Greece applies the General Data Protection Regulation (GDPR) directly as EU law, supplemented by national implementing legislation that creates additional obligations specific to the Greek legal environment. Businesses operating in Greece - whether as data controllers or processors - face a regulatory framework with real enforcement teeth: administrative fines, civil liability claims, and criminal sanctions under Greek law. Understanding how GDPR operates in the Greek context, where national law adds layers of complexity, is essential for any international company with a Greek establishment, Greek customers, or data flows touching Greek territory.
This article covers the Greek supervisory authority and its enforcement posture, the national implementing law and its key derogations, consent and lawful basis requirements as applied in Greek practice, data breach notification obligations, cross-border data transfer rules, DPO appointment requirements, and the practical litigation and enforcement landscape. Each section identifies the concrete risks that international clients most commonly underestimate.
The Hellenic Data Protection Authority (Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, HDPA) is the independent supervisory authority established under Article 51 of the GDPR and given its domestic mandate by Law 4624/2019. The HDPA operates with investigative, corrective, and advisory powers that mirror the full range contemplated by GDPR Article 58.
The HDPA's corrective powers include issuing warnings, reprimands, temporary or permanent bans on processing, and administrative fines. Fines under GDPR Article 83 apply in Greece with the same two-tier structure used across the EU: up to EUR 10 million or 2% of global annual turnover for procedural violations, and up to EUR 20 million or 4% of global annual turnover for substantive violations. Greek courts have confirmed that the HDPA may impose fines on both controllers and processors, including entities established outside Greece where they process data of Greek residents.
The HDPA conducts both complaint-driven and ex officio investigations. Complaint-driven investigations are triggered when a data subject files a complaint under GDPR Article 77. The HDPA must inform the complainant of the outcome, typically within three months, though complex investigations extend considerably longer. Ex officio investigations arise from the HDPA's own monitoring activity, sector-specific audits, or referrals from other Greek public bodies.
A non-obvious risk for international businesses is the HDPA's practice of coordinating with other EU supervisory authorities through the consistency mechanism under GDPR Article 63 and the one-stop-shop mechanism under Article 56. Where a company's main EU establishment is in another member state, the HDPA may act as a concerned supervisory authority and formally object to draft decisions of the lead authority. Greek data subjects' complaints about multinational companies are therefore not simply absorbed into another jurisdiction's process - the HDPA retains an active role.
In practice, the HDPA publishes its decisions on its official website, creating reputational exposure beyond the financial penalty itself. Greek media regularly report on significant HDPA decisions, and the reputational dimension of enforcement is a material business risk that many international clients underestimate when assessing the cost of non-compliance.
To receive a checklist on HDPA compliance readiness for Greece, send a request to info@vlo.com.
Greece implemented the GDPR through Law 4624/2019 (the Greek Data Protection Law), which came into force on August 29, 2019. This law exercises the derogations and specifications permitted by GDPR Articles 6(2), 9(4), 23, and others, creating a national overlay that international businesses must understand alongside the regulation itself.
Several derogations in Law 4624/2019 are particularly relevant to business operations.
A common mistake made by international businesses is treating Greece as a jurisdiction where GDPR alone governs, without reviewing Law 4624/2019 for sector-specific or category-specific derogations. The national law is not merely procedural - it creates substantive obligations and permissions that differ from the default GDPR framework.
Law 4624/2019 also establishes criminal sanctions under Article 38, which go beyond the administrative fine regime. Unlawful processing of special categories of data, processing in violation of a supervisory authority order, and obstruction of HDPA investigations can result in criminal prosecution. Penalties range from fines to imprisonment, with more serious offences carrying custodial sentences of up to five years. These criminal provisions apply to natural persons, including company directors and data protection officers who are found to have acted negligently or intentionally.
Every processing activity in Greece must rest on one of the six lawful bases under GDPR Article 6. In practice, Greek businesses and international companies operating in Greece most frequently rely on consent, contract performance, legal obligation, and legitimate interests. The HDPA's enforcement record and published guidance provide important signals about how each basis is interpreted in the Greek context.
