[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Hellenic Republic (Greece)

Constitutional Privacy Framework

The Constitution of Greece recognizes the rights of privacy and secrecy of communications. Article 9 states: "(1) Every person's home is a sanctuary. The private and family life of the individual is inviolable. No home search shall be made, except when and as specified by law, and always in the presence of representatives of the judicial power. (2) Violators of the preceding provision shall be punished for violating the home's asylum and for abuse of power, and shall be liable for full damages to the sufferer, as specified by law."[2567] A constitutional amendment in 2001 added a new provision to this article granting individuals a direct right to protection of their personal information. Article 9A, states: "All persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law”.[2568] Article 9A also establishes the Data Protection Authority: “The protection of personal data is ensured by an independent authority, which is established and operates as specified by law."[2569] Article 19 of the Constitution protects the privacy of communications. It states: "Secrecy of letters and all other forms of free correspondence or communication shall be absolutely inviolable. The guarantees under which the judicial authority shall not be bound by this secrecy for reasons of national security or for the purpose of investigating especially serious crimes shall be specified under law." The 2001 amendment, in addition to adding two new provisions to this article, establishes an independent authority, to supervise matters relating to telecommunications.[2570] Article 19(2) now states: "The matters relating to the establishment, operation and powers of the independent authority ensuring the secrecy of paragraph 1 shall be specified by law." Article 19(3) states: "The use of evidence acquired in violation of the present article and of articles 9 and 9A is prohibited."[2571]

Data Protection Framework

The Law on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act) was approved by the Parliament in April 1997.[2572] Greece was the last member of the European Union (EU) to adopt a data protection law and its law was written to directly adopt the EU Data Protection Directive (1995/46/EC). The Act was also necessary for Greece to join the Schengen Agreement. Greece has also incorporated into its national law all of the EU privacy protection Directives in the telecommunications sector, with the exception of the most recent Data Retention Directive.[2573]

The first major amendment of the Data Protection Act of 1997 came in 2006.[2574] The amendment refined the term “personal data” and adds provisions concerning the transfer of data to third countries.

Data Protection Authority

Implemented to ensure basic privacy protection, the Data Protection Act not only established the Hellenic Data Protection Authority (DPA), but also a set of guidelines, principles and rules relating to the use, processing, storage and export of personal data in both electronic and manual files.[2575] The DPA was established in November 1997 as an independent authority set to monitor privacy violations in Greece. It was created to supervise the implementation of the Data Protection Act and all regulations referring to the protection of personal data.[2576] It also exercises other powers delegated to it from time to time.

The DPA consists of 24 members. The Authority is composed of a judge of a rank corresponding at least to that of a Conseiller d’État as President.[2577] The Authority is assisted by a Secretariat that operates at the directorate level. It consists of three departments: a) Auditors' Department (11 employees), b) Communications Department (2 employees), c) Department of Administration and Budgetary Affairs (7 employees). Each of the departments has a supervisor. All departments are supervised by the Director.[2578]

The DPA enforces the Act. The Authority may impose on the controllers or on their representatives both administrative and penal sanctions. The administrative sanctions range from warning with an order for the violation to cease within a specified time limit, to the destruction of the file or a ban of the processing and the destruction of the relevant data.[2579] The penal sanctions include: punishment by imprisonment for up to three years and a fine amounting between 1,000 EUR and 150,000 EUR.[2580]

The DPA is responsible for archival audits, issuing regulatory acts arising from legislation on data protection, and providing information and recommendations to interested parties to ensure compliance with data protection regulations. Its mandate includes issuing directives to enhance uniformity in implementation and to protect personal data vis-à-vis technological developments; assisting controllers in drafting codes of conduct; examining complaints; reporting violations; and issuing decisions related to the right to access information. The DPA grants permits for the collection and processing of sensitive personal data and is accountable for the interconnection of files, including sensitive data and the trans-boundary flow of personal data. The DPA's communications office is in charge of all public relations and communication with private and public services and institutions, the media, foreign data protection authorities, European Union authorities, and international organizations and institutions.[2581]

On May 4, 2000, in a controversial but important ruling, the DPA ruled that religious affiliations must be removed from state identity cards. The decision was opposed by the Greek Orthodox Church and led to massive protests and challenges to the ruling.[2582] The strong connection between the Greek Orthodox Church and the State is notable as there is no separation between Church and State.[2583] In March 2001, Greece's highest administrative court upheld the ruling finding that stating citizens' religious affiliation on the compulsory identity cards was unconstitutional.[2584] Prior to the ruling, Greece was the only member of the European Union that required citizens to list their religious beliefs on citizen identity cards. The new Greek identity cards do not include religion, even on a voluntary basis. In addition to the removal of religious affiliation, new identity cards also no longer include fingerprints, names and surnames of the cardholder's spouse, maiden names, professions, home addresses, or citizenship.

