Last review date: 19 December 2024
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures e.g., encryption
Not a strict legal requirement, but encryption is considered by the GDPR to be an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify its absence.
Last review date: 19 December 2024
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ digital or connected (IoT) products
☒ other
According to paragraph 1 of article 15 of Law 5160/2024 incorporating article 21 and paragraph 1 of article 24 of Directive 2022/2555 (NIS2):
“1. Key and significant entities shall take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of network and information systems that they use for their activities or for the provision of their services and to prevent or minimize the impact of incidents on the recipients of their services or on other services and organizations. Taking into account the most up-to-date and, where appropriate, relevant national, European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems that is proportionate to the risk involved. When assessing the proportionality of those measures, account shall be taken of the entity's exposure to risks, the size of the entity, the likelihood of incidents occurring and their severity, including their social and economic impact.”
☒ Data privacy
☒ Securities or public company
☒ network information security
☒ financial services
☒ telecommunications
Last review date: 19 December 2024
Yes.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Last review date: 19 December 2024
☒ data protection authorities
☒ affected individuals
According to para. 1 of article 34 of GDPR:
"When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
☒ other
There shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner, if communicating with each data subject individually would involve disproportionate effort.
The above is the exception provided in para. 3(c) of article 34 of GDPR, which provides no specific or general timeframe for breach notification.
Last review date: 19 December 2024
☒ controller / owner
Last review date: 19 December 2024
☒ cybersecurity authorities
☒ other
On 23 September 2020, the Greek Government published Law 4727/2020 on the incorporation into Greek legislation of EU Directives 2016/2102, 2019/1024 and 2018/1972 ("EECC") and other provisions, in Government Gazette issue nr. 184/A/23.09.2020.
In particular, article 40 of EU Directive 2018/1972 has been incorporated into Greek legislation by article 148 of Law 4727/2020.
Article 148 of Law 4727/2020, which is more or less a Greek translation of the relevant provisions of article 40 of the EECC, provides the following with regard to the notification timeframe:
"providers of public electronic communications networks or of publicly available electronic communications services notify A.D.A.E. (i.e. the Hellenic Authority for Communication Security & Privacy) without delay of every security incident that has had a significant impact on the operation of networks and services".
According to article 16 of Law 5160/2024 (incorporating article 23 of Directive 2022/2555 (NIS2)) on incident reporting obligations:
“1. Key and significant entities shall notify, without delay, the Computer Security Incident Response Team ("CSIRT") of the National Cybersecurity Authority of any incident that has a significant impact on the provision of their services, in accordance with paragraph 3 (significant incident). Where appropriate, the entities concerned shall notify, without undue delay, the recipients of their services of significant incidents that may adversely affect the provision of those services. Such entities shall, inter alia, report any information that allows the National Cybersecurity Authority to determine the cross-border implications of the incident. The simple act of notification does not entail liability of the notifying entity. In the event of a cross-border or cross-sectoral significant incident, the National Cybersecurity Authority shall provide, without delay, to the single points of contact referred to in paragraph 8 the relevant information notified to it in accordance with paragraph 4.
2. Key and significant entities shall, without delay, notify the relevant recipients of their services that may be affected by a significant cyber threat of measures or remedial actions that they can take to address that threat. The entities shall also inform those recipients of the significant cyber threat.
3. An incident is considered significant if:
a) it has caused or may cause serious operational disruption of services or financial damage to the entity concerned,
b) it has affected or may affect other natural or legal persons, causing significant material or non-material damage.
4. For the notification of par. 1, the relevant entities shall submit to the National Cybersecurity Authority:
a) without undue delay and in any event within twenty-four (24) hours of becoming aware of the significant incident, a warning, which, where appropriate, states whether there is a suspicion that the significant incident was caused by illegal or malicious actions or could have a cross-border impact,
b) without undue delay and in any case within seventy-two (72) hours from the moment they became aware of the significant incident, an incident notification, which, where applicable, updates the information referred to in point a) and, in addition, includes an initial assessment of the significant incident, including its severity and impact, as well as, if any, the indications of the breach,
c) upon request of the National Cybersecurity Authority, an interim report on relevant updates of the situation,
d) a final report no later than one (1) month after the submission of the incident notification in accordance with paragraph b).”