Law 4624/2019: Protection of Personal Data and Measures for the Implementation of the GDPR
Law 4624/2019 enacts supplemental measures for the application of the General Data Protection Regulation (“GDPR”) and incorporates Directive (EU) 2016/680.
On May 25th, 2018, the General Data Protection Regulation (“GDPR”) came into application, radically transforming the playing field for businesses in the field of data protection.
On August 29th, 2019, i.e. 15 months later, the long-awaited Greek Law on the protection of personal data was published in the Government Gazette (137/A/29-08-2019). The Law supplements the provisions of the GDPR and incorporates Directive (EU) 2016/680 of the European Parliament and of the Council (“LED Directive”).
The new Law includes provisions in certain areas which the GDPR leaves to the discretion of member states, and dispels the legal uncertainty caused by the delayed supplementation of the Regulation and the parallel validity of Law 2472/1997.
The Law annuls prior Law 2472/1997, excluding certain of its provisions regarding the disclosure of data by law enforcement authorities in case of specific offenses, the use of visual and auditory materials in public meetings and the opt-out register for commercial communications by post. Furthermore, it maintains in force the provisions of Law 2472/1997 regarding the composition of the Data Protection Authority and the compensation of its members, along with the framework of administrative fines to private entities.
It should also be noted that the enactment of the Law was expedited due to the referral of Greece to the European Court of Justice for failure to timely transpose the LED Directive into Greek law.
The new Law complements the GDPR in a wide range of sectors. Section A of the Law stipulates its objective and scope, the definitions of public and private entities and the mandatory designation of the data protection officer in public bodies. Section B includes provisions regarding the organization and operation of the Hellenic Data Protection Authority. Section C implements supplemental measures for the application of the GDPR, whereas Section D transposes the LED Directive into Greek law.
Organization and Operation of the HDPA
The Hellenic Data Protection Authority (“HDPA”) is re-established and declared as the supervisory authority of the GDPR in Greece.
The GDPR provides for the enhanced protection of minors, but leaves it to the discretion of member states to upgrade such protection. Under the new Law, minors’ data in relation to information society services (e.g. online videogames or social media) can now be processed only if the minor is at least 15 years old and s/he consents. Otherwise, the consent of the holder of parental responsibility over the minor is required.
Processing of Special Categories of Data
Notwithstanding the provisions of the GDPR, the new Law stipulates that processing of special categories of data by public and private entities is permitted without the consent of the data subject, in cases in which it is mandatory for the purposes of healthcare, social care, social security and the assessment of an individual’s ability to work, on the condition that measures to safeguard data subjects’ interests are taken. Furthermore, processing of special categories of data by public entities for further purposes is permitted in cases where there are grounds of public interest, the necessity of preventing a significant threat to public safety or the necessity to take humanitarian measures. Nevertheless, processing of genetic data for health and life insurance is expressly prohibited.
Processing for Further Purposes
The processing of personal data by public entities for purposes other than those for which they have been collected is permitted in cases in which it is necessary for the prosecution of offenses, public safety reasons and the prevention of harm to another person. Similarly, the processing by private entities is permitted in cases in which they are subject to national security issues or for the foundation, exercise or support of their legal claims. Such processing by private entities is permitted in order to prevent threats against national security or public health after a public entity’s request for either the prosecution of criminal offenses or the establishment, exercise or defence of legal claims, unless the interest of the data subject to his/her data not to be processed is outweighed.
Specific Processing Situations
The processing of personal data for journalistic or academic, artistic or literary purposes is permitted without the consent of the data subject, provided that the right to privacy is outweighed by the right to the information of the public. In addition, the processing of personal data is permitted without the consent of the data subject, provided that it is necessary for scientific or historical research or for purposes related to the collection or retention of statistics, on the condition that appropriate measures are taken, such as anonymity and encryption.
