Skip to content
World Watch/Greece/Data & Privacy

Data & Privacy · Greece

Data protection & GDPR compliance in Greece (2026)

Comprehensive lawEU GDPR (Regulation 2016/679) directly applicable + Greek Law 4624/2019 (national supplement, in force 29 August 2019) + Law 3471/2006 (ePrivacy Directive implementation); supervised by the Hellenic Data Protection Authority (HDPA)Country index 93 · A+

Greece shaded by its data & privacy status

Data protection in Greece: comprehensive law, under EU GDPR (Regulation 2016/679) directly applicable + Greek Law 4624/2019 (national supplement, in force 29 August 2019) + Law 3471/2006 (ePrivacy Directive implementation); supervised by the Hellenic Data Protection Authority (HDPA).

Greece operates under the EU GDPR as directly applicable law, supplemented by national Law 4624/2019 which exercises GDPR derogations for employee data, sensitive categories, and sectoral rules for health, insurance, and media. The Hellenic Data Protection Authority (HDPA) is the independent supervisory authority, maintaining an active enforcement record with significant fines against public bodies, telecoms, and private controllers. The ePrivacy Directive is transposed via Law 3471/2006 governing electronic communications privacy and unsolicited marketing.

GDPR & data protection in Greece

In Greece, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Hellenic Data Protection Authority (HDPA).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Hellenic Data Protection Authority (HDPA)
Applies to
any organisation processing the personal data of people in Greece, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Greece supplements it with a national data-protection act and its own supervisory authority.

GDPR in Greece: FAQ

Does the GDPR apply in Greece?

Yes. As an EU/EEA member, Greece applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Hellenic Data Protection Authority (HDPA).

Who enforces data protection law in Greece?

The Hellenic Data Protection Authority (HDPA).

What are the GDPR fines in Greece?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Greece?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Greece?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Primary Legal Framework

The EU GDPR (Regulation 2016/679) applies directly. Law 4624/2019, in force from 29 August 2019, supplements the GDPR and also implements Directive 2016/680 on law-enforcement data processing. Law 2472/1997 was largely repealed upon GDPR application.

Key National Derogations

Law 4624/2019 sets the digital consent age at 15 (GDPR default is 16), establishes specific employee data processing rules, and creates sectoral provisions for health, insurance, and media. The HDPA itself raised compatibility concerns with the GDPR in its Opinion 1/2020.

Supervisory Authority, HDPA

The Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) is the independent national DPA. It holds full GDPR Article 58 powers: investigations, corrective orders, bans on processing, and administrative fines up to the GDPR statutory maxima.

ePrivacy / Electronic Communications

Law 3471/2006 transposes the ePrivacy Directive (2002/58/EC) and governs privacy in electronic communications including unsolicited direct marketing (spam/SMS). Violations carry fines up to €150,000 per infringement under this law, enforced by the HDPA.

Recent Enforcement (2024-2025)

The HDPA fined the Greek Ministry of Interior €400,000 for unsolicited political emails, the National Bank of Greece €200,000 for systematically delayed Article 15 access responses, and Vodafone €350,000 for GDPR Article 28 violations plus €150,000 under Law 3471/2006. The HDPA also opened an ex officio investigation into the DeepSeek AI application.

EDPB 2026 Coordinated Enforcement

The HDPA is participating in the EDPB's 2026 Coordinated Enforcement Framework (CEF) action, assessing controllers' compliance with GDPR transparency and right-to-information obligations under Articles 13-14 across 25 EU/EEA supervisory authorities.

Greece - other topics

Data & Privacy in other countries

Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →