.
- 19.
First Instance Court of Thiva no. 54/2014.
- 20.
Court of Peace of Athens no. 4048/3014.
- 21.
Court of Appeal of Athens no. 3808/2014.
- 22.
See DPA decision no. 25/2013.
- 23.
- 24.
See DPA directive no. 115/2001; see also Court of Appeal of Athens no. 5433/2011 and Administrative First Instance Court of Thessaloniki no. 4796/2013.
- 25.
See DPA decision no. 59/2000.
- 26.
See DPA decisions nos. 86/2002, 24/2004, 25/2004 and 186/2014. See also Iglezakis (2006).
- 27.
Art. 2b L. 2472/1997; on sensitive data see Iglezakis (2003).
- 28.
In its Opinion no. 15/2001, DPA adopted the definition of genetic data given by the Council of Europe Recommendation R (97) 5 on the protection of medical data. Greek academics argued that certain types of genetic data are not covered by the definition of health data containing in Law 2472/1997, see, e.g., Papachristou and Papadopoulou-Klamaris (2006), pp. 41 ff.
- 29.
On this see also the decision of the Misdemeanor Court of Thessaloniki no. 1247/2011.
- 30.
- 31.
See the website of this Authority, at: www.dpa.gr/en.
- 32.
Art. 19 § 1b L. 2472/1997.
- 33.
See Papakonstantinou (2010), § 15.2.2.
- 34.
See art. 5 GDPR.
- 35.
Art. 5 § 1 L. 3471/2006.
- 36.
Art. 5 § 2 L. 3471/2006.
- 37.
- 38.
See Areios Pagos no. 1/2017 and Council of State nos. 1616/2012 & 2254/2005.
- 39.
Art. 5 § 2 L. 2472/1997.
- 40.
See also recital 46 of the GDPR.
- 41.
See Arkouli (2010), p. 44.
- 42.
See Alexandridou (2018), pp. 259 ff.
- 43.
Art. 9 §1b P.D. 131/2003.
- 44.
See Decision of the Minister of Economy and Development 316/2017, Government Gazette B 969.
- 45.
See P.D. 10/2017, Government Gazette A 23.
- 46.
Art. 11 § 1 L. 3471/2006. Recipient of the messages is the subscriber or user of electronic communications, as defined in art. 2 §§1–2 L. 3471/2006.
- 47.
Art. 11 § 3 L. 3471/2006.
- 48.
Art. 6 § 1 P.D. 131/2003.
- 49.
Art. 5 P.D. 131/2003.
- 50.
Art. 6 § 2 P.D. 131/2003.
- 51.
Art. 11 § 2 L. 3471/2006.
- 52.
See Delouka-Igglesis (2018), p. 599.
- 53.
Art. 9 § 5 L. 2251/1994.
- 54.
See DPA Directive no. 2/2011, published in the Government Gazette, B 889.
- 55.
Art. 11 § 5 L. 3471/2006.
- 56.
See DPA Decision no. 112/2012 addressing the issue of the use of geolocation technology for the location tracking of individuals, e.g., minors or patients.
- 57.
On this matter see also Christodoulou (2018), pp. 61 ff.
- 58.
See art. 18 of DPA Directive no. 1/2011 on the use of CCTV systems and the protection of individuals and property.
- 59.
- 60.
CJEU, 13.05.2014, C-131/12, Google Spain v. Agencia Española, ECLI:EU:C:2014:317.
- 61.
See DPA Decision no. 38/2002.
- 62.
However, this obligation was subject to Law 3917/2011, which provided for the traffic data’s retention for a period of 12 months.
- 63.
WP 225/26.11.2014. See DPA decisions nos. 82/2016, 83/2016 and 84/2016.
- 64.
- 65.
See, e.g. DPA Decision no. 245/2000 on processing of personal data of workers for the purposes of entrance and exit at the workplace by means of taking fingerprints and Decision no. 637/2000 on monitoring of the calls of workers at the workplace.
- 66.
See DPA Directive no. 115/2001.
- 67.
See also Areios Pagos no. 1/2017.
- 68.
See, e.g. DPA Decision no. 34/2018.
- 69.
Art. 5 DPA Directive no. 1/2011.
- 70.
Art. 18 DPA Directive no. 1/2011.
