- Tech companies operating in Greece must comply with Law 4624/2019, which supplements the EU GDPR with specific local requirements for employment and criminal data.
- The Hellenic Data Protection Authority (HDPA) mandates that "Reject All" cookie options must be as prominent and easy to access as "Accept All" buttons.
- Appointing a Data Protection Officer (DPO) is legally required for most tech firms engaged in large-scale monitoring or processing of sensitive user profiles in Greece.
- Greek authorities have recently issued multimillion-euro fines against international tech firms for facial recognition and improper data processing, signaling a shift toward aggressive enforcement.
- Employee monitoring via CCTV or software in Greek workplaces requires a high threshold of justification, typically limited to safety or high-security needs rather than productivity tracking.
What are the Greek requirements for employee data monitoring?
Greek law permits employee monitoring only when it is strictly necessary for the performance of the employment contract and after a thorough proportionality assessment. Under Article 27 of Law 4624/2019, employers must provide clear, prior notice to employees regarding the scope and purpose of any monitoring, whether via CCTV, email tracking, or software analytics.
Tech companies must adhere to these specific Greek standards:
- Proportionality Principle: Monitoring must be the least intrusive means available to achieve a specific goal, such as protecting trade secrets or ensuring physical security.
- Email Access: Employers generally cannot read employee emails unless there is a pre-defined policy and a specific suspicion of illegal activity or a severe breach of contract.
- CCTV Use: Cameras are prohibited in areas where privacy is expected (restrooms, break areas) and must not be used solely for evaluating work performance.
- Biometrics: Using fingerprints or facial recognition for time-attendance is generally discouraged by the HDPA unless justified by extreme security requirements.
How does the HDPA regulate cookie consent and tracking?
The Hellenic Data Protection Authority requires that Greek websites and apps obtain explicit, granular consent before placing any non-essential cookies on a user's device. Consent must be a "clear affirmative act," meaning pre-ticked boxes or "scrolling as consent" are strictly prohibited under HDPA guidelines and Law 3471/2006.
To remain compliant in the Greek market, tech firms should follow this checklist:
- The "Reject All" Requirement: Users must be able to decline all non-essential cookies with a single click at the same level as the "Accept" button.
- Layered Information: Use a cookie banner for immediate notice and a detailed Cookie Policy for comprehensive technical explanations.
- No Tracking Walls: Access to a service cannot be made conditional on the user consenting to tracking cookies.
- Specific Consent: Users must be able to choose specific categories of cookies (e.g., analytics vs. marketing) rather than a "bundled" consent model.
What are the local requirements for Data Protection Officers (DPOs) in Greece?
While the GDPR sets the baseline for DPOs, Greek tech companies often fall under mandatory appointment rules due to the nature of "large-scale" digital processing. Any organization whose core activities involve the systematic monitoring of data subjects or the processing of special categories of data in Greece must designate a DPO and register their details with the HDPA portal.
The DPO role in Greece carries specific expectations:
- Registration: You must notify the HDPA of the DPO's appointment via their official online platform.
- Qualifications: The DPO must possess expert knowledge of both the EU GDPR and the local Law 4624/2019.
- Independence: The DPO cannot hold a position that creates a conflict of interest, such as Head of IT or CEO, where they would determine the purposes of data processing.
- Availability: For international firms, the DPO does not have to be a Greek resident, but they must be easily accessible to the Greek authorities and to Greek-speaking data subjects.
What are the recent enforcement trends and fines in Greece?
The HDPA has transitioned from a consultative body to an aggressive enforcer, particularly targeting the tech and telecommunications sectors. Recent years have seen a surge in investigations related to "dark patterns" in user interfaces and the illegal use of biometric data by international tech entities.
Significant enforcement actions include:
| Entity Type | Violation | Penalty |
|---|---|---|
| Facial Recognition Firm | Lack of legal basis for data scraping | €20,000,000 Fine |
| Telecommunications | Failure to report a data breach promptly | €6,000,000 Fine |
| Banking/Fintech | Improper processing of customer data | €150,000+ Fines |
| E-commerce | Non-compliant cookie banners | Administrative Warnings & Fines |
These actions demonstrate that the HDPA is willing to issue maximum-tier fines to ensure that the Greek digital landscape remains compliant with European privacy standards.
How do cross-border data transfers work from a Greek perspective?
Cross-border data transfers from Greece to "third countries" outside the European Economic Area (EEA) require strict adherence to the Schrems II ruling and HDPA directives. If a Greek tech startup uses US-based cloud providers or SaaS tools, it must ensure a valid transfer mechanism is in place, as the HDPA frequently audits the "transfer impact assessments" (TIAs) of local firms.
Key considerations for international tech firms:
- Standard Contractual Clauses (SCCs): These remain the primary tool for transfers to the US or other non-EEA countries.
- Supplementary Measures: Tech firms must often implement end-to-end encryption or pseudonymization to protect data from foreign surveillance, a point emphasized by the HDPA.
- Adequacy Decisions: Greece recognizes the EU-U.S. Data Privacy Framework, but companies must verify their partners are officially certified under this regime.
- Local Data Storage: Increasingly, Greek B2B clients prefer "local" or EU-based hosting to minimize the legal complexities of cross-border transfers.
Common Misconceptions About Greek GDPR
"Complying with EU GDPR is enough for Greece."
While GDPR is the foundation, Law 4624/2019 introduces specific nuances regarding the age of consent for minors (15 years in Greece for information society services) and stricter rules for processing criminal convictions and employment data. Relying solely on general EU templates can leave a firm vulnerable to local litigation.
"Small tech startups are exempt from HDPA oversight."
The HDPA does not provide an exemption based on company size. If a startup processes sensitive data or monitors users (which most tech apps do), it is subject to the same transparency and security requirements as multinational corporations.
"Consent is the only way to process data in Greece."
Many firms mistakenly rely on consent for everything. In the Greek B2B tech sector, "Legitimate Interest" or "Contractual Necessity" are often more appropriate and stable legal bases, provided a Legitimate Interest Assessment (LIA) is documented.
FAQ
What is the age of consent for digital services in Greece?
In Greece, the age of consent for children to use information society services (like social media or apps) without parental permission is 15 years old, as established by Article 21 of Law 4624/2019.
Do I need to host my data in Greece to be compliant?
No, there is no legal requirement to host data physically in Greece. However, the data must remain within the EEA or in a country with an adequacy decision to avoid the complex requirements of cross-border transfer assessments.
How much time do I have to report a data breach to the HDPA?
Tech companies must report a personal data breach to the HDPA within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Can the HDPA conduct unannounced audits of tech offices?
Yes, the HDPA has the legal authority to conduct "on-site" inspections of business premises in Greece, access all data processing equipment, and request any documentation related to GDPR compliance without prior notice.
When to Hire a Lawyer
Navigating Greek data protection law is critical when your tech company is:
- Launching a platform that uses AI, facial recognition, or complex algorithms to profile Greek users.
- Negotiating high-value B2B contracts with Greek banks or government agencies that require "airtight" data processing agreements (DPAs).
- Facing an investigation or a "Request for Information" from the Hellenic Data Protection Authority.
- Restructuring your international data flows following changes in EU-US data transfer regulations.
Next Steps
- Conduct a Gap Analysis: Compare your current global privacy policy against the specific requirements of Greek Law 4624/2019.
- Audit Your Cookies: Ensure your Greek-facing website has a "Reject All" button that is functionally identical to the "Accept" button.
- Appoint/Register a DPO: If your tech firm processes data on a large scale, ensure your DPO is registered via the HDPA's online portal.
- Draft Localized Documents: Create a Greek-compliant Employee Privacy Notice if you have staff or contractors based in Greece.