Consent under GDPR Article 7 must be freely given, specific, informed, and unambiguous. The HDPA has consistently held that pre-ticked boxes, bundled consent, and consent obtained as a condition of service do not meet the freely given standard. For direct marketing to Greek consumers, consent is the required basis under both GDPR and the Greek implementing provisions of the ePrivacy Directive (Law 3471/2006, as amended). Law 3471/2006 Article 11 specifically prohibits unsolicited electronic communications for direct marketing purposes without prior consent, and the HDPA enforces this provision actively. Businesses conducting email or SMS marketing campaigns to Greek recipients must maintain documented, granular consent records.
Legitimate interests under GDPR Article 6(1)(f) require a three-part balancing test: identifying a legitimate interest, demonstrating necessity, and confirming that the interest is not overridden by the data subject's rights. The HDPA has not published a comprehensive legitimate interests guidance document equivalent to those issued by some other EU supervisory authorities, but its decisions indicate a cautious approach. Reliance on legitimate interests for processing that involves profiling, behavioural tracking, or large-scale data aggregation is treated with particular scrutiny. A non-obvious risk is that the HDPA may challenge a legitimate interests assessment that was prepared in another EU jurisdiction and applied to Greek processing without local review.
Contract performance under GDPR Article 6(1)(b) is frequently misapplied. The HDPA's position, consistent with the European Data Protection Board's guidance, is that this basis covers only processing that is objectively necessary for the specific contract with the data subject. Processing for fraud prevention, analytics, or product improvement cannot be justified under contract performance even where the contract mentions these activities.
Special categories of data under GDPR Article 9 require an additional condition from the exhaustive list in Article 9(2), supplemented by Law 4624/2019. Explicit consent remains the most commonly used condition for private sector processing of health, biometric, or genetic data. The HDPA has emphasised that explicit consent for special categories must be separate from general consent and must specifically identify the category of data and the purpose.
Practical scenario one: A Greek e-commerce retailer collects customer email addresses at checkout and uses them for a loyalty programme and third-party marketing partnerships. The retailer relies on a single consent checkbox covering both uses. The HDPA would likely find this consent invalid for the third-party marketing purpose, because bundled consent does not allow the customer to consent separately to each purpose. The retailer faces potential fines and an obligation to re-obtain valid consent or cease the third-party marketing activity.
Practical scenario two: A multinational employer with a Greek subsidiary implements a global HR information system that processes employee performance data, health absence records, and salary information. The employer relies on contract performance as the lawful basis for all processing. The HDPA would challenge this approach for health data, which requires an explicit condition under Article 9(2), and for performance data used for purposes beyond direct employment management. The employer needs a layered lawful basis analysis covering each data category and processing purpose.
To receive a checklist on lawful basis mapping for data processing activities in Greece, send a request to info@vlo.com.
A personal data breach is defined under GDPR Article 4(12) as a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Greek law does not modify this definition, but Law 4624/2019 and HDPA guidance clarify the procedural obligations for controllers and processors operating in Greece.
Controller obligations under GDPR Article 33 require notification to the HDPA within 72 hours of becoming aware of a breach, where the breach is likely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock starts when the controller has sufficient information to determine that a breach has occurred - not necessarily when the full scope of the breach is known. The HDPA accepts phased notifications where the full picture is not available within 72 hours, provided the initial notification is submitted on time and supplemented as information becomes available.
Notification to the HDPA must be made through the authority's online portal and must include, at minimum: a description of the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of records affected, the name and contact details of the DPO or other contact point, a description of likely consequences, and the measures taken or proposed to address the breach.
Data subject notification under GDPR Article 34 is required where the breach is likely to result in a high risk to the rights and freedoms of natural persons. The HDPA has indicated that breaches involving financial data, health data, identity documents, or login credentials typically meet the high risk threshold. Notification to data subjects must be in clear and plain language and must not be delayed beyond what is necessary. Where direct notification is disproportionate - for example, where contact details are unavailable - a public communication may substitute.
Processor obligations require notification to the controller without undue delay upon becoming aware of a breach, under GDPR Article 33(2). Data processing agreements governed by Greek law or covering Greek processing must include provisions specifying the processor's breach notification obligations, the information to be provided, and the timeline. A common mistake is drafting data processing agreements that satisfy the formal requirements of GDPR Article 28 but fail to specify a concrete notification timeline for the processor, leaving the controller unable to meet its own 72-hour obligation.
The HDPA has imposed fines for late breach notification and for failure to notify at all. The authority has also sanctioned controllers for inadequate breach documentation - GDPR Article 33(5) requires controllers to document all breaches, including those that do not require notification, with the reasoning for the decision not to notify. This internal documentation obligation is frequently overlooked by smaller businesses and by international companies that manage their breach response centrally from another jurisdiction.