The DPA has issued directives relating to direct marketing, CCTV, DNA testing, and workplace surveillance. The DPA has also issued guidelines covering data protection in the workplace in particular surveillance of phone calls and e-mails.[2585] In September 2000, the DPA set out guidelines prohibiting the recording, use, monitoring, and retention of personal information through the use of CCTV on a regular, continuous, or permanent basis.[2586] Recording is only lawful when it is done for the protection of individuals or goods or for traffic violations and only under the principles of necessity and proportionality. In these exceptional cases, the DPA must grant permission, and the rules on accuracy and notification must be followed. With respect to crime prevention or repression, the DPA must grant special permission to judicial and legal authorities to use cameras, with strict guidelines for use and retention.

With respect to DNA analysis for the purpose of criminal investigation and prosecution, the DPA issued an opinion in 2001 expressing concern with the methods and effects of collection of citizens' sensitive data. According to the opinion, the genetic analysis of DNA must be limited to the "non-codified section of DNA" and identity verification.[2587] The DPA advised that any methods that allow any conclusions about the personality traits of individuals from their DNA should be forbidden, including personality profiling.[2588] This method of investigation should only be used for verification of offenders' and victims' identity and for criminal investigations and should be destroyed once the fulfillment of the intended aim is achieved. Finally, the DPA does not support any effort to collect and analyze genetic material for preventative purposes.[2589]

In 2003, the DPA struck down the use of biometric identity verification at the International Athens Airport.[2590] The biometric system sought to ensure that the passenger who checked in was the same at the person who actually boarded the airplane. While observing that such cases should be decided on a case-by-case basis, the DPA ruled that the collection and processing of iris and fingerprint data for verification of passenger identity was not permissible. Pursuant to the Greek Data Protection Act, the biometric data process was unlawful because the gathering of personal data exceeded its purpose. The DPA noted that passenger identity could be ascertained in a "milder way" by requiring passengers to show an identity card along with the airplane ticket.[2591]

In 2004, the Olympic games year for Greece, privacy issues handled by the DPA mostly referred to the Games’ security. Altogether,[2592] the Greek Data Protection Authority received 626 complaints, 682 questions regarding data protection matters and 663 registrations to Robinson’s List (list of persons who do not wish data relating to them to be submitted to processing for the promotion of sales and long distance services), conducted 36 controls to files, issued 66 decisions and three opinions.[2593] The majority of the complaints are examined by the Auditors Department. Some complaints are also examined by the Board.[2594] A decision or an answer is issued and the interested parties are notified.[2595]

In 2006, the Data Protection Authority paid particular attention to the credit reporting sector. The DPA issued several decisions reiterating the basic data protection principle of keeping personal data only for as long as they are needed for the purposes they were collected.[2596] The DPA also issued an order prohibiting the posting of tenants’ money due for operational costs in their blocks of flats.[2597] Schengen-related issues were also popular with the DPA.[2598]

In 2005, the DPA refused to give permission to the Minster of National Defense to publish the names of the persons who were illegally disqualified to render military service. The Minister wanted to publish the names as a public example in order to avoid such a situation in future. The DPA concluded that the purpose can be more appropriately achieved by publishing the statistics on the number of cases that were examined and punished.[2599] An appeal of the Minister of National Defense to the Supreme Administrative Court (Simvoulio tes Epikrateas) against the DPA was rejected.

Wiretapping and Surveillance Rules

Law No. 2225/94 requires police who wish to conduct telephone taps to obtain court permission.[2600] While the current Greek Penal Law does address some cybercrimes, the penalties for violators are generally not severe, and when Greece tries to reduce cybercrime, the laws it passes generally do not correct the problem.[2601] One example of this can be seen in the attempt of the Greek government, during the summer of 2002, to restrict electronic games. This was primarily done to stem the flow of illegal online gambling, but led to economic hardship for many arcade owners, Internet cafes and computer game stores. Many of them closed or were forced to pay big fines for violations of the law. A side effect of these closures was the even bigger support for illegal distribution of pirated copies of games. This ultimately led to its repeal.[2602]

Tough security measures, including military patrols, special commando units and more than 1,000 surveillance cameras were put in place for the 2004 Olympic Games in Athens.[2603] Greek law enforcement authorities were provided training and intelligence assistance from seven countries: Australia, Britain, France, Germany, Israel and Spain, and the United States.[2604] There was little concern over the violation of citizens’ privacy through the use of these cameras.