- 71.
See also DPA Directive no. 115/2001 on the processing of employees’ personal data, part e, §§ 6–8.
- 72.
See the recital 155 of the GDPR.
- 73.
Article 8 L. 3144/2003, Government Gazette A 111.
- 74.
See DPA Directive no. 115/2001 on the processing of employees’ personal data, part d, §7.
- 75.
Areios Pagos no. 1/2017.
- 76.
According to Areios Pagos, when an electronic correspondence has been terminated, it is no longer protected by art. 19 of the Constitution, which guarantees the correspondence secrecy, but by art. 9A of the Constitution on personal data protection. See also the Opinion no. 6/2008 of the Attorney of Areios Pagos, according to which a hard disk is not a means of communication; hence, the data stored in a hard disk do not fall within the protective scope of the communication secrecy.
- 77.
Art. 20 § 1 of the Constitution.
- 78.
Articles 5 and 106 § 2 of the Constitution.
- 79.
Article 9A of the Constitution.
- 80.
See Malagardi (2010), pp. 297 ff.
- 81.
See DPA Directive no. 115/2001.
- 82.
Art. 10 § 3 L. 2472/1997.
- 83.
Art. 4 § 1 d L. 2472/1997. See also DPA Directive no. 1/2005 concerning the secure destruction of personal data after the end of the period that is required for the accomplishment of the processing purpose.
- 84.
Art. 12 §§ 5–10 L. 3471/2006.
- 85.
Law 3418/2015, Government Gazette A 287.
- 86.
See Latsiou (2016), p. 155.
- 87.
Art. 12 L. 2472/1997 and art. 14 § 8 L. 3418/2005.
- 88.
Art. 14 § 10 L. 3418/2005.
- 89.
Papassiopi-Passia and Kourtis (2015), pp. 83 ff.
- 90.
See DPA Directive no. 1/2011 and Opinions nos. 1/2009 and 2/1010.
- 91.
See Tsolias (2016), pp. 363 ff.
- 92.
- 93.
Government Gazette A 121.
- 94.
See Manessis (1982), p. 238 and the decision of Areios Pagos no. 570/2006. The same steps were followed by the opinions of the Attorney of Areios Pagos nos. 9/2009, 12/2009 and 9/2011.
- 95.
Areios Pagos no. 924/2009, relied, inter alia, on the decision Copland v. UK. See also the ADAE Opinion no. 1/2005, by which the Authority changed its previous view and admitted the confidentiality of communication data.
- 96.
Art. 3 § 1 L. 3471/2006.
- 97.
Art 2a L. 3471/2006.
- 98.
Art. 11 § 7 L. 3471/2006.
- 99.
They may, inter alia, consist of data referring to the routing, duration, time or volume of a communication, to the protocol used, to the location of the terminal equipment of the sender or the recipient, to the network on which the communication originates or terminates, to the beginning, end or duration of a connection. They may also consist of the format in which the communication is conveyed by the network, see Art. 2 § 3 L. 3471/2006.
- 100.
See Council of State no. 1593/2016.
- 101.
- 102.
Art. 4 § 1 L. 3471/2006.
- 103.
Art. 4 § 2 L. 3471/2006.
- 104.
Art. 4 § 3 L. 3471/2006. The way in which parties are notified and give their consent as well as the manner and duration of storage for the recorded conversations and relevant traffic data are determined by act issued by the DPA.
- 105.
See Papadopoulos (2009), p. 216.
- 106.
Art. 4 § 4 L. 3471/2006.
- 107.
Art. 4 § 5 L. 3471/2006.
- 108.
Art. 6 § 2 L. 3471/2006.
- 109.
See L. 3917/2011 and §§ 2–6 L. 3471/2006.
- 110.
Art. 10 L. 3471/2006.
- 111.
Government Gazette A 47.
- 112.
See the website of this Authority, at: www.adae.gr/en.
- 113.
Art. 13 § 2 L. 3471/2006.
- 114.
Art. 6 L. 3115/2003.
- 115.
Art. 6 § 5 L. 3471/2006.
- 116.
Art. 8 § 7 L. 3471/2006.
- 117.
Art. 4 L. 3674/2008.
- 118.
Art. 6 L. 3674/2008.
- 119.
See Papakonstantinou (2010), § 15.3.01.