Practical scenario three: A Greek financial services firm discovers that a third-party IT service provider suffered a ransomware attack that encrypted customer account data. The firm becomes aware of the incident on a Monday morning. By Wednesday morning - 48 hours later - the firm has confirmed that customer data was affected but does not yet know the full scope. The firm must submit an initial notification to the HDPA by Thursday morning at the latest, even if the investigation is incomplete. Waiting for the full forensic report before notifying is a common and costly mistake - the HDPA treats delayed notification as a separate violation from the breach itself.
The cost of breach response in Greece includes not only potential HDPA fines but also legal fees for managing the investigation, notification process, and any subsequent HDPA inquiry. Legal fees for breach response typically start from the low thousands of EUR for straightforward incidents and scale significantly for complex multi-party breaches involving large numbers of data subjects.
Cross-border data transfers from Greece to third countries outside the European Economic Area are governed by GDPR Chapter V, which applies uniformly across the EU. However, several practical and procedural considerations are specific to the Greek context.
Adequacy decisions under GDPR Article 45 permit transfers to countries that the European Commission has recognised as providing an adequate level of data protection. Transfers to adequacy-recognised countries - currently including the United Kingdom under a time-limited arrangement, Japan, Canada for commercial organisations, and others - do not require additional safeguards. Businesses operating in Greece should monitor the status of adequacy decisions, as they can be suspended or revoked.
Standard contractual clauses (SCCs) under GDPR Article 46(2)(c) are the most commonly used transfer mechanism for Greek businesses transferring data to non-adequate third countries. The European Commission's updated SCCs, adopted in June 2021, replaced the earlier versions and must be used for new contracts. Greek law does not impose additional requirements for SCCs beyond those in the GDPR and the Commission's implementing decision, but the HDPA expects controllers to complete a transfer impact assessment (TIA) before relying on SCCs, particularly for transfers to countries with broad government access to data.
Binding corporate rules (BCRs) under GDPR Article 47 are available for intra-group transfers within multinational companies. BCR approval requires coordination with a lead supervisory authority. For companies whose main EU establishment is in Greece, the HDPA would act as the lead authority for BCR approval. In practice, few companies choose Greece as their BCR lead authority, but the option exists and may be relevant for companies with significant Greek operations.
Derogations under GDPR Article 49 permit transfers in specific circumstances without an adequacy decision or appropriate safeguards: explicit consent of the data subject, necessity for contract performance, important reasons of public interest, establishment of legal claims, and vital interests. The HDPA treats Article 49 derogations as exceptions to be used sparingly, not as routine transfer mechanisms. Reliance on explicit consent for systematic, large-scale transfers is specifically discouraged in HDPA guidance consistent with the EDPB's position.
A non-obvious risk for Greek businesses using cloud services or SaaS platforms with servers outside the EEA is that the data transfer analysis must cover not only the primary service provider but also sub-processors. Many standard cloud contracts include sub-processor lists that extend to countries without adequacy decisions, and the Greek controller remains responsible for ensuring that each link in the transfer chain is covered by an appropriate mechanism.
Law 4624/2019 does not create additional transfer restrictions beyond GDPR Chapter V, but it does reinforce the HDPA's authority to suspend or prohibit transfers where it finds that a third country cannot ensure an adequate level of protection in a specific case, consistent with GDPR Article 58(2)(j).
The Data Protection Officer (DPO) is a mandatory role under GDPR Article 37 for three categories of organisations: public authorities and bodies, controllers or processors whose core activities require large-scale, regular, and systematic monitoring of data subjects, and controllers or processors whose core activities involve large-scale processing of special categories of data or criminal conviction data.
Law 4624/2019 Article 37 extends the mandatory DPO requirement to all Greek public sector bodies, consistent with GDPR Article 37(1)(a), and adds specific provisions for public authorities at the central and local government level. For private sector organisations, the GDPR's three-category test applies without modification.
Qualification requirements: The DPO must have expert knowledge of data protection law and practice, under GDPR Article 37(5). Greek law does not prescribe a specific qualification or certification, but the HDPA has indicated in guidance that DPOs should demonstrate knowledge of both GDPR and Law 4624/2019, as well as familiarity with the specific sector in which the organisation operates. For organisations processing health data, financial data, or data in regulated sectors, sector-specific knowledge is expected.
