European Data Protection Rules

GREECE

 

The Hellenic Data Protection Authority website: http://www.dpa.gr/portal/page?_pageid=33,40911&_dad=portal&_schema=PORTAL

 

Law 3471/2006 – The Protection of personal data and privacy in the electronic telecommunications sector and amendment of law 2472/1997: http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%203471-2006-EN.PDF

 

Law 2472/1997 - The Protection of Individuals with regard to the Processing of Personal Data: http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%202472-97-APRIL010-EN%20_2_.PDF

 

What needs to be done prior to collection?

 

NOTIFY THE DATA PROTECTION AUTHORITY

 

Article 6 – Notification

 

  1. The controller must notify the authority in writing about the establishment and operation of  a file or the commencement of data processing

 

  2. In the course of the aforementioned notification, the Controller must necessarily declare the following:
    1. His/her name, trade name or distinctive title as well as his/her address
    2. The address where the file or the main hardware supporting the data processing are established
    3. The description of the purpose of the processing of personal data
    4. The category of personal data that are being processed or about to be processed or included or about to be included in that file
    5. The time period during which he/she intends to carry out data processing or to preserve the file
    6. The recipients or the categories of recipients to whom such personal data may be communicated
    7. Any transfer and the purpose of such transfer of personal data to third countries
    8. The basic characteristics of the system and the safety measures taken for the protection of the files or data processing

 

  3. The data referred to in the preceding paragraph will be registered with the Files and Data Processing Register kept by the Authority

 

  4. Any modification of the data referred to in paragraph 2 must be communicated in writing and without any undue delay by the Controller to the Authority

 

Article 7 – Processing of sensitive information

 

This Article refers to the collection of sensitive data. The collection of sensitive data is prohibited. Exceptionally the collection will be permitted if one of the listed conditions occurs. The Authority shall then consider whether to grant a permit for the collection and processing of sensitive data.

 

Article 7a – Exemption from the obligation to notify/receive a permit

 

The controller is exempted from the obligation of notification and the obligation to receive a permit in the listed cases.

 

 

 

 

NOTIFY THE DATA SUBJECT

 

Article 11 – Right to information

 

  1. The Controller must, during the stage of collection of personal data, inform the data subject in an appropriate and express manner of the following data:
    1. His/her identity and the identity of his/her representative, if any
    2. The purpose of the data processing
    3. The recipients or categories of recipients of such data
    4. The existence of a right to access

 

  2. If the Controller, in order to collect personal data, requests the data subject’s assistance, she/he must inform him specifically and in writing of the data referred to in paragraph 1 of this article as well as his/her rights according to Articles 11-13 of this law. By means of such notification the Controller shall also inform the data subject whether she/he is obliged to assist in the collection of data, on the basis of which provisions, as well as of any sanctions resulting from his/her failure to co-operate

 

  3. If the data are to be disclosed to third parties, the data subject will be kept informed of such disclosure before it is effected

 

  4. By virtue of a decision by the Authority, the obligation to inform, pursuant to paragraphs 1 to 3, may be lifted in whole or in part, provided that the data processing is carried out for reasons of national security or for the detection of particularly serious crimes…

 

What needs to be done prior to shipping?

 

Article 9 – Transboundary flow of personal data

 

  1. The transfer of personal data is permitted:
    1. For Member States of the European Union
    2. For a non Member of the European Union following a permit granted by the authority if it deems that the country in question guarantees an adequate level of protection. For this purpose it shall particularly take into account the nature of the data, the purpose and duration of the processing, the relevant general and particular rules of law, the codes of conduct, the security measures for the protection of personal data, as well as the protection levels in the country of origin, transit and final destination of the data. A Permit from the Authority is not required if the European Commission has decided that the country in question guarantees an adequate level of protection

 

  2. The transfer of personal data to a non-member state of the European Union which does not ensure an adequate level of protection is exceptionally allowed only following a permit granted by the Authority, provided that one or more of the following conditions occur:
    1. The data subject has consented to such a transfer, unless such consent has been extracted in a manner contrary to law
    2. The transfer is necessary:
        i. In order to protect the vital interests of the data subject, provided she/he is physically or legally incapable of giving his/her consent,
        ii. For the conclusion and performance of a contract between the data subject and the Controller or between the Controller and a third party in the interest of the data subject if she/he is capable of giving his/her consent
        iii. For the implementation of pre-contractual measures taken in response to the data subject’s request
    3. The transfer is necessary in order to address an exceptional need and safeguard a superior public interest, especially for the performance of a co-operation agreement with the public authorities of the other country, provided that the Controller provides adequate safeguards with respect to the protection of privacy and fundamental liberties and the exercise of corresponding rights
    4. The transfer is necessary for the establishment, exercise or defence of a right in court
    5. The transfer is made from a public register which by law is intended to provide information to the public and which is accessible by the public or by any person who can demonstrate legitimate interest, provided that the conditions set out by law for access to such register are in each particular case fulfilled
    6. The Controller shall provide adequate safeguards with respect to the protection of the data subject’s personal data and the exercise of their rights, when the safeguards arise from conventional clauses which are in accordance with the regulation of present law. A permit is not required if the European Commission has decided that certain conventional clauses offer adequate safeguards for the protection of personal data.

 

  3. In the cases referred to in the preceding paragraph, the Authority shall inform the European Commission and the respective Authorities of the other Member States (a) when it considers that a specific state does not ensure an adequate protection level and (b) for the permits granted pursuant to paragraph 2, point f

 

What are the sanctions for non-compliance?

 

Article 21 – Administrative Sanctions

 

  1. The Authority may impose on the Controllers or on their representatives, if any, the following administrative sanctions for breach of their duties arising from this law as well as from any other regulation on the protection of individuals from the processing of personal data:
    1. A warning with an order for the violation to cease within a specified time limit
    2. A fine of between EUR 880 and EUR 146,735[1]
    3. A temporary revocation of the permit
    4. A definitive revocation of the permit
    5. The destruction of the file or a ban on the processing and the destruction, return or locking of the relevant data

Article 22 – Penal Sanctions

 

Anyone who fails to notify the Authority, according to the provisions of Article 6 of this Law, of the establishment or the operation of a file or any change in the terms and conditions regarding the granting of the permit referred to in paragraph 3 of Article 7 of this Law, will be punished by imprisonment of up to 3 years and a fine of between EUR 2934 and EUR 14,673[2].

 

[See the Statute for more detail on penal sanctions]

 

Article 23 – Civil Liability

 

  1. Any natural person or legal entity of private law, who in breach of this law causes material damage, shall be liable for damages in full. If the same causes non-pecuniary damage, she/he shall be liable for compensation. Liability subsists even when said person or entity should have known that such damage could be brought about
  2. The compensation payable according to article 932 of the Civil Code for non-pecuniary damage caused in breach of this law is hereby set at the amount of at least EUR 5869.40[3], unless the plaintiff claims a lesser amount or the said breach was due to negligence. Such compensation will be awarded irrespective of the claim for damages

 

 

Please refer to The Hellenic Data Protection Authority website for further details on the statute

 


 

[1] Still referred to in the Act as 300,000 and 50,000,000 Drachmas respectively

[2] Still referred to in the Act as 1,000,000 and 5,000,000 Drachmas respectively

[3] Still referred to in the Act as 2,000,000 Drachmas

