The general clause on the protection of personality, Article 57 of the Civil Code, can serve (and has served) as a ground of liability for any impermissible processing of personal data. Article 57 has been applied widely. All the indications from jurisprudence are clear: the Greek courts were ready to interpret the clause for the protection of personality as a proper foundation of a cause of action aiming at the prescription of the illegal processing of personal data and, most importantly, at an award of damages for moral harm (non-pecuniary losses) independent of any physical or, more generally, tangible injury.
The European regulatory context and the Greek legislation
Greece has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). Being a member of the Council of Europe, Greece had also signed Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Greek Parliament ratified the Convention in 1992 even without having (at that time) data protection legislation in place, i.e. contrary to the respective requirement of Convention 108.
The legislator delineated the constitutionally acceptable processing of personal data with the adoption of Law 2472/97 on the protection of individuals with regard to the processing of personal data, thus transposing the Data Protection Directive (95/46/EC) into national law. The similarities between the approach taken by the Greek legislator and that of the European Union are obvious and at the same time reasonable, as the Greek Parliament was expected to adapt the regulations to the standards and binding demands laid down by the Directive.
The Greek legislator has made full use of the discretion afforded by the Directive in order to further enhance the protection of individuals. Initially, the Law did not contain full, or even very wide, exemptions with regard to matters such as national security, defence, police or other criminal matters. However, such an exemption was introduced in 2007 (through Article 8 of Law 3625/2007), excluding the processing of personal data by judicial authorities, prosecutors and security/police authorities for the purposes of law enforcement from the application of the provisions of the law and from the oversight of the Data Protection Authority. According to legal doctrine, these amendments ignore the so-called “shield function” of the data protection legislation and the data protection authority, which offers an adequate guarantee for citizens against the misuse of their data by police and other security authorities. Taking into account that the right to data protection is to be ensured by an independent authority, which is solely competent for monitoring enforcement, such an exception raises significant concerns in relation to its compliance with the Greek constitutional framework. The Data Protection Authority has also pointed out that these amendments also infringe Article 8 of the European Convention on Human Rights as interpreted through the jurisprudence of the European Court of Human Rights.
The main characteristics of the Greek Data Protection Law
The Greek legislator opted for a general legal framework with a wide scope including all relevant areas of society (the so-called “omnibus approach”). The Greek system could also be described as “monistic”, in the sense that consolidated rules on data processing are introduced for both the private and the public sector. Furthermore, the provisions of the Law cover, without exceptions and without differentiations, automated processing but also processing carried out by conventional means.
Special emphasis has been put on the object of the law, which is “to establish the terms and conditions under which the processing of personal data is to be carried out so as to protect the fundamental rights and liberties of natural persons and in particular their right to privacy”. Law 2472/97 constitutes a framework which rests on four pillars: a) the establishment of conditions, obligations and responsibilities for the lawful processing of personal information; b) the maintenance of transparent processing, based not only on the notification system but mainly on the rights of individuals; c) the establishment of external, independent and effective oversight of the data processing activities in the public and private sector; and d) a system of administrative and penal sanctions as well as provisions on civil liability.
As far as definitions are concerned, most of the basic data protection terms are defined in Article 2 of the Law, generally in compliance with the Data Protection Directive but with some modifications. The Law (Article 2(b)) adds a definition of “sensitive data”, which includes the “special categories of data” listed in Article 8(1) of the Directive, i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sexual life. The Greek Law also included in this category information on social welfare as well as data about criminal charges or convictions.
A main characteristic of the Greek data protection law is the classification of personal data based on its perceived sensitivity. The Act distinguishes between personal data and sensitive personal data, the latter being subject to strict(er) safeguards and procedural formalities. The Greek legislator has also considered that the so-called “interconnection of files” is likely to present specific risks: the interconnection of files is, under the conditions laid down in law, subject to notification or prior checking by the supervisory authority.
Data protection principles and legitimate grounds of processing
The data protection principles, contained in Article 6 of the Directive, are set out in very similar, but not quite identical, terms in Article 4 of the Law (under the rather confusing title “Characteristics of Data Processing”). According to the law, personal data must be processed “fairly and lawfully” and for “specific, explicit and legitimate purposes” (Article 4 a). In accordance with the Directive, the Greek law stipulates that personal data must be “adequate, relevant and not excessive in relation to those purposes” (Article 4 §1 b), as well as “accurate and, where necessary, kept up to date” (Article 4 §1 c). The Authority conceives the purpose limitation principle in a flexible and open way. Both in the interpretation of the Law and in the jurisprudence of the DPA, reference is made not only to the criterion of “fairness” but also – and perhaps mainly – to the “compatibility” of further processing with the primarily defined purpose. The principle of proportionality is a key feature of the data protection law and especially of the jurisprudence of the DPA.
With regard to the criteria for legitimate processing of personal data, Article 5 of the Law sets out the criteria contained in Article 7 of the Directive, however with some significant differences. The first point of difference concerns the “consent” of the data subject. The Greek data protection law places particular emphasis on the “consent” of the data subject to the processing of his/her personal data: in the Greek Law consent serves as the standard norm and all other legal grounds (contract, legal obligation, vital interest, public interest, lawful interest of data controller/third person) are considered exceptional. The Data Protection Authority is very strict with regard to consent. Applying the detailed definition of consent as well as the general principles of Greek constitutional and civil law, the DPA has ruled that, in the case of processing of employees’/workers’ personal data, consent cannot be accepted as a legal ground for collection and processing, as it doubts whether such consent is “free”, as required by the definition of consent (Article 2 k of Law 2472/97).
