On 29 August 2019, the much awaited new Greek data protection law came
into force. ?his law (4624/2019), implements both the provisions of the
EU Law Enforcement Directive (LED, 2016/680) and the General Data
Protection Regulation (GDPR) into national level. However, since the
first days after the law was adopted, a lot of criticism was voiced
concerning the lack of conformity of its provisions with the GDPR.
The Greek data protection law was adopted following the ?uropean
Commission?s decision of July 2019 to refer Greece to the Court of
Justice of the European Union (CJEU) for not transposing the LED on
time. Thus, the national authorities acted fast in order to adopt a new
data protection law. Unfortunately, the process was rushed through. As a
result, the new data protection law suffers from important shortcomings
and includes Articles that are challenging the provisions of the LED or
even the GDPR.
In September 2019, Greek EDRi observer Homo Digitalis, together with a
Greek consumer protection organisation EKPIZO, sent a common request to
the Hellenic data protection authority (DPA) asking it to issue an
Opinion on the conformity of the Greek law with the provisions of the
LED and the GDPR. The DPA issued a press statement in early October 2019
announcing that it will come up with an Opinion in due time. Moreover,
on 24 October 2019; Homo Digitalis filed a new complaint to the European
Commission regarding the provisions of the Greek data protection law
that are challenging the EU data protection regime.
Moreover, in order to acquire a thorough view on the Greek law, Homo
Digitalis reached out to one of the most prominent privacy and data
protection law experts in Greece, Professor Lilian Mitrou, who kindly
shared her thoughts on the positive and one negative aspects of the new
data protection law.
Professor Mitrou states that, on the positive side, the Greek legislator
has introduced further limitations to the processing of sensitive data
(genetic data, biometric data or data concerning health). Thus,
according to the Article 23 of the new Greek law, the processing of
genetic data for health and life insurances is expressly prohibited. ?In
this respect the Greek law, by stipulating prohibition on the use of
genetic findings in the sphere of insurance, precludes the risk of
results of genetic diagnosis being used to discriminate against people,?
However, a strong point of criticism relates to the provisions
concerning the purpose alienation. The Greek law introduces very wide
and vague exceptions from the purpose limitation principle that
prohibits the further use of data for incompatible purposes. ?For
example, private entities are allowed to process personal data for
preventing threats against national or public security upon request of a
public entity. Serious concerns are raised also with regard to the
limitations of the data subjects? rights,? Professor Mitrou points out.
She reminds that the Greek legislator ?has made extensive use of the
limitations permitted by Article 23 of the GDPR to restrict the right to
information, the right to access and the right to rectification and
erasure?. However, these restrictions have been adopted without fully
complying with the safeguards provided in Article 23, para 2 GDPR.
Moreover, the Greek law introduces provisions that allow the data
controller not to erase data upon request of the data subject, in case
the controller has reason to believe that erasure would adversely affect
legitimate interests of the data subject. Thus, the data controller is
allowed by the Greek legislator to substitute the will of the data subject.
?The Greek law has not respected the GDPR as standard borderline and has
(mis)used ?opening clauses? and Member State discretion not to enhance
but to reduce the level of data protection,? Professor Mitrou concludes.
The data protection law 4624/2019 (only in Greek 29.08.2019)
Official Request to the Hellenic Data Protection Authority for the
issuance of legal opinion on Law 4624/2019 (20.09.2019)
Homo Digitalis on a seminar discussion regarding Law 4624/2019 (24.09.2019)
Homo Digitalis? complaint to the European Commission against the new
data protection law 4624/2019 (24.10.2019)
(Contribution by Eleftherios Chelioudakis, EDRi observer Homo Digitalis,