New Greek Law on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and transposition into Greek legislation of Directive (EU) 2016/680
Under a fast track procedure, the Law on the protection of personal data was adopted as it was finally drafted after the public consultation.
The new Greek law on the protection of personal data, which came into force on 29.08.2019, i.e. Law 4624/2019, is based on the provisions of Regulation (EU) 2016/679 (“GDPR”) and incorporates the provisions of Directive (EU) 2016/680 into the Greek legislation.
GDPR allows Member States to derogate from its provisions and to adopt restrictions on the processing of personal data and the exercise of the rights of the data subjects.
Significant derogations from the provisions of the GDPR are found within the provisions of Law 4624/2019 on minor’s consent, the processing of special categories of personal data, the processing of personal data in the context of employment relations and the processing of personal data in the fields of health, insurance and related with freedom of expression and information.
In addition, the new Greek law has introduced significant restrictions on the exercise of the subjects’ rights of access and information regarding the processing of their data, the erasure of their personal data and the obligation of data processors to communicate a data breach to the subjects.
The distinction found in articles 24 and 25 of Law 4624/2019 regarding the processing of personal data a) by public bodies and b) by private entities is still very important.
Finally, the new Greek law contains, in addition to the administrative penalties introduced by the GDPR, significant criminal penalties for breach of these provisions and for the illegal processing of personal data.
The new Greek Law (Law 4624/2019) repealed the existing Law 2472/1997, except for some of its provisions, whose validity was retained.
Both public and private entities that fall within the substantive scope of this new Law should be provided with the necessary information and the necessary technical and organizational measures to ensure that their operation and processing of personal data is carried out lawfully and under both the provisions of the GDPR and the provisions of Law 4624/2019.