Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Greece - Data Protection

History of Data Protection in GREECE

The 1981 Council of Europe Convention regarding the protection of individuals from the automated processing of personal data was ratified by Greece over a decade after it was signed (Law 2068/1992) However, no specific data protection measures were adopted until 1997. In the meantime, Greek constitutional provisions provided the backbone of the protection of personal data.

It was soon recognized that such general provisions were inadequate to deal with the specific complex problems that had emerged. Despite this, successive attempts to introduce a dedicated data protection law in 1985, 1989, 1990, 1991 and 1992 all foundered. Finally, Law 2472/1997 was introduced, incorporating Directive 95/46/EC into Greek law, and establishing the Hellenic Data Protection Authority.

Laws 2819/2000 and 2915/2001 have since amended Law 2472/1997.

Summary of Data Protection in GREECE

Title of Data Protection Legislation Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data - as amended by Laws 2819/2000 and 2915/2000
Name of supervisory authority Hellenic Data Protection Authority
General Powers of supervisory authority The mission of the Hellenic Data Protection Authority is to supervise the implementation of Act 2472/97, Article 15 of which establishes the Authority. Artcle 19(1) sets out the powers of the authority. Among the powers are the following: 1) 19(1)(a): It shall issue instructions for the purpose of a uniform application of the rules pertaining to the protection of individuals against the processing of personal data. 2)19(1)(b): It shall call on and assist trade unions and other associations of legal and natural persons keeping personal data files in the preparation of codes of conduct for the more effective protection of the right to privacy and in general the rights and fundamental liberties of all natural persons active in their field. 3) 19(1)(c): It shall address recommendations and instructions to Controllers or to their representatives, if any, and shall publicise them, at its discretion. It shall deliver opinions with respect to any rules relating to the processing and protection of personal data. 4) 19(1)(k): It shall communicate to the parliament any breach of the rules relating to the protection of individuals from the processing of personal data.
Who has standing to notify the supervisory authority of breaches? The data subject
What are the penalties for data controllers if they breach the law? Law 2472/1997 sets out the penalties for breaches. Article 21 is concerned with administrative sanctions, for which punishments include fines, temporary or permanent revocations of licences, deleting the data concerned and cessation of processing. Article 22 deals with penal sanctions, which can be either a fine or imprisonment.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? No. The Greek national identification number, introduced by law 1599/1986, was abolished by law 1988/91.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when is not impracticable or inappropriate, unless in "exceptional" circumstances. See Article 5 of Law no. 2472/97.
Does the Data Protection Legislation cover the deceased? No
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions