This comes after the EU Commission called for Greece to be sanctioned by the Court of Justice of the European Union for failing to transpose the rules on the Data Protection Law Enforcement Directive before the 6 May 2018 deadline. The EU Commission sought a minimum lump sum of €1.310 million and a daily penalty payment of €22,169,70.

As the GDPR allowed for certain derogations, Greece, like most of the other EU member states, used its discretion to amend certain provisions. As such, the new law does not adopt the whole of GDPR. Under the Greek data protection law, national provisions have been enacted that relate to children’s age of consent, the process of appointing a data protection officer (DPO) in the public sector, sensitive data processing, data repurposing and deletion, and criminal sanctions.

Some of the key provisions of the Greek data protection law include:

(i) children under the age of 15 must have parental consent for information society services;

(ii) organisations are permitted to process special categories of personal data for predefined purposes, for example, the exercise of social security rights and obligations, preventative medicine, provision of health or social care, and assessing if an employee is fit to work;

(iii) processing of genetic data for health and insurance purposes is prohibited;

(iv) public authorities can process personal data for a different purpose than that for which the data was originally collected; and

(v) criminal sanctions for unauthorised data processing, for DPO violations of confidentiality and unauthorised data processing of sensitive data and data relating to the functioning of the Greek state or national security, and for processing in order to gain benefit or cause harm.

The Greek Data Protection Authority is likely to issue guidance documents in the coming months. In the meantime, companies should review their internal processes, policies, and documentation to ensure compliance with the new provisions.

Client Alert 2019-230