Greece Data Privacy Laws: GDPR Implementation Guide (2026)

Greece took a deliberate approach to implementing GDPR, finalizing its national legislation more than a year after the regulation became directly applicable. That delay reflected the complexity of adapting a comprehensive data protection framework to a legal system with its own constitutional traditions around privacy and public administration.
Today, Greece's data protection regime is notable for the Hellenic Data Protection Authority's active enforcement, particularly in the area of video surveillance and CCTV compliance, where the authority has built one of the most detailed bodies of case law in the EU.
Legal Framework and GDPR Implementation
Greece's data protection system operates under two primary legal instruments. The GDPR applies directly as EU law, and Law 4624/2019 supplements it with national implementing provisions.

Law 4624/2019 was enacted and entered into force on 28 August 2019. The legislation addresses three main areas: it implements the GDPR's opening clauses where member state action is required, it transposes the Law Enforcement Directive (EU 2016/680) on data processing by criminal justice authorities, and it establishes the organizational framework for the HDPA.
Before Law 4624/2019, Greece had operated under Law 2472/1997, which implemented the earlier EU Data Protection Directive. That law was partially repealed and replaced by the new framework, though certain provisions remain in force where they do not conflict with the GDPR.
Constitutional Foundation
Data protection in Greece has strong constitutional backing. Article 9A of the Greek Constitution explicitly provides for the protection of personal data and establishes the HDPA as an independent constitutional authority. This constitutional status gives the HDPA a level of institutional protection that goes beyond what supervisory authorities enjoy in many other EU member states, as its independence is guaranteed by the fundamental law of the country rather than ordinary legislation.
Article 9 of the Constitution further protects the inviolability of private and family life, while Article 19 protects the secrecy of correspondence and communications.
The Hellenic Data Protection Authority (HDPA)
The HDPA is Greece's independent supervisory authority responsible for monitoring compliance with data protection law. Established under the Constitution, the HDPA operates independently from the government and any other state body.
The Authority is composed of a President and six members, all appointed for four-year terms. The President must be a senior judge or a university professor of law, reflecting the legal nature of the authority's work.
Powers and Functions
Under Law 4624/2019 and the GDPR, the HDPA holds the full range of supervisory and enforcement powers specified in Article 58 of the GDPR. These include investigative powers (conducting audits, obtaining access to premises and data), corrective powers (issuing warnings, reprimands, orders, processing bans, and administrative fines), and advisory and authorization powers (providing opinions on legislation and approving binding corporate rules).
The HDPA has been notably active compared to many similarly sized EU member state authorities, issuing decisions on a wide range of data protection topics.
Fines and Penalties
The penalty framework in Greece follows the GDPR's two-tier structure. For violations of controller and processor obligations, the HDPA can impose fines of up to EUR 10 million or 2% of worldwide annual turnover. For more serious violations affecting data subjects' rights, processing principles, or international transfer rules, fines can reach EUR 20 million or 4% of worldwide annual turnover.
Law 4624/2019 also establishes criminal penalties for certain data protection violations. Unlawful processing of personal data can result in imprisonment and fines, with penalties increasing when the violation involves special categories of data or is committed by persons with access to data by virtue of their profession.
Notable Enforcement Actions
Ministry of Migration and Asylum (2024): The HDPA imposed a EUR 175,000 fine on the Ministry for GDPR violations in its surveillance systems at asylum and migration facilities. The violations included unlawful processing of biometric data and inadequate safeguards for the personal data of migrants.
Unsolicited Marketing Calls (2025): In Decision 44/2025, the HDPA imposed fines of EUR 10,000 and EUR 80,000 on an energy provider and its call center for making unsolicited promotional calls, demonstrating continued enforcement against direct marketing violations.
Energy Services Data Rights (2025): Decision 42/2025 saw the HDPA fine an energy services company EUR 30,000 for violating data subjects' rights of access, rectification, and erasure.
Workplace Surveillance (2021): The HDPA fined a company EUR 15,000 for illegal installation of video surveillance in employee offices and the kitchen, finding that such monitoring violated employee privacy rights.
