top of page

GREECE - Data Protection and GDPR Review

Early Developments: Prior to the EU's concerted efforts to standardize data protection laws, Greece had its national regulations. The Law 2472/1997 was one of the first major pieces of legislation in Greece that aimed to protect individuals with regard to the processing of personal data.

EU Data Protection Directive (1995): Greece, as a member of the EU, was influenced by the European Union Directive 95/46/EC, which aimed to harmonize data protection laws across member states. This directive was implemented by Greece through its own national legislation.

General Data Protection Regulation (GDPR) - 2018: The major turning point in data protection came with the EU's General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. This regulation brought about significant changes in data protection rules across the EU, including Greece. The GDPR emphasizes transparency, the right to erasure, and data portability, among other things.

Greek Implementation of GDPR: Greece incorporated the GDPR into its national law, further developing regulations and guidelines. The Hellenic Data Protection Authority (HDPA) oversees the implementation of GDPR within Greece and ensures compliance by organizations.

Current Developments: Greece continues to adapt its data protection laws and regulations, keeping pace with technological advancements and societal changes. The country actively collaborates with other EU member states to develop and uphold shared data protection standards.

The history of data protection in Greece is largely intertwined with broader European efforts to create a consistent and rigorous data protection framework. This has been characterized by ongoing adaptations to national laws to conform to EU-wide regulations, with a focus on individual rights and business accountability

Key Principles of GDPR

  1. Lawfulness, Fairness, Transparency: Personal data must be processed lawfully, fairly, and transparently.

  2. Purpose Limitation: Data should be collected for specified, explicit, and legitimate purposes.

  3. Data Minimization: Only data that is necessary for the purpose for which it was collected should be processed.

  4. Accuracy: Personal data must be accurate and kept up to date.

  5. Storage Limitation: Data should not be kept longer than necessary.

  6. Integrity and Confidentiality: Appropriate security measures must be applied to protect data.

Rights of Individuals (Data Subjects)

  1. Right to Information

  2. Right to Access

  3. Right to Rectification

  4. Right to Erasure ("Right to be Forgotten")

  5. Right to Restriction of Processing

  6. Right to Data Portability

  7. Right to Object

  8. Rights Related to Automated Decision Making, including Profiling

Obligations of Data Controllers and Processors

  1. Data Protection Impact Assessment (DPIA): When necessary.

  2. Data Breach Notification: Must be reported within 72 hours.

  3. Appointment of a Data Protection Officer (DPO): For certain organizations.

  4. Compliance Documentation: Maintain records of data processing activities.

The Hellenic Data Protection Authority (HDPA)

The HDPA is responsible for overseeing the implementation of GDPR within Greece, handling complaints, and enforcing compliance.


Non-compliance can lead to substantial fines, up to €20 million or 4% of the global annual turnover, whichever is higher.

Special Considerations in Greece

Greece may have specific national provisions that modify or complement the GDPR, such as regulations concerning the processing of employee data, age of consent for minors, etc.


Data protection in Greece under GDPR is a comprehensive and multifaceted subject. Organizations operating within Greece must adhere to these rules and stay informed about local adaptations and interpretations of the regulation. Consulting with legal experts who specialize in Greek data protection law is often advisable to ensure full compliance.


  1. Hellenic Data Protection Authority: Website

  2. EU GDPR Portal: Website

  3. Official Journal of the European Union: GDPR Text Link

Please note that this guide is for informational purposes only and should not be considered as legal advice. Always consult with a legal professional specialized in Greek data protection law for specific guidance.


bottom of page