Independence and conflict of interest: The DPO must not receive instructions regarding the exercise of their tasks, under GDPR Article 38(3). The HDPA has taken enforcement action against organisations where the DPO was also the head of IT, the legal director, or another role with decision-making authority over processing activities. This conflict of interest issue is a common problem for smaller Greek companies that appoint an existing employee as DPO without restructuring their reporting lines.
External DPO: GDPR Article 37(6) permits the DPO function to be fulfilled by an external service provider under a service contract. This model is widely used in Greece, particularly by small and medium-sized enterprises and by international companies with Greek establishments that do not have sufficient local data protection expertise in-house. An external DPO must have the same access to management and resources as an internal DPO, and the service contract must not limit the DPO's independence.
Registration with the HDPA: Law 4624/2019 Article 37(7) requires controllers and processors to register their DPO's contact details with the HDPA. Registration is done through the HDPA's online portal. Failure to register the DPO is a procedural violation that can result in a warning or fine, and the HDPA checks DPO registration as part of its routine compliance monitoring.
The DPO's tasks under GDPR Article 39 include informing and advising the organisation on data protection obligations, monitoring compliance, advising on data protection impact assessments (DPIAs), cooperating with the HDPA, and acting as the contact point for the HDPA and for data subjects. In Greece, the DPO is also expected to maintain the record of processing activities (ROPA) under GDPR Article 30, which the HDPA may request at any time.
Many organisations underappreciate the practical burden of the ROPA obligation. Greek businesses with complex processing activities - particularly those in retail, hospitality, healthcare, and financial services - often have dozens of processing activities that must be documented with the information required by Article 30. Maintaining an accurate, up-to-date ROPA requires ongoing effort and a clear internal process for capturing new processing activities before they commence.
The HDPA is the primary enforcement body for data protection in Greece, but it is not the only avenue for redress. Data subjects have the right to bring civil claims directly against controllers and processors under GDPR Article 82, which provides for compensation for both material and non-material damage caused by a GDPR violation.
Civil liability under GDPR Article 82: Greek courts apply Article 82 in conjunction with the general provisions of the Greek Civil Code (Αστικός Κώδικας) on liability for unlawful acts. Non-material damage - including distress, loss of control over personal data, and reputational harm - is compensable under Greek law, consistent with the Court of Justice of the European Union's interpretation of Article 82. Greek courts have awarded compensation for non-material damage in data protection cases, though the quantum of awards remains modest compared to some other EU jurisdictions.
Jurisdiction and venue: Civil claims for GDPR violations in Greece are brought before the civil courts. The competent court depends on the value of the claim and the location of the parties. Claims against controllers or processors established in Greece are brought in the courts of the defendant's registered seat. Claims against foreign controllers or processors may be brought in Greece where the data subject is habitually resident, under GDPR Article 79(2).
Class actions and representative actions: Greek procedural law (Code of Civil Procedure, Κώδικας Πολιτικής Δικονομίας) does not have a US-style class action mechanism, but GDPR Article 80 permits not-for-profit bodies, organisations, or associations to bring complaints and claims on behalf of data subjects. Greek consumer protection organisations have used this mechanism to file collective complaints with the HDPA. The Directive on Representative Actions (EU 2020/1828), implemented in Greece, provides an additional framework for collective redress in consumer data protection matters.
Pre-trial procedures: Before bringing a civil claim, Greek law generally requires an attempt at amicable resolution. For data protection disputes, the practical pre-litigation step is often a formal complaint to the HDPA, which may result in a decision that supports the subsequent civil claim. The HDPA's decision is not binding on the civil court but carries significant evidentiary weight.
Electronic filing: Greek courts have progressively expanded electronic filing capabilities. The e-filing system (e-Justice portal) is available for certain civil proceedings, and the HDPA's own complaint and notification processes are conducted through its online portal. International businesses should ensure that their Greek legal representatives are equipped to use these systems, as paper-only processes create delays.
Criminal enforcement: As noted above, Law 4624/2019 Article 38 creates criminal offences for serious data protection violations. Criminal proceedings are initiated by the public prosecutor (Εισαγγελέας) and are separate from HDPA administrative proceedings. A single incident can give rise to parallel HDPA enforcement, civil liability claims, and criminal prosecution. This multi-track exposure is a risk that international companies often fail to account for in their incident response planning.
