Greece Recording Laws: All-Party Consent Rules and Penalties (2026)

Overview of Greece's Recording Consent Standard

Greece enforces one of the strictest recording consent regimes in the European Union. The country operates under an all-party consent standard. Every person involved in a conversation must give their explicit consent before that conversation can be recorded.

This rule applies to phone calls, in-person conversations, video calls, and any other form of oral or electronic communication. The person doing the recording does not get a free pass simply because they are a participant. Even if you are part of the conversation, you must obtain clear, affirmative agreement from all other parties before pressing record.

Implied consent does not satisfy the legal requirement. Silence, continued participation in a call after hearing a tone, or a general awareness that recording technology exists do not constitute the explicit consent required by Greek law. The consent must be direct, informed, and unambiguous.

The legal framework protecting communications privacy in Greece draws from multiple sources: the Greek Constitution, the Penal Code, EU regulations, and several specialized statutes governing electronic communications and data protection.

Constitutional Foundation: Article 19

The right to communications privacy in Greece has constitutional protection. Article 19 of the Greek Constitution states: "The privacy of correspondence and any other form of communication is absolutely inviolable."

The word "absolutely" is significant. The constitutional drafters chose language that signals this is not a qualified or conditional right. It is a core guarantee of personal freedom and democratic participation.

Article 19 permits only one exception. The judicial authority may lift communications secrecy, but only in cases involving national security or the investigation of particularly serious crimes. The conditions and procedures must be specified by law. No other entity, and no private party, has the authority to override this constitutional protection.

Article 9A: Personal Data Protection

Article 9A of the Greek Constitution, added in the 2001 constitutional revision, establishes the right to protection of personal data. This provision requires an independent authority to oversee data protection. That authority is the Hellenic Data Protection Authority (HDPA), which plays a direct role in regulating how voice recordings and other personal data are collected, stored, and used.

ADAE: The Communications Privacy Watchdog

Article 19, paragraph 2, of the Constitution mandates the creation of an independent authority to ensure communications confidentiality. That authority is ADAE (Archi Diasfalisis Aporritou Epikoinonion), established by Law 3115/2003 and Presidential Decree 40/2005.

ADAE monitors the lawful interception process. It oversees how government agencies, intelligence services, and telecommunications providers handle communications data. It also controls the security of publicly available electronic communications networks.

ADAE has reported a 23% increase in state-ordered wiretaps during 2024. The authority has raised concerns about the National Intelligence Service (EYP) and the Special Violent Crimes Squad failing to notify ADAE of hundreds of surveillance orders in a timely manner during 2023 and 2024. These delays undermine ADAE's ability to exercise its constitutional oversight role.

Article 370A of the Greek Penal Code

Article 370A is the core criminal statute governing the recording and interception of communications in Greece. It contains multiple paragraphs, each addressing a different form of violation.

Paragraph 1: Telephone Interception

Paragraph 1 addresses anyone who unlawfully taps into, interferes with, or connects to a device, link, or network used for fixed or mobile telephony, or to any hardware or software system providing such services. The purpose of the interference must be to inform oneself or another person of, or to record, the content of a telephone conversation between third parties or location data related to that communication.

The original penalty for this offense was imprisonment from 10 days to 5 years. Following the 2022 amendments under Law 5002/2022, penalties were significantly increased.

Paragraph 1, Subparagraph 2: Participant Recording Without Consent

This provision specifically criminalizes a participant who records their own telephone conversation without the explicit consent of the other party. Greece differs from most countries on this point. In many jurisdictions, a participant in a conversation can freely record it. In Greece, even a participant commits a criminal offense by recording without explicit consent from every other party.

The requirement is explicit consent. The other party must clearly agree to the recording. Implied consent, such as continuing to talk after a beep or tone, does not satisfy this standard under Greek law.

Paragraph 2: In-Person Conversation and Private Acts

Paragraph 2 covers oral conversations that are not conducted in public. Anyone who monitors such a conversation by special technical means, or who captures it on a recording device, without the consent of the participants commits a criminal offense. This paragraph also covers capturing non-public acts of another person.

The minimum penalty under Paragraph 2 is imprisonment of at least one year.

Paragraph 3: Unlawful Use of Recordings

Paragraph 3 addresses the subsequent use of illegally obtained recordings. Anyone who unlawfully uses information captured through the methods described in Paragraphs 1 and 2, or the device containing such recordings, faces imprisonment of up to three years or a fine.