The Rights of the Individuals
With regard to individuals’ rights, the Greek law also has its own distinctive approach. The obligations on data controllers to provide information when data is collected are established as data subjects’ rights (Article 11). The content of the information to be given is slightly longer than that provided explicitly in the EU Directive: data controllers have in any case to inform the data subjects not only about their identity and the purpose of data processing, but also about possible recipients, the existence of an obligation to reply, as well as the right of access and the right of rectification. This obligation may be suspended by virtue of a decision by the supervisory authority, provided that the data collection is carried out for reasons of national security or the investigation of especially serious crimes, as they are defined by the Greek constitution and the law.
The Greek law entitles every person to exercise the right of access and imposes upon data controllers the obligation to answer in writing (Article 12). However, restrictions on the rights of access are allowed only insofar as they are necessary to safeguard national security and criminal investigations and prosecutions. The rights to rectification, erasure or blocking are dealt with together in a separate article with the right to object to processing (Article 13). Attention must be paid to the right to object, which is not dependent upon the justification of “compelling legitimate grounds relating to his particular situation”. A right to appeal to the supervisory authority is granted where the controller does not respond to the petition or his/her reply is not satisfactory.
The Greek Data Protection Authority
The starting point of the Greek legislator, even before the DPA was embedded in the Constitution, was that efficient legislation presupposes the establishment of a system of “external supervision” in the form of an independent authority, in order to ensure a good level of compliance with the law and provide support to data controllers and individuals. The law established a supervisory authority, which started its operation on November 10th, 1997. A constituent part of the very concept of control is the independence of the organ of control, understood as the total of statutory and functional conditions which make possible the pursuit of the special objectives of control and their achievement.
The supervisory authority constituted, already from its establishment, an “independent public authority”, which by definition does not belong to the classic scheme of the separation of powers and is not subject to supervision by a Minister. After the Amendment of the Constitution in 2001 the President and the Members of the DPA should be appointed by the abovementioned all-party parliamentary Committee (Conference of Presidents), requiring unanimity or at least a four-fifths majority. In other words, these appointments should be the result of consensus between at least two major parties.
The Greek law introduced a system of control, which, in essence, makes the Authority the decisive factor on which the implementation of the legislative provisions pivots. It is the model of control in which the control organ, apart from the stricto sensu monitoring of compliance with the regulations, is endowed with broad decision-making powers and is equipped with the means, which allow it to impose its decisions and views, always subject to judicial review. The Data Protection Authority has extensive and significant tasks (investigative powers and powers of decision and intervention). Remedies against the binding decisions of the Authority may be filed by the natural or legal persons affected by the decisions of the DPA and also by the State. Such remedy shall be initiated by the competent Minister.
It has a wide range of other consultative functions, set out in a long list of paragraphs in Article 19. Especially during the first phase, the DPA set as a priority the clarification of the applicable rules and focused on its quasi-regulatory competences. The DPA has issued a number of so-called “instructions” (Directives) for the purpose of a uniform application of the rules pertaining to the protection of data subjects. The Authority constantly gives advice to data controllers in the private and – also and mainly – in the public sector. The DPA has acted as a policy adviser, either by proposing amendments of the law or by commenting on privacy implications of proposed legislation or by giving testimony at the Parliament.
Last but not least, equally important is its role as “Data Protection Ombudsman” for individuals, when the latter face difficulties in relation to the processing of their data and/or in the exercise of rights granted to them by the law. The DPA is entrusted with the task of considering complaints and reports lodged by data subjects and it has wide-ranging discretion in deciding on such complaints. This does not mean that the DPA should be regarded as a special court. However, it carries out quasi-judicial activity, especially in respect of its auditing power, the possibility of hearing both “parties”, the enforceability of its decisions, and the provision for them to be challenged before ordinary courts.
The starting point of the legislator’s approach was that the existence of effective and dissuasive sanctions is important in ensuring respect for the adopted rules. Therefore the law includes an impressive array of detailed provisions on sanctions, which may be administrative or criminal, in case of non-compliance with the provisions of the law. As far as administrative sanctions are concerned, the Authority may impose on the Data Controllers sanctions for breach of their duties arising from this law as well as from any other regulation on the protection of individuals from the processing of personal data. The Authority may also impose fines on the State, i.e. Ministries, State authorities/agencies, local authorities.
Greek data protection law provides for judicial remedies and the civil liability of the data controller in cases where a person has suffered damage as a result of unlawful processing. The law provides for penal sanctions in case of non-compliance with a) the substantial and procedural provisions of the law and b) the binding decisions of the Data Protection Authority. Criminal sanctions may also be imposed in case of breach of rules of lawful processing as well as security and secrecy legal requirements. Criminal sanctions range from imprisonment of up to one year for keeping a file without a permit or for breach of a permit’s conditions to incarceration of ten years for anyone who, by breaching the provisions of the law, purported to gain unlawful benefit on his/her behalf or on behalf of another person or to cause harm to a third party.