In May 2004, the DPA approved a police request to operate closed-circuit television (CCTV) cameras on the streets during the "operational phase" of the Olympics, as long as the cameras are not used after the Games.[2605] According to the DPA's decision, the cameras could legally operate from July 1 until October 4, 2004. Other conditions were that the cameras not be set up in such a way that they film the entrances or interiors of homes or that they record the conversations of passers-by, and that there be adequate signposting informing citizens they are entering surveillance areas. The legal preconditions to using the video cameras include: (a) there is no receipt or record of images of the entrance or the interior of private homes; (b) the receipt and hearing of conversations of inhabitants or passing people is not possible; (c) the person is informed in a convenient and an adequate way before he enters the range of the video camera (adequate number of distinguishable signboards in visible places) in a place that is video recorded as well as the purpose of the video recording; (d) the rules of security system as well as data storage are strictly followed; and (e) the maintenance of the data is permitted for a period of seven days.[2606]

In November 2004, the DPA allowed the continuation of the closed-circuit television on the streets for a period of six months, as long as it was used only for the car circulation and not for any other reason including the ascertainment of illegal acts other than those related to the car circulation. The use of cameras was allowed only in the roads of high circulation and not in the roads of low circulation or at places, squares, parks, pedestrian-precincts, and public assembly areas (e.g. entrance of theaters). The cameras were to be set in such a way that they did not film the entrances or interiors of homes, and the receipt of sound should not be possible.[2607]

In 2006, the police asked the DPA for yet another extension for the use of the same surveillance system operating in Athens since the Olympic Games of 2004. The DPA extended its use until May 24, 2007 (Decision 39/2006), but also imposed a penalty (of 3,000 EUR) when it established that the terms set by the DPA had been breached by the police (Decision 57/2006).

Perhaps the most important privacy-related development came in early 2006 when it was made public that the mobile phones of a number of ministers and politicians (including the Prime Minister) were tapped for a period starting from the Olympic Games of 2004 until March 2005.[2608] Altogether more than 100 mobile phones were tapped, all numbers operated by Vodafone Greece, using Ericsson’s software (the same companies first revealed the case, when “they were made aware of it”). The antennas through which the above mobile phones were tapped were all located in the area around the American Embassy in Athens, but no connection to it was established. The case held tremendous publicity, allegedly led to top-level management changes in the companies implicated, and also led to enactment of the Hellenic Authority for the Information and Communication Security and Privacy who led the relevant investigations. A Parliamentary Special Committee was also established, but none of the investigations or state initiatives led to any tangible results. However, the DPA fined Vodaphone 76 million EUR for failing to protect the network from the unknown hackers.[2609]

E-Government

The Greek Ministry of the Interior is actively engaged in the delivery of e-government projects, including the creation of a data and voice network connecting approximately 2,000 public bodies via the National Public Administration Network. “Additionally, we are promoting the further development of the Citizen Service Centers (KEP), developing information technology infrastructure and introducing contemporary tools in various government organizations,” said Mr. Pavlopoulos, the Minister of Interior. The Minister spoke at the E-Government Forum organized by “The Economist” in Athens on October 19, 2004.[2610]

In 2006 Greece was still trying to implement an efficient e-government policy, and to keep up with rapid EU data protection developments. As far as its e-government policy is concerned, attempts have focused on strengthening and generalizing the use of KEPs (see above); additionally, emphasis was given on an increase of broadband connections. Data protection developments have been moving rapidly. Greece, traditionally adopting a strict privacy policy, is moving rather cautiously towards the necessary legislative steps for ratification or adoption of these documents.[2611]

Open Government

In 1999, Greece created Article 5 of the Greek Code of Administrative Procedure (Law No. 2690/1999),[2612] which is a new Freedom of Information Act that provides citizens the right to access administrative documents created by government agencies. It replaces Law 1599/1986, which regulated the use of the Single Register Code Number (EKAM).[2613]

International Obligations

Greece is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)[2614] and the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR).[2615] In November 2001, Greece signed the CoE Convention on Cybercrime.[2616] Greece is also a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[2567] Constitution of Greece (1975) as amended in 2001, available at <http://www.parliament.gr/english/politeuma/syntagma.pdf>.
[2568] Id.
[2569] Id.
[2570] Id.
[2571] Id.

[2572] Law No. 2472 on the Protection of Individuals with regard to the Processing of Personal Data, available at <http://www.dpa.gr/Documents/Eng/2472engl_all.doc>.
[2573] Directive 97/66/EC transposed into national law through Law no. 2774/1999; the latter was replaced by Law no. 3471/2006, whose first part incorporated Directive 2002/58/EC into national law. The incorporation of Directive 2006/24/EC on data retention is still pending.

[2574] Law no. 3471/2006.

[2575] Data Protection Act <http://europa.eu.int/ISPO/legal/en/news/9709/chapter6.html>.
[2576] Homepage <http://www.dpa.gr/home_eng.htm>.

[2577] Law 2472/97, chapter D, article 16 (Composition of the Authority).

[2578] E-mail from Amalia Logiaki, Hellenic Data Protection Authority, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center, May 31, 2005 (on file with EPIC).