This means that even if someone else made the illegal recording, using that recording or distributing its contents is itself a separate criminal offense.

Law 5002/2022 Amendments: Penalties Up to 10 Years

Law 5002/2022, enacted on December 9, 2022, significantly toughened the penalties under Article 370A. The amendments impose prison sentences of up to 10 years for violations of communications confidentiality. This applies broadly, including to telephone service providers or their legal representatives or employees who violate the confidentiality of telephone and oral communications of third parties.

The law also added a new Article 370ST to the Greek Penal Code, which criminalizes the possession or distribution of surveillance software or devices. This provision was a direct response to the Predator spyware scandal and aims to close the gap that previously allowed spyware vendors to operate without criminal liability.

GDPR and Greek Data Protection Law

Greece is a member of the European Union, and the General Data Protection Regulation (GDPR) applies directly. Greece implemented the GDPR through Law 4624/2019, which took effect on August 29, 2019, replacing the earlier Law 2472/1997.

Voice Recordings as Personal Data

Under the GDPR and Greek law, voice recordings are personal data. A recording that can identify a person through their voice, name, phone number, or other identifying details falls within the scope of data protection regulation. Businesses and individuals who collect or store voice recordings are data controllers subject to GDPR obligations.

Legal Bases for Processing

Before recording and storing a voice conversation, a data controller must identify a valid legal basis under GDPR Article 6. In Greece, the most commonly relevant bases are:

• Consent: The data subject's freely given, specific, informed, and unambiguous agreement. Given Greece's all-party consent criminal law, this is the primary basis for most recording scenarios.
• Legitimate interest: The controller's legitimate interest, balanced against the data subject's rights. This requires a documented balancing test.
• Legal obligation: Processing required by law, such as regulatory requirements for financial services call recording.
• Contractual necessity: Processing necessary to perform a contract with the data subject.

HDPA Enforcement

The Hellenic Data Protection Authority (HDPA) enforces the GDPR and Greek data protection law. Its powers include:

• Investigating complaints and conducting audits with access to premises and equipment
• Issuing warnings, reprimands, or bans on processing
• Imposing administrative fines of up to 20 million euros or 4% of worldwide annual turnover for serious violations
• Ordering mandatory data deletion

Recent enforcement actions include a 200,000+ euro fine against a bank for violating data access rights and a 30,000 euro fine against a political party for processing voter data without adequate safeguards.

Law 3471/2006: Electronic Communications Privacy

Law 3471/2006 transposes the EU ePrivacy Directive (2002/58/EC) into Greek law. This statute governs privacy in the electronic communications sector and works alongside the GDPR and the Penal Code.

Key provisions relevant to recording include:

• Confidentiality of communications: Listening to, tapping, storing, or surveilling communications and related traffic data is prohibited without the consent of the users concerned.
• Direct marketing: Unsolicited electronic communications for marketing purposes require prior explicit consent from the recipient.
• Call recording by providers: Telecommunications providers may record communications to provide evidence of commercial transactions, but only when both parties have consented after being notified of the recording's purpose.

Recording Phone Calls in Greece

All phone call recording in Greece requires the explicit consent of every party on the call. This applies to:

• Landline-to-landline calls
• Mobile phone calls
• VoIP and internet-based calls (Viber, WhatsApp, Zoom, Teams)
• Conference calls with multiple participants

For conference calls, consent must be obtained from every participant. A single dissenting party makes the recording unlawful.

There is no exception for recording your own calls. A participant who records without consent commits the same offense as a third-party interceptor. The only difference is the specific paragraph of Article 370A that applies and the corresponding penalty range.

Recording In-Person Conversations

In-person conversations in Greece receive strong protection under Article 370A, Paragraph 2. Recording a private, non-public oral conversation without the consent of the participants is a criminal offense carrying a minimum of one year in prison.

The key distinction is whether the conversation takes place in public or private. A conversation held in a public square, at an open market, or in a space where others can freely overhear it has reduced privacy expectations. A conversation in a private home, an office with the door closed, a restaurant booth, or any other setting where the participants have a reasonable expectation of privacy is protected.

Covert recording devices placed in private spaces, whether audio bugs, hidden microphones, or smartphone recording apps running in the background, all fall within the scope of this prohibition.