- 120.
Art. 3 § 2 b L. 2472/1997.
- 121.
Art. 2 b L. 2472/1997/.
- 122.
See Iglezakis (2011), p. 2.
- 123.
Art. 7 §2c L. 2472/1997.
- 124.
Areios Pagos 252/2018 (A 2). The same opinion has been expressed by the Authority, see, e.g., the decisions nos. 27/2001, 75/2001, 92/1011, 111/2011 and 4/2013.
- 125.
DPA Decision no. 12/2004.
- 126.
Government Gazette A 121.
- 127.
A panel of judges deciding in camera; their decisions must be reasoned like the decisions in public trials.
- 128.
Art. 5 §§2, 3 L. 2225/1994.
- 129.
Government Gazette A 64.
- 130.
Government Gazette A 22.
- 131.
As defined by art. 4 L. 2225/1995.
- 132.
Art. 19 § 1b of the Constitution.
- 133.
See Alexandropoulou-Aigyptiadou (2016), p. 102.
- 134.
Art. 7 § 2e L. 2472/1997.
- 135.
As laid down by articles 4 and 5 L. 2472/1997. See also Iglezakis (2003), p. 238.
- 136.
Art. 5 § 2d L. 2472/1997.
- 137.
Art. 11 § 4 L. 2472/1997.
- 138.
DPA Decision no. 19/2008.
- 139.
Articles 57 and 59 CC.
- 140.
Articles 914 and 932 CC.
- 141.
Art. 14 L. 2472/1997.
- 142.
Art. 23 L. 2472/1997 and Art. 14 L. 3471/2006.
- 143.
See Augoustianakis (2011), pp. 673 ff.
- 144.
See Areios Pagos no. 1284/2017.
- 145.
See Areios Pagos no. 476/2009.
- 146.
Areios Pagos no. 252/2018 (A 2). The same opinion was expressed in the past by academics, see Kornilakis (2002), p. 435.
- 147.
- 148.
The earlier legislation (L. 2472/1997) also imposed criminal sanctions for acts or omissions for which the Authority has not yet issued a decision, such as the non-notification of the establishment of a file or the operation of a file containing sensitive data without permit or in breach of the terms and conditions referred to the Authority’s relevant permit. Moreover, for not complying with the courts’ decisions ordering provisional measures as well as for not implementing decisions issued by the Authority. Furthermore, for unlawful transfer of personal data as well as interconnection of files without the Authority’s permit.
- 149.
Art. 21 L. 2472/1997.
- 150.
See, e.g., the DPA Decisions no. 61/2004 [notice addressed to employer to cease recording the webpages visited by employees], no. 11/2005 [notice addressed to banks and to an insurance company to apply the necessary procedures for the secure deletion of personal data after the termination of the period required for the purposes for which such data were processed], no. 17/2016 [notice to Mayor to delete postings in his Facebook containing references to third party’s sensitive personal data].
- 151.
See, e.g., the DPA decision no. 71/2017 [imposition of a fine of 10,000 euros on a telephone company for failing to implement the right to access according to Art. 12 L. 2472/1997].
- 152.
See, e.g., the decisions of the DPA: no. 38/2005 [prohibition to a TV station to re-broadcast and use a transcribed text containing unlawful processing of personal data], no. 8/2016 [order against a rehabilitation care center for disabled persons to uninstall video monitoring system that operated unlawfully and to destruct of any relevant file containing personal data collected], no. 245/2000 [order against a Municipality to disrupt data processing that intended to monitor the entrance and exit of employees at the workplace].
- 153.
DPA decision no. 98/2013.
- 154.
Art. 3 § 3 L. 2472/1997.
- 155.
See recital 19 of Directive 95/46; see also recital 22 GDPR.
- 156.
CJEU, 13.05.2014, C-131/12, Google Spain v Agencia Española, ECLI:EU:C:2014:317; 01.10.2015, C-230/14, Weltimmo v NAIH., ECLI:EU:C:2015:639.
- 157.
See art. 4 (16) GDPR.
- 158.
See the General Report, no. 4.2.
- 159.
CJEU, 06.11.2013, C-101/2001, Lindquist, ECLI:EU:C:2003:596. On this matter, see Yannopoulos (2001), pp. 733 ff.