[2579] Law 2472/97 chapter E, artciles 21-22. Other administrative sanctions include: a fine amounting between GRD 300,000 and GRD 50,000,000, a temporary revocation of the permit, a definitive revocation of the permit.
[2580] For further information, see sections 21-22 (Sanctions).

[2581] Homepage <http://www.dpa.gr/home_eng.htm>.

[2582] "Greek Church at War Over Plans to Change ID Cards," The Guardian, May 24, 2000.
[2583] E-mail from Fereniki Panagopoulou, to Cédric Laurant, Policy Counsel, Electronic Privacy Information Center, June 25, 2004 (on file with EPIC).
[2584] "Greek Church Causes Fresh Identity Crisis," The Guardian, August 29, 2001. See also Decision 134/31.10.2001, available at <http://www.dpa.gr/decision_eng.htm>.

[2585] Article 29 Data Protection Working Group Party, Fifth Annual Report on the Situation regarding the Processing of Individuals with Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries, Part II, March 6, 2002, available at <http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp54en_2.pdf>.
[2586] Hellenic Data Protection Authority, Directive on Closed Circuit Television Systems, 1122-26.09.2000, available at <http://www.dpa.gr/decision_eng.htm>.

[2587] Hellenic Data Protection Authority. Opinion.15/2001, available at <http://www.dpa.gr/decision_eng.htm>.
[2588] Id.
[2589] Id.

[2590] Hellenic Data Protection Authority, Decision 52/05.11.2003, available at <http://www.dpa.gr/decision_eng.htm>.
[2591] Id.

[2592] Compared to 2001 and 2002, the total number of complaints submitted to the DPA for the year 2003 decreased to reach 228. 23 were against banks, 129 for access to files, 16 against creditworthiness ascertainment companies, 22 against telecommunications companies, 15 against hospitals, 10 against CCTV, 11 against marketing companies and two against System Information Schengen. Since the entry into force of Greek law on the protection of personal data, the DPA has performed 51 audits on privacy policies and standards.
[2593] E-mail from Amalia Logiaki, supra.
[2594] See <http://www.dpa.gr/authority_eng.htm#pre>http://www.dpa.gr/authority_eng.htm#pre>.
[2595] E-mail from Amalia Logiaki, supra.

[2596] Decisions 12 to 18/2006 on data controllers who did not delete personal information according to the Data Protection Act.
[2597] Decision 35/2006.
[2598] Decisions 19, 20, 46, 51/2006.

[2599] Ninth Annual Report of the Article 29 Working Party on Data Protection for the year 2005, June 14, 2006 at 48, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual_report_en.pdf>.

[2600] Law No. 2225/94 (last amended 2003).
[2601] Christos Panageas, Computer Crime and Misuse: The Case of Greece and the EU (2003) (unpublished B.S. thesis, City College of the University of Sheffield) (on file with EPIC).
[2602] Id. See also Amanda Castleman, "More Fallout Over Greek Game Ban," Wired.com, February 13, 2003, at <http://www.wired.com/news/games/0,2101,57305,00.html>.

[2603] "Athens to Be on Full Alert for Games," The Ottawa Citizen, November 24, 2000.
[2604] "Olympics: More to It Than Games," The New York Times, July 24, 2001.

[2605] "Privacy Watchdog Approves Use of Street Cameras, But Only During Games," Kathimerini, May 5, 2004.

[2606] E-mail from Fereniki Panagopoulou, supra. See also Hellenic Data Protection Authority, Decision 28/03.05.2004, available at <http://www.dpa.gr/decs.htm> (in Greek).

[2607] Hellenic Data Protection Authority. Decision 63/2004.

[2608] Greek Privacy Watchdog Fines Vodaphone Over Wiretapping Scandal, International Herald Tribune Europe, December 14, 2006, available at <http://www.iht.com/articles/ap/2006/12/14/europe/EU_GEN_Greece_Wiretaps_Vodafone.php>.
[2609] Id.

[2610] “E-government a Priority for Greece, Says Minister of the Interior,” eGoverment news, October 22, 2004, available at <http://europa.eu.int/idabc/en/document/3409/337>.

[2611] Email from Vagelis Papkonstantinou, PKPartners, Greece, to Allison Knight, Research Director, Electronic Privacy Information Center, July 6, 2007 (on file with EPIC).

[2612] <http://www.rz.uni-frankfurt.de/~sobotta/greecenew.htm>.
[2613] Law No 1599/1986 on the Relationship of a New Type of Identification Card and Other Provisions.

[2614] Signed February 17, 1983; enacted August 11, 1995; entered into force December 1995.
[2615] Signed November 28, 1950; enacted November 28, 1974; entered into force November 28, 1974.
[2616] Signed November 23, 2001.