On August 12, 2019, the Greek Ministry of Justice published the long-awaited, draft legislation for implementing the General Data Protection Regulation (GDPR). Greece and Slovenia are the only two European Union (EU) countries that have not yet implemented the GDPR.
As an EU regulation, the GDPR has legally taken effect in every EU country, including Greece. In fact, the Greek Supervisory Authority recently imposed a 150,000EUR fine on a company for GDPR violations. However, the GDPR allows EU countries to adopt certain derogations, specifications, and exceptions through their implementing legislation. The draft, inter alia, does this through the following provisions:
- Age of Consent
The draft requires that a minor over 15 years old (and up to 18 years old) must consent to the processing of his/her personal data for the processing to be lawful. When a minor is under 15 years old, the minor’s legal guardian must consent.
- Data Protection Officer
The draft clarifies the process through which public authorities should appoint their data protection officer (DPO), and what the position of the DPO entails regarding their independence and duties. Notably, the draft provides criminal liability for DPOs in both private and public organizations (more on this below).
- Sensitive Data Processing
The draft deviates from the GDPR and permits sensitive data processing for several predefined purposes, including for insurance purposes, for preventive medicine, and to assess if an employee is fit to perform work. It also accommodates sensitive data processing that is based on a contract with a healthcare service provider or a service provider that is bound by confidentiality obligations. However, the draft prohibits the processing of genetic data for health insurance and life insurance purposes.
- Data Repurposing
The draft allows public authorities to process personal data for a different purpose than that for which the data was originally collected. Data repurposing is, for instance, allowed when the processing is “beneficial to the data subject and there is no reason to believe that the data subject would not have provided their consent if they knew the new purpose” [sic].
- Data deletion
The draft substitutes the data deletion right with data restriction where it is impossible to delete data due to the nature of the medium used or due to the disproportionate effort associated with said deletion.
- Certifications
The draft provides that the National Accreditation System (ESYD) is authorized to grant GDPR Article 42 certifications that a company’s security measures meet the EN-ISO/IEC 17065/2012 standard. ESYD was created in 2017 in an effort to streamline accreditations and to have a single body authorized to grant and revoke certifications. The Greek Supervisory Authority will provide guidance to assist ESYD with the certification requirements and eligibility.
- Criminal Sanctions
The draft provides criminal sanctions for certain GDPR related offenses. The table below summarizes the violation and the relevant criminal sanction, assuming it is not otherwise punished more severely under applicable law.
Infringement | Criminal sanction |
Unauthorized data processing (e.g., unauthorized access, copy, deletion, transmission, etc.) | Up to 1 year imprisonment |
DPO violating their confidentiality duty in order to gain benefit or cause harm | Up to 1 year imprisonment |
Unauthorized data processing and further transmission to other unauthorized individuals | Up to 5 years imprisonment |
Unauthorized data processing of sensitive data | Between 1-5 years imprisonment and up to 100,000EUR monetary penalty |
Unauthorized data processing in order to gain benefit or cause harm, of value greater than 120,000EUR | Between 5-10 years imprisonment |
Unauthorized data processing that relates to the functioning of the Greek state, or national security | Between 5-20 years imprisonment, and up to 300,000EUR monetary penalty |
Preliminary Assessment and Next Steps
The draft includes several noteworthy elements that merit further expert input and parliamentary debate. For instance, i) minors’ consent is required for data processing, which is against the spirit of the relevant GDPR provision; ii) the derogations allowed for sensitive data processing do not appear aligned with the GDPR provisions; iii) data repurposing is permitted under implied consent, which contradicts the GDPR; and iv) GDPR violations can lead to up to 20 years’ imprisonment. The DPO may also be held criminally liable, which jeopardizes the DPO’s independent role as envisioned under the GDPR. Further, the fact that the draft explicitly provides criminal liability may deter individuals from accepting DPO appointments.
Upon conclusion of the draft’s public consultation on August 20, 2019, the final draft is expected to be introduced to the Greek parliament, and then it will be up for a vote.