- 160.
Compare this to art. 45 GDPR; for more details regarding the procedure provided for by the GDPR for the issuance of the Commission’s decision, see the General Report, no. 4.3.
- 161.
DPA Decision no. 12/2003.
- 162.
A permit was not required if the Commission had decided, based on art. 26 § 4 of Directive 95/46 that certain conventional clauses offered adequate safeguards for the protection of data.
- 163.
See Vlachopoulos (2018).
- 164.
- 165.
For the different theories that have been formulated on the issue see Vrellis (2008), pp. 249 ff.
- 166.
See Areios Pagos no. 903/2010.
- 167.
See Court of Appeals of Rhodes no. 220/2013.
- 168.
See Christodoulou (2010).
References
Alexandridou E (2018) Electronic commerce. In: Alexandridou E (ed) Law of consumer protection, 3rd edn. Nomiki Vivliothiki, Athens (in Greek)
Alexandropoulou-Aigyptiadou E (2016) Personal data. Nomiki Vivliothiki, Athens. (in Greek)
Anastassopoulos D (2016) Criminal protection of personal data. In: Kotsalis L (ed) Personal data. Nomiki Vivliothiki, Athens, pp 421 ff (in Greek)
Arkouli K (2010) Personal data protection in electronic communications. Nomiki Vivliothiki, Athens. (in Greek)
Armamentos P, Sotiropoulos V (2005) Personal data: interpretation of law 2472/1997. Sakkoulas Publications, Athens. (in Greek)
Armamentos P, Sotiropoulos V (2008) The amendments of law 2472/1997 by laws 3471/2006 and 3625/2007. Sakkoulas Publications, Athens. (in Greek)
Augoustianakis M (2011) Protection of individual from personal data processing. Hum Rights J 673. (in Greek)
Christodoulou K (2010) Internet provider’s liability for infringements of the private sphere. Media Commun Law J 328. (in Greek)
Christodoulou K (2013) Law of personal data. Nomiki Vivliothiki, Athens. (in Greek)
Christodoulou K (2018) Minor’s consent to personal data processing. In: Kotsalis L, Menoudakos K (eds) General Data Protection Regulation. Nomiki Vivliothiki, Athens (in Greek)
Christou V (2017) The right to protection against data processing. Sakkoulas Publications, Athens. (in Greek)
Chryssogonos K (2002) Individual and social rights. Nomiki Vivliothiki, Athens. (in Greek)
Delouka-Igglesis C (2018) Articles 9 and 9a-9i of law 2251/1994. In: Alexandridou E (ed) Law of consumer protection, 3rd edn. Nomiki Vivliothiki, Athens (in Greek)
Donos P (2000) The constitutional consolidation of the right to protection of the citizen against the processing of personal data and the corresponding independent authority. In: Papademetriou G (ed) Revision of the constitution and modernization of the institutions, pp 109 ff. (in Greek)
Donos P, Mitrou L, Mittleton P, Papakonstantinou V (2002) Personal data protection authority and the enhancement of the protection of rights. Sakkoulas Publications, Athens. (in Greek)
Douka V (2005) The protection of personal data in the employment relationship. Sakkoulas Publications, Athens. (in Greek)
Grammatikaki-Alexiou A (2016) Article 26 of the Greek Civil Code. In: Georgiadis A, Stathopoulos M (eds) Civil Code, 2nd edn, vol Ia. P.N. Sakkoulas, Athens (in Greek)
Iglezakis I (2003) Sensitive personal data. Sakkoulas Publications, Athens. (in Greek)
Iglezakis I (2006) Teiresias. Personal data protection in credit information systems. Sakkoulas Publications, Athens (in Greek)
Iglezakis I (2009) The law of electronic commerce. Sakkoulas Publications, Athens. (in Greek)
Iglezakis I (2011) Privacy protection. In: Manitotis D, Marinos M-T, Anthimos A, Iglezakis I, Nouskalis D (eds) Cyber law in Greece. Kluwer Law International
Iglezakis I (2014) The right to be forgotten and its limitations. Sakkoulas Publications, Athens. (in Greek)
Iglezakis I (2018) The General Data Protection Regulation. Interactive Books, Thessaloniki. (in Greek)
Iliadou E (2016) The constitutional safeguarding of personal data. In: Kotsalis L (ed) Personal data. Nomiki Vivliothiki, Athens (in Greek)
Karakostas I (2009) Law and internet. P.N. Sakkoulas, Athens (in Greek)
Kornilakis P (2002) Special law of obligations. Sakkoulas Publications, Athens. (in Greek)
Kotsalis L, Menoudakos Κ (2018) General Data Protection Regulation. Nomiki Vivliothiki, Athens. (in Greek)
Latsiou C (2016) Medical data. In: Kotsalis L (ed) Personal data. Nomiki Vivliothiki, Athens (in Greek)
Malagardi A (2010) New technologies – personal data and employment law. Ant. N. Sakkoulas, Athens (in Greek)
Manessis A (1982) Constitutional rights. Individual freedoms. Sakkoulas, Athens (in Greek)
Mitrou L (1999) The Personal Data Protection Authority. Ant. N. Sakkoulas, Athens (in Greek)
Mitrou L (2016) The protection of employees’ data. In: Kotsalis L (ed) Personal data. Nomiki Vivliothiki, Athens, pp 191 ff. (in Greek)
Mitrou L (2017) The General Data Protection Regulation. Sakkoulas Publications, Athens. (in Greek)
Mittleton P (2016) The concept of personal data. In: Kotsalis L (ed) Personal data. Nomiki Vivliothiki, Athens, pp 5 ff. (in Greek)
Nouskalis G (2005) Criminal protection of personal data (in Greek)
Panagopoulou-Koutnatzi F (2016) The evolution of the right to be forgotten. J Administ Law 714. (in Greek)
Panagopoulou-Koutnatzi F (2017) The General Data Protection Regulation 679/2016/EU. Sakkoulas Publications, Athens. (in Greek)
Papachristou T, Papadopoulou-Klamaris D (2006) Medical confidentiality. In: Kounougeri-Manoledaki Ε et al (eds) The new code of medical deontology (law 3418/2005). Sakkoulas Publications, Athens (in Greek)
Papadopoulos N (2009) Protection of the confidentiality of communication. Interpretive approach to Article 19 of the Constitution of Greece. P.N. Sakkoulas, Athens (in Greek)
Papakonstantinou E (2010) Computer law. Sakkoulas Publications, Athens. (in Greek)
Papassiopi-Passia Z, Kourtis V (2015) Law of Aliens. Sakkoulas Publications, Athens (in Greek)
Sotiropoulos V (2006) The constitutional protection of personal data. Sakkoulas Publications, Athens. (in Greek)
Spyropoulos P, Fortsakis T (2009) Constitutional law in Greece. Kluwer Law International
Tountopoulos V (2000) The protection of personal data in the field of telecommunications. Bus Company Law 475
Tsevas Α (2010) Personal data and mass media. Ant. N. Sakkoulas, Athens (in Greek)
Tsolias G (2016) Risks to individual’s personal data due to the use of unmanned aerial vehicles (U.A.V., “drones”). In: Kotsalis L (ed) Personal data. Nomiki Vivliothiki, Athens (in Greek)
Vidalis T (2006) A suggestion for a constitutional right to participate in the information society. In: Papachristou T, Vidalis T, Mitrou L, Takis A (eds) The right to participate in the information society. Sakkoulas, Athens (in Greek)
Vlachopoulos S (2018) Cross-border transfer of personal data from E.U. to third countries. In: Centre of International and European Economic Law, Personal data protection, Sakkoulas Publications, Thessaloniki, pp 27 ff (in Greek)
Vrellis S (2008) Private international law, 3rd edn. Nomiki Vivliothiki, Athens. (in Greek)
Yannopoulos G (2001) Protection of personal data and cross-border flow of information. Revue hellénique des droit de l’homme 11 (in Greek)
Yerontas A (2002) Citizens’ protection against the electronic processing of personal data (in Greek)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kourtis, V. (2020). Data Protection in the Internet: Greece. In: Moura Vicente, D., de Vasconcelos Casimiro, S. (eds) Data Protection in the Internet. Ius Comparatum - Global Studies in Comparative Law, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-28049-9_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-28049-9_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28048-2
Online ISBN: 978-3-030-28049-9
eBook Packages: Law and CriminologyLaw and Criminology (R0)