So far, the Greek Data Protection Authority (HDPA) has mainly opted to raise awareness, providing information, guidelines and consultations and taking on an important role as an interpreter of data protection law provisions. It has, however, also taken some significant enforcement measures. It has imposed EUR 150,000 fines on mobile phone operators for making unsolicited calls, a EUR 30,000 fine on a group of companies in the petroleum industry for unlawful processing and failure to comply with the required organisational and technical measures, among others.
Some other notable decisions include its ruling that Uber is an information society service, falling within the scope of GDPR and its decision regarding the right to erasure, forcing Google to comply with data subjects’ requests, which the company had initially rejected, as well as imposing fines for breaching surveillance provisions. In total, the HDPA has handled 66 data breach notifications in the first six months following implementation of the GDPR.
National legislation to implement the GDPR is still pending. The relevant bill was open to consultation and is expected to be finalised in the coming months.
GDPR is gaining attention in several law areas including labour law. Meanwhile HDPA activity has increased. The organisation chart has been updated to align with the post-GDPR era and controllers are currently being recruited, leading potentially to an increase of monitoring and enforcement measures. Recently, the HDPA published a list of the kind of processing operations subject to the requirement for a data protection impact assessment pursuant to Article 35(4) of the GDPR.
Greek courts have already dealt with a number of GDPR-related issues, such as notification requirements for the transfer of personal data to be used within the framework of employment litigation, compensation for unlawful transfer of personal data, valid consent issues and surveillance of employees.