Alpha Bank CCTV Access (2023): The HDPA imposed a EUR 10,000 fine on Alpha Bank for failing to provide CCTV footage in response to a data subject access request within the required timeframe.
Video Surveillance and CCTV Rules
Greece has developed particularly detailed rules around video surveillance, and the HDPA has built an extensive body of enforcement decisions in this area.
The HDPA has established that CCTV is permitted in private areas accessible to the public when it serves to protect persons and goods, based on the legitimate interest or legal obligation of the site administrator. However, several important restrictions apply.
CCTV systems must not be used to monitor employees for evaluation, assessment, or training purposes. This restriction means that employers cannot use camera footage to review worker performance, identify training needs, or make human resources decisions based on visual monitoring.
Organizations must conduct data protection impact assessments before deploying large-scale video surveillance systems. Signage must clearly inform individuals that surveillance is in operation, and the signage must include contact information for the data controller.
Retention periods for CCTV footage are subject to strict proportionality requirements. The HDPA has indicated that retention beyond 15 days requires specific justification, and many organizations limit retention to shorter periods based on the authority's guidance.
Data subjects have the right to access CCTV footage that captures their image, and the HDPA has fined organizations that fail to respond to such requests promptly, as demonstrated in the Alpha Bank case.
Age of Digital Consent
Greece set the age of digital consent at 15 years old. Children aged 15 and older may independently consent to information society services, while children under 15 require parental authorization. This places Greece in the middle range among EU member states, between countries that chose the minimum of 13 and those that maintained the default of 16.
Employee Data Protection
Beyond the specific CCTV restrictions, Greek data protection law includes several provisions affecting workplace data processing.
Employers must have a lawful basis under the GDPR for processing employee personal data. The employment contract provides a basis for processing data necessary to perform the contract, but employers must be careful not to extend processing beyond what is genuinely necessary.
The HDPA has been attentive to employee monitoring cases and has issued guidance emphasizing that workplace surveillance must be proportionate and that employees must be informed about any monitoring practices in place.
Data Breach Notification
Greece follows the standard GDPR breach notification framework. Data controllers must notify the HDPA within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The HDPA provides notification procedures on its official website.
When a breach is likely to result in a high risk to affected individuals, the controller must also communicate the breach to those individuals without undue delay.
International Data Transfers
Greece applies the standard GDPR framework for international data transfers. Transfers outside the EEA require either an adequacy decision from the European Commission, appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), or one of the specific derogations under the GDPR.
The HDPA has aligned with European Data Protection Board positions on transfer mechanisms and has incorporated Schrems II requirements into its supervisory approach.
Data Protection Officers
Greek law follows the GDPR's standard requirements for DPO appointments. Public authorities, organizations whose core activities involve regular systematic monitoring on a large scale, and organizations processing special category data on a large scale must designate a DPO.
The HDPA has published guidance on DPO qualifications and responsibilities, emphasizing the independence of the DPO role and the obligation to provide adequate resources.
Recent Developments
The HDPA has been active in 2025 with enforcement decisions spanning direct marketing, data subject rights, and surveillance compliance. The authority's 2025-2026 activity reflects increasing attention to emerging technology issues alongside traditional enforcement areas.
Greece is also working to implement complementary EU digital regulations, including the Data Governance Act and the AI Act, which will expand the regulatory landscape for organizations operating in the country.
Practical Compliance Tips
Organizations operating in Greece should pay particular attention to video surveillance compliance. The HDPA has built a detailed and active enforcement practice in this area, and non-compliant CCTV systems are a common source of fines.
Ensure all surveillance systems have proper signage, that data protection impact assessments have been conducted where required, that retention periods are justified and proportionate, and that procedures exist to respond to data subject requests for CCTV footage access.
Direct marketing activities also warrant careful attention, as the HDPA has shown willingness to impose fines for unsolicited communications, particularly in the energy sector.
Finally, organizations should be prepared for data subject access requests and have processes in place to respond within the GDPR's one-month deadline. The HDPA has fined organizations for delayed responses to access requests, even when the underlying data processing was otherwise compliant.
Disclaimer: This article provides general information about Greece's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in Greece for guidance on your specific situation.