Exception from the Obligation to Inform
The controller is exempted from the obligation to inform the data subject according to articles 13 and 14 of the GDPR in certain cases, such as when such information would jeopardize the proper performance of the controller’s duties, public security or the establishment, exercise or defence of legal claims. For public entities, in particular, such exceptions from the obligation to inform the data subject are broader when personal data have been collected from third sources.
Processing of Personal Data in the Employment Context
Of great importance are the novelties vis-à-vis the GDPR brought about by the new Law in the employment context.
The employer may process employee data necessary for the recruitment of its employees and for the performance and execution of their employment contracts.
Where the processing is based on the legal ground of the employee’s consent, the validity of consent is evaluated according to the circumstances of the specific employment contract and the conditions of consent pursuant to Art. 7 GDPR. The processing of personal data is also permitted on the basis of collective labour agreements. The employer must comply with the processing principles of article 5 of the GDPR and take appropriate technical and organizational measures to protect employee data.
Surveillance through CCTV systems in the workplace is permitted only when it is necessary for the protection of persons and goods and when written, including electronic, notice is provided to employees.
Right of Access
Within the ambit of the GDPR, the new Law brings about important limitations to the rights of data subjects. The exercise of the right of access is restricted when there is no obligation to inform the data subject or when his/her data have been recorded and cannot be deleted due to regulatory provisions about their obligation to retain or control them, such as in cases in which they are stored on tax bases, fingerprints, passports, etc. In order to waive the obligation of access in such cases, the provision of access ought to require a disproportionate effort and the necessary technical and organizational measures to make processing impossible for other purposes.
Right to Erasure
The right to erasure of personal data does not apply in cases of non-automated processing, in which, due to the special nature of their storage, erasure is impossible or requires a disproportionate effort, and where it is contrary to conventional or legal retention periods. In certain cases of automated processing, the right to erasure may also be lawfully replaced by restrictions to processing of the relevant data.
Right to Object
The right to object to the processing of personal data before public entities may not be applicable in cases in which such processing is required for the public interest, when the latter prevails over the interests of the data subject.
Accreditation of Certification Bodies
The National Accreditation System (ESYD) is responsible for the accreditation of certification bodies of article 43 of the GDPR regarding their compliance with applicable legislation in accordance with the standard EN ISO/IEC 17065:2012.
Anyone who interferes with a system of archiving personal data, deletes it, copies it and generally uses it illegally shall be punished with one year imprisonment. In case of special categories of data, imprisonment of at least one year and a fine up to EUR 100,000 shall be imposed. On the contrary, if the offender intends for himself or for others to unlawfully gain economic benefit or to cause property damage and the total benefit thereof exceeds EUR 120,000, s/he shall be punished with imprisonment up to ten years. These offenses are prosecuted proprio motu.
The new Law leaves the sanctions of the GDPR unchanged as regards private entities, which may amount up to 2% or 4% of the annual turnover of a company. Fines to public entities are however limited by the Law up to EUR 10,000,000, depending on the severity and duration of the breach.
Claims for damages by the data subject vis-à-vis controllers or processors shall be filed before the court of the registered seat of the controller/processor or its representative, if any, or in the court in whose district the data subject has his/her residence.
About Platis - Anastassiadis & Associates
Platis - Anastassiadis & Associates is part of the Law Specialty Practice (EY Law) which operates in 73 countries globally and is comprised of 1700 people.
We are an independent law office with a core team of 19 lawyers. Our office provides high quality legal services across the full range of commercial and financial transactions.
Especially in our geographical area, we have established an ongoing cooperation with the respective law firms which are associated with EY, in order to offer seamless and consistent regional services to our clients that have cross country operations.
Our experience allows us to better understand our clients’ needs and offer them integrated multidisciplinary solutions in the fields of accounting, tax and financial advisory services. Platis - Anastassiadis & Associates law office is solution focused. We work closely with our clients to seek innovative and practical ways of dealing with their issues. Our priority is to help our clients meet their business objectives. Our expertise, commitment and enthusiasm have resulted in the build-up of a client base which includes local and international listed, state and private sector companies and financial institutions.