Greece - Data Breach Guide

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?

According to Article 33 of the General Data Protection Regulation (EU) 2016/679 (hereinafter the "GDPR"), in the case of a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons, data controllers must notify the breach to the Hellenic Data Protection Authority (hereinafter the "HDPA"). The notification must be made without undue delay and, where feasible, not later than 72 hours after the controller has become aware of the breach. Moreover, according to Article 34 of the GDPR, when the personal data breach is likely to result in a high risk to the rights and freedoms of the natural persons concerned, the controller must also communicate the personal data breach to the data subject without undue delay. Under Article 33, paragraph 5 of Law 4624/2019 (which implements the GDPR, transposes into national law the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and contains other provisions), the above obligation does not apply to the extent that the notification would disclose information of third parties which, either by legal provision or by its nature, must remain confidential.

Moreover, according to Article 12, paragraph 5 of Law 3471/2006 (a specific Act on the protection of personal data and privacy in the electronic communications sector), in the event of a personal data breach the provider of a publicly available electronic communications service must notify the Authority for Communication Security and Privacy ("ADAE") and the DPA without undue delay. Furthermore, according to paragraph 6 of the same Article, where a personal data breach may have detrimental consequences for the data owner, the provider must also notify the affected person without undue delay. Notification of the affected person is not required if, in accordance with paragraph 7 of Article 12, the provider has demonstrated to the satisfaction of the competent authorities that it had applied the appropriate technical security measures and that these measures were applied to the data concerned by the security breach.

1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

According to Article 33 of the GDPR, in the case of a personal data breach the controller must notify the breach to the HDPA. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. The notification shall at least:

1.2.1 describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

1.2.2 communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

1.2.3 describe the likely consequences of the personal data breach;

1.2.4 describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.

Furthermore, the provider of a publicly available electronic communications service, who in this case acts as a controller, should notify the Hellenic Authority for Communication Security and Privacy (ADAE) of any data breach in the electronic communications sector, irrespective of the type of data breached.

1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?

According to Article 33 of the GDPR, the notification must be made by the controller without undue delay and, where feasible, not later than 72 hours after having become aware of the incident. To report a breach to the HDPA, the controller must complete and submit a specific template form, which is available (both in Greek and English) on the HDPA's website. The controller may send the form to the following e-mail address: databreach@dpa.gr. The form is provided in two versions. The first uses macros to guide the controller through the process of filling it in. The second is a plain MS Excel file, without macros. The controller may choose either form. For security reasons the HDPA suggests that the controller send the form encrypted in such a way that it can be read only by the HDPA.

Furthermore, providers of publicly available electronic communications services must notify the Hellenic Authority for Communication Security and Privacy (ADAE) via the ADAE's online notification form (Article 12 (5) of Law 3471/2006 transposing the e-Privacy Directive).

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

1.4.1 Administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 (4) lit. a) of the GDPR and Article 39, paragraph 1 of Law 4624/2019).

1.4.2 Criminal sanctions of 1-10 years imprisonment and a monetary fine of EUR 100,000 – 300,000 (Article 38, paragraphs 3-5 of Law 4624/2019).

1.4.3 Compensation of at least EUR 10,000 for non-pecuniary damage according to Article 932 of the Civil Code, as described below under 1.4.4.

1.4.4 Additionally, pursuant to Article 11 of Law 3115/2003, in case of a breach of privacy in the telecommunications sector or a violation of its terms and procedures, the ADAE is empowered to impose the following sanctions on any natural person or legal entity:

• A warning with a definite deadline within which the violation must cease; or
• A fine ranging between EUR 15,000 and EUR 1,500,000.

These administrative sanctions shall only be imposed following the issuance of a substantiated decision of ADAE and a hearing of the interested parties. Any natural person or legal entity which, in breach of this law, causes material damage shall be liable for damages in full and, in the case of non-pecuniary damage, shall be liable for compensation. The compensation payable under Article 932 of the Civil Code for non-pecuniary damage is set at a minimum of EUR 10,000, unless a lesser amount is claimed. Such compensation shall be awarded irrespective of the claim for damages. The claims referred to above shall be litigated according to Articles 664-676 of the Code of Civil Procedure, irrespective of whether the Data Protection Authority has issued a relevant decision on the ascertainment of criminal activities or criminal charges.

Custodial sentences may be given in the following circumstances:
  • Anyone who unlawfully interferes in any way whatsoever with a personal data file of a subscriber or user, or takes notice of such data or extracts, alters, affects in a harmful manner, destroys, processes, transfers, discloses, makes accessible to unauthorized persons or permits such persons to take notice of such data, or anyone who exploits such data in any way whatsoever, will be punished by imprisonment for a period of at least one year and a fine of between EUR 10,000 and EUR 100,000, unless otherwise subject to more serious sanctions;
  • Any controller or representative thereof who does not comply with the acts of the Data Protection Authority (imposing the administrative penalties of provisional licence revocation, file destruction or interruption of processing of the pertinent data) will be punished by imprisonment for a period of at least two years and a fine of between EUR 12,000 and EUR 120,000;
  • If perpetrators of the acts referred to above gained an unlawful benefit on their own or on another person's behalf, or intended to cause harm to a third party, they shall be punished with imprisonment for a period of up to 10 years and a fine of between EUR 15,000 and EUR 150,000;
  • If this endangers the free operation of the democratic constitution or national security, the perpetrator shall be punished with imprisonment and a fine of between EUR 50,000 and EUR 350,000;
  • If the perpetrator committed these acts by negligence, they shall be punished with imprisonment for a period of up to 18 months and a maximum fine of EUR 10,000.

1.5 Even if there is no current legal obligation to do so, or if there is no "data controller" or "data processor" located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?

Under the recent Law 4624/2019, notification to individuals in the event of a data breach is mandatory.

1.6 What are the applicable data protection laws or guidelines within your country?

The main applicable data protection legislation consists of the GDPR, Law 4624/2019 and Law 3471/2006, as well as the specific guidelines, decisions and regulations issued from time to time by the HDPA, the Hellenic Telecommunications and Post Commission (EETT) and ADAE.

1.7 Contact information for Data Protection Authority:

1.7.1 Data Protection Authority:

Name: Hellenic Data Protection Authority
Offices Address: Kifissias 1-3, 115 23 Athens, Greece
Telephone: +30 210 6475600
Fax: +30 210 6475628
Email: contact@dpa.gr
Website: www.dpa.gr

1.7.2 Hellenic Authority for Communication Security and Privacy (ADAE):

Name: Hellenic Authority for Communication Security and Privacy (ADAE)
Offices Address: Ierou Lohou 3, Marousi 151 24, Athens, Greece
Telephone: +30-210 6387600, +30-210 6387601
Fax: +30-210 6387666
Email: info@adae.gr
Website: www.adae.gr

For more information, contact:

Name: Popi Papantoniou or Valeria Kokkinou
Firm: Bahas, Gramatidis & Partners
Address: Filellinon Street 26, Athens 105 58, Greece
Telephone: +30 120 331 8170
Fax: +30 120 331 8171
Email: p.papantoniou@bahagram.com or v.kokkinou@bahagram.com
Website: www.bahagram.com