Public Recording and Photography in Greece

Greece does not prohibit photography or video recording in genuinely public spaces. The right to photograph and record in public is protected under Article 14 of the Greek Constitution as an expression of freedom of speech.

You do not need consent to photograph or film people in public streets, plazas, parks, or other open areas. This applies to journalism, tourism photography, and general public documentation.

However, several important restrictions apply:

• Military installations: Photographing or filming military bases or the composition of armed forces, even from a public vantage point, is not protected.
• Commercial use: Using a person's image for commercial advertising without their consent is illegal, unless the photo shows a group in a public space or the individual is only a minor part of the image.
• Religious sensitivities: Content that offends the Christian religion or the dignity of the President of the Republic may fall outside constitutional protection.
• Filming permits: Open-air filming for documentaries, advertisements, or movies at public locations such as squares, streets, and pedestrian areas may require permits from municipal authorities or archaeological services.

The distinction between public visual recording and private conversation recording is critical. Filming a street scene is lawful. Recording a private conversation happening on that street, where the participants have a reasonable expectation that they are speaking privately, is not.

Workplace Surveillance and Employee Monitoring

Greece places strict limits on workplace surveillance. The HDPA, through Directive 1/2011 and subsequent guidance, has established clear boundaries.

CCTV in the Workplace

Video surveillance through CCTV is permitted only when it is necessary for the protection of persons and property. CCTV must not be used to monitor, evaluate, or assess employee performance. Recording in the following areas is strictly prohibited:

• Individual workstations
• Corridors (in most circumstances)
• Eating areas and break rooms
• Restrooms and changing areas

Employers must inform employees in writing about the installation and operation of any video surveillance system before it becomes operational.

Computer and Digital Monitoring

Monitoring employee computer activity requires advance notification and must serve a legitimate business interest. The monitoring must be proportionate, meaning it should be limited to what is strictly necessary. Blanket surveillance of all employee digital activity without specific justification will not satisfy the proportionality test.

GPS Tracking

GPS tracking of company vehicles is restricted to predefined routes during work hours. Data retention for GPS tracking is limited to one month.

Audio Recording at Work

Recording workplace conversations, whether by the employer or by employees, follows the same all-party consent rule. An employer cannot install hidden microphones to record employee conversations. An employee cannot secretly record a meeting with their supervisor. Both scenarios require explicit consent from all participants.

This makes Greece significantly different from countries like the United States, Brazil, or the United Kingdom, where employee recording of workplace conversations for evidence of harassment or wrongful termination is often legally protected.

The 2022 Predator Spyware Scandal

The Predator spyware scandal, often called "Predatorgate" or the "Greek Watergate," exposed the illegal surveillance of journalists, politicians, and other public figures in Greece. The scandal has had a lasting impact on Greek surveillance law and public attitudes toward privacy.

How the Scandal Began

In March 2022, digital rights organization Citizen Lab informed journalist Thanasis Koukakis that his phone had been infected with Predator spyware and surveilled for approximately ten weeks. Predator is a highly invasive surveillance tool capable of extracting all data from a target's device, including messages, calls, location data, and passwords.

Four months later, Nikos Androulakis, leader of the opposition party PASOK-KINAL and a Member of the European Parliament at the time, discovered his phone had also been targeted with Predator.

Scale of the Surveillance

Investigations revealed that approximately 84 mobile phones were targeted through Predator spyware. Targets included journalists, politicians, government officials, and associates of Prime Minister Kyriakos Mitsotakis. The National Intelligence Service (EYP) was implicated in parallel lawful surveillance of some of the same targets.

Legislative Response: Law 5002/2022

The scandal prompted the Greek parliament to pass Law 5002/2022 on December 9, 2022. The law, titled "Procedure for Waiving Communications Secrecy, Cybersecurity, and Protection of Citizens' Personal Data," introduced several major changes:

• Increased maximum penalties under Article 370A to 10 years imprisonment
• Created new criminal offense for possession or distribution of surveillance software (Article 370ST)
• Established conditions under which communications secrecy may be waived: only for national security or investigation of particularly serious crimes
• Created new institutional bodies: a Cybersecurity Coordination Committee, a Cybersecurity Operations Centre (SOC), and a Standing Scientific Committee on Personal Data

Human Rights Watch and other organizations criticized portions of the law for potentially expanding government surveillance powers while claiming to restrict them. The organization noted concerns about provisions that could weaken judicial oversight of intelligence agency surveillance.

