Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 19 December 2024

  1. Greece has one data protection authority: the Hellenic Data Protection Authority ("HDPA"). According to article 5 of Law 5099/2024 on the adoption of measures for the implementation of Regulation (EU) 2022/2065 (DSA), the HDPA is responsible for the supervision of intermediary service providers and for the enforcement of point (d) of paragraph 1 and paragraph 3 of Article 26 (on informing users how advertisements are displayed and targeted) and paragraph 1 of Article 28 (on the protection of the personal data of minors) of the DSA.
  2. The Greek Authority for Communication Security and Privacy ("A.D.A.E.") is the regulator designated by Law 3471/2006 (which transposed Directive 2002/58/EC into Greek legislation) to protect the confidentiality of communications and the security of networks and information systems; together with the HDPA, it is the competent national authority for receiving data breach notifications.
  3. Law 5086/2024 established the National Cybersecurity Authority ("NCA"). According to article 4 of Law 5086/2024, the purpose of the NCA is to organize, coordinate, implement and control a comprehensive framework of strategies, measures and actions to achieve a high level of cybersecurity in Greece at the levels of prevention, protection, deterrence, detection, response, restoration and recovery from cyberattacks. According to article 17 of Law 5086/2024, the NCA has the power to impose sanctions for violations of the provisions of that law.
  4. Pursuant to Law 5099/2024 on the adoption of measures for the implementation of Regulation (EU) 2022/2065 (DSA), the National Telecommunications and Post Commission ("EETT") is the National Digital Services Coordinator and is responsible for supervising and checking compliance with the rules of the DSA in Greece. As the National Regulatory Authority, EETT also regulates, supervises and monitors the electronic communications market, the use of the radio frequency spectrum and the postal market.
  5. Pursuant to Law 4727/2020, the General Secretariat for Public Administration Information Systems of the Ministry of Digital Governance is responsible for the technical design and the production operation of the Single Digital Portal of Public Administration (EPSP). Digital public services, and in particular the exchange of electronic documents, public or private, between public sector bodies on the one hand and natural persons or legal entities on the other, are provided through the EPSP.
How active is each of the regulator(s)?

Last review date: 19 December 2024

Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 19 December 2024

The HDPA has imposed severe fines on data controllers for violations of the principles of lawfulness and transparency, of the security of processing, and for failure to satisfy data subjects' rights.

It is anticipated that the HDPA will continue to put emphasis on, and impose penalties for, violations of the principles of lawfulness, transparency, integrity and confidentiality, as well as failures to satisfy data subjects' rights.

EETT, as Digital Services Coordinator, and the HDPA, both competent authorities pursuant to article 5 of Law 5099/2024, issued Joint Decision no. 1/2024 regulating their cooperation in the effective implementation of the DSA, in particular the coordination of data and information collection and exchange, the use of information systems at national level, and the procedure for receiving and transmitting complaints.

The main relevant responsibilities of the A.D.A.E. are to (i) conduct regular and special audits in public service facilities or private companies providing postal, telecommunication and other services; (ii) hold hearings of electronic communications and postal services providers for the purpose of identifying possible violations of the legislation on the confidentiality of communications; (iii) examine complaints of violations of the confidentiality of telephone, internet and postal communications; and (iv) impose administrative sanctions in cases of violations of the confidentiality of communications.

The purpose of the NCA is to organize, coordinate, implement and control a comprehensive framework of strategies, measures and actions to achieve a high level of cybersecurity in Greece, at the level of prevention, protection, deterrence, detection, response, restoration and recovery from cyberattacks.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 19 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

Common

Class actions/group actions under data or cyber regulation are:

Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 19 December 2024

There are:

☒ administrative remedies from regulators and law enforcement

Law 4624/2019 leaves the administrative penalties provided in the GDPR unchanged as regards private entities; these may amount to up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Fines on public entities are limited by law to a maximum of EUR 10 million, the amount depending on the severity and duration of the violation.

☒ criminal penalties from regulators and law enforcement

According to Law 4624/2019, anyone who (a) interferes with a personal data filing system and thereby gains knowledge of such data, or (b) copies, destructs, alters, collects, organizes, files, deletes, destroys or otherwise uses such data unlawfully shall be punished with imprisonment of one year. In the case of special categories of data or data relating to criminal convictions or offences, imprisonment of at least one year and a fine of up to EUR 100,000 shall be imposed. If the offender intends to obtain an unlawful economic benefit for himself or for others, or to cause property damage, and the total benefit exceeds EUR 120,000, the offender shall be punished with imprisonment of up to ten years.

☒ private remedies
Individuals may, for example:

  • file complaints with the data protection authorities
  • claim damages for material or non-material damages

☒ other

According to paragraph 4 of article 24 of Law 5160/2024 (incorporating article 32 of Directive 2022/2555 (NIS2)) on supervisory and enforcement measures in relation to key entities:

“4. The National Cybersecurity Authority, when exercising its supervisory duties in relation to key entities, has the following responsibilities:

(a) issue warnings or recommendations regarding violations of this Part by the entities concerned;

(b) issue binding instructions and guidelines, including on measures necessary to prevent or remedy an incident, and set deadlines for the implementation of such measures and for reporting on their implementation, or order the entities concerned to remedy identified deficiencies or violations of this Part;

(c) order the entities concerned to cease conduct that violates this Part and to refrain from repeating such conduct;

(d) order the entities concerned to ensure that cybersecurity risk management measures are in line with Article 15 or to fulfil the reporting obligations set out in Article 16, in a specific manner and within a specific period of time;

(e) instruct the relevant entities to inform natural or legal persons, in relation to whom they provide services or carry out activities that may be affected by a significant cyber threat, of the nature of the threat, as well as of any protective or remedial measures that such natural or legal persons may take to address that threat;

(f) instruct the entities concerned to implement the recommendations made as a result of a security audit within a reasonable period of time;

(g) appoint a competent supervisor with clearly defined tasks for a specified period of time, in order to supervise the compliance of the relevant entities with Articles 15 and 16;

(h) order the relevant entities to make public information on violations of this Part in a specific manner and procedure;

(i) impose administrative fines in accordance with article 26, in addition to the measures in paragraphs a) to h).”

According to article 26 of Law 5160/2024 (incorporating articles 34 and 36 of Directive 2022/2555 (NIS2)) on the general conditions for the imposition of administrative fines on key and important entities (sanctions):

“1. Supervisory or enforcement measures imposed on key or significant entities in relation to this Part shall be effective, proportionate and dissuasive, taking into account the circumstances of each individual case.

2. Sanctions against natural or legal persons for the violation of the provisions of this Part shall be imposed by a specifically reasoned decision of the Director of the National Cybersecurity Authority, which shall be issued after a hearing following their summons, in accordance with article 6 of the Code of Administrative Procedure (Law 2690/1999, A' 45).

3. Decisions imposing fines and sanctions shall be notified to the interested parties and shall be posted, without delay, on the official website of the National Cybersecurity Authority. Decisions imposing fines and any other type of sanctions shall be appealed by means of an application for annulment to the competent Administrative Court of Appeal.

4. If a violation of Articles 15 or 16 is found, a fine of up to ten million (10,000,000) euros or up to two percent (2%) of the total worldwide annual turnover of the undertaking to which the significant entity belongs in the preceding financial year shall be imposed on the significant entities, whichever is higher.

5. If a breach of Articles 15 or 16 is found, a fine of up to seven million (7,000,000) euros or up to one point four percent (1.4%) of the total worldwide annual turnover of the undertaking to which the significant entity belongs in the preceding financial year shall be imposed on the significant entities, whichever is higher.

6. Administrative fines shall be imposed, in addition to the measures referred to in paragraphs a) to h) of paragraph 4 and paragraph 5 of article 24, as well as in paragraphs a) to g) of paragraph 4 of article 25, for the violation of paragraphs a) to h) of paragraph 4 and paragraph 5 of article 24, of a maximum amount of one million (1,000,000) euros, and for the violation of paragraphs a) to g) of paragraph 4 of article 25, of a maximum amount of seven hundred thousand (700,000) euros.

8. Without prejudice to the powers of the National Cybersecurity Authority in accordance with Articles 24 and 25, administrative fines shall be imposed on the entities referred to in point (f) of paragraph 2 of Article 3 that are subject to the obligations set out in this Part. Such fines may not be less than twenty thousand (20,000) euros and may not exceed five hundred thousand (500,000) euros.

9. If a violation is detected:

a) of paragraph 1 of article 14, a fine of a maximum amount of two hundred thousand (200,000) euros shall be imposed,

b) of paragraph 2 of article 14, a fine of a maximum of one hundred thousand (100,000) euros shall be imposed,

c) of article 19, a fine of a maximum of two hundred thousand (200,000) euros shall be imposed,

d) of article 20, a fine of a maximum of eight hundred thousand (800,000) euros shall be imposed,

e) of paragraph 3 of article 21, a fine of a maximum of one hundred thousand (100,000) euros shall be imposed,

f) of paragraphs 2 and 4 of article 24, a fine of a maximum of five hundred thousand (500,000) euros shall be imposed,

g) of paragraph 2 of article 25, a fine of a maximum of three hundred and fifty thousand (350,000) euros shall be imposed, and

h) of paragraph 6 of article 15, a fine of a maximum of three hundred thousand (300,000) euros shall be imposed.”

If data subjects have private remedies, what form can these remedies take?

Last review date: 19 December 2024

☒ individual personal actions

☒ representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)