The business economics of data protection enforcement in Greece are significant. An HDPA investigation that results in a formal decision typically takes between 12 and 24 months from the initial complaint or ex officio trigger to the final decision. Legal representation before the HDPA and in subsequent court proceedings involves fees that typically start from the low thousands of EUR for straightforward matters and scale considerably for complex investigations involving multiple parties or large datasets. The indirect costs - management time, reputational exposure, and the cost of remediation measures ordered by the HDPA - frequently exceed the direct legal fees.
The risk of inaction is concrete: a data subject complaint filed with the HDPA triggers a formal investigation process that the controller cannot simply ignore. Failure to respond to HDPA information requests within the specified deadline - typically 15 to 30 days depending on the nature of the request - is itself a violation that can result in additional fines. International companies that route all HDPA correspondence through a central legal team in another jurisdiction without a Greek-qualified lawyer in the loop frequently miss these deadlines.
To receive a checklist on HDPA enforcement response procedures for Greece, send a request to info@vlo.com.
What are the most significant practical risks for a foreign company processing data of Greek residents without a Greek establishment?
A foreign company that targets Greek residents with goods or services, or monitors their behaviour, falls within the territorial scope of GDPR Article 3(2) regardless of where it is established. Such a company must designate a representative in the EU under GDPR Article 27 if it does not have an EU establishment - and that representative can be located in any EU member state, not necessarily Greece. However, the HDPA retains jurisdiction to investigate complaints from Greek data subjects and to take enforcement action. The representative designation does not insulate the company from HDPA enforcement; it simply provides a local contact point. Foreign companies that fail to designate an EU representative face a separate fine of up to EUR 10 million or 2% of global turnover under GDPR Article 83(4), in addition to any fines for substantive violations.
How long does an HDPA investigation typically take, and what are the financial consequences of an adverse decision?
An HDPA investigation from initial complaint to final decision typically takes between 12 and 24 months, though complex cases involving multiple parties or cross-border elements can take longer. During this period, the HDPA may issue interim measures, including temporary processing bans, which can disrupt business operations before any final decision is reached. An adverse HDPA decision can be appealed to the Administrative Court of Appeal (Διοικητικό Εφετείο) within 60 days of notification. The financial consequences of an adverse decision include the administrative fine, the cost of mandatory remediation measures, and the exposure to follow-on civil claims from affected data subjects. Companies that cooperate fully with the HDPA investigation, demonstrate prompt remediation, and have documented compliance programmes typically receive more favourable treatment in the HDPA's assessment of the appropriate fine level.
When should a company rely on legitimate interests rather than consent as the lawful basis for processing in Greece, and what are the risks of getting this wrong?
Legitimate interests is the appropriate basis where the processing is necessary for a genuine business purpose, the processing is proportionate to that purpose, and the data subject's interests do not override the business interest - for example, fraud prevention, network security, or intra-group administrative transfers. Consent is the appropriate basis where the processing is not strictly necessary for the service, where the data subject has a genuine choice, and where the company needs to demonstrate that choice was freely made - for example, direct marketing or optional personalisation features. The risk of misidentifying the lawful basis is that the processing is unlawful from the outset, regardless of how well other aspects of the compliance programme are managed. The HDPA cannot simply substitute a different lawful basis after the fact; the controller must stop the processing, re-evaluate the basis, and potentially re-obtain consent or restructure the processing activity. This can require significant operational changes and creates exposure for the period during which the incorrect basis was relied upon.
Data protection compliance in Greece requires a precise understanding of both GDPR and Law 4624/2019, active engagement with the HDPA's enforcement priorities, and a practical approach to breach response, cross-border transfers, and DPO governance. The Greek regulatory environment is not a passive one - the HDPA investigates complaints, conducts audits, and imposes fines that reflect the full range of GDPR's enforcement framework. International businesses that treat Greek compliance as an extension of their general EU GDPR programme without reviewing the national implementing law, the HDPA's published decisions, and the specific procedural requirements of Greek law face material and avoidable risks.
Our law firm Vetrov & Partners has experience supporting clients in Greece on data protection and privacy matters. We can assist with HDPA compliance assessments, DPO support, data breach response, cross-border transfer structuring, and representation in HDPA investigations and civil proceedings. We can help build a strategy tailored to your specific processing activities and risk profile. To receive a consultation, contact: info@vlo.com