February 2026 Convictions

On February 26, 2026, an Athens court convicted four individuals in the Predator spyware case. The convicted individuals were:

• Tal Dilian, founder of the Intellexa Consortium (the company behind Predator)
• Sara Aleksandra Fayssal Hamou, Dilian's wife, who provided managerial services to Intellexa
• Felix Bitzios, beneficial owner of Intellexa
• Giannis Lavranos, owner of Krikel, the company that purchased Predator

All four were found guilty of violating personal data and the confidentiality of communications. The court imposed a combined sentence of 126 years and six months in prison, with at least eight years to be served.

This verdict is believed to be the first case anywhere in the world in which individuals in the commercial spyware industry were criminally charged and convicted for marketing, distributing, and using spyware to illegally surveil a journalist. The court also forwarded the case file to prosecutors to investigate additional suspects, including potential involvement by intelligence officials.

Penalties Summary

Violation	Law	Penalty
Third-party interception of telephone communications	Penal Code Art. 370A, Para. 1	Up to 10 years imprisonment (post-Law 5002/2022)
Recording a phone call without explicit consent of other party	Penal Code Art. 370A, Para. 1, Sub. 2	Up to 10 years imprisonment
Recording private in-person conversation without consent	Penal Code Art. 370A, Para. 2	Minimum 1 year imprisonment
Unlawful use or distribution of illegally obtained recordings	Penal Code Art. 370A, Para. 3	Up to 3 years imprisonment or fine
Possession or distribution of surveillance software/devices	Penal Code Art. 370ST	Criminal penalties (added by Law 5002/2022)
GDPR violation (processing voice data without lawful basis)	GDPR / Law 4624/2019	Up to 20 million euros or 4% worldwide turnover
Violation of electronic communications privacy	Law 3471/2006	Administrative fines and criminal penalties

Business Compliance Checklist

Companies operating in Greece that handle voice communications or recordings must take specific steps to comply with Greek law.

Obtain explicit consent before any recording. This is non-negotiable under Greek criminal law. Inform all parties that recording will occur, state the purpose of the recording, and obtain clear affirmative consent before the recording begins. "This call may be recorded" is not sufficient. You need active agreement from the other party.

Document the legal basis under GDPR. Identify which GDPR Article 6 basis applies to your recording activity. In most cases, this will be consent. Record the legal basis in your processing register and be prepared to demonstrate compliance to the HDPA.

Provide transparent notice. Tell callers or meeting participants: who is recording, why, how long the recording will be stored, who will have access to it, and what rights they have regarding the recording. This must happen before the recording starts.

Define and enforce retention periods. Establish written policies specifying how long recordings are kept. Implement automated deletion at the end of the retention period. Recordings kept beyond the stated period create unnecessary legal exposure.

Restrict access to recordings. Limit access to stored recordings to personnel with a documented, legitimate need. Maintain access logs that record who accessed which recording and when.

Train employees. Staff who handle recordings must understand that unauthorized recording is a criminal offense in Greece. Training should cover the consent requirement, proper handling of recorded data, and the consequences of non-compliance.

Conduct a Data Protection Impact Assessment (DPIA). If your recording involves large-scale, systematic monitoring of individuals, a DPIA is required under GDPR Article 35. The HDPA has identified video and audio surveillance as categories that typically require a DPIA.

Review cross-border data transfers. If recordings are stored or processed outside Greece or the EU, ensure transfers comply with GDPR Chapter V requirements, including standard contractual clauses or adequacy decisions.

How Greece Compares to Other Countries

Greece's all-party consent requirement and severe penalties place it at the stricter end of the global spectrum.

Most EU countries require all-party consent for recording, but Greece's penalties are among the harshest. The 10-year maximum prison sentence under the 2022 amendments exceeds penalties in Germany (up to 3 years), France (up to 1 year), and Italy (up to 4 years) for comparable offenses.

The United States varies by state, with some states following one-party consent and others requiring all-party consent. Even in strict U.S. states like California or Illinois, maximum penalties for illegal recording are generally lower than Greece's 10-year ceiling.

Brazil, Canada, and the United Kingdom all follow one-party consent rules, making them significantly more permissive than Greece for participant recording.

For travelers, journalists, and businesses operating across borders, understanding Greece's strict requirements is essential. Recording practices that are perfectly legal in your home country may constitute a serious criminal offense in Greece.