Data protection & privacy laws in Greece (2026)

The EU GDPR (Regulation 2016/679) applies directly. Law 4624/2019, in force from 29 August 2019, supplements the GDPR and also implements Directive 2016/680 on law-enforcement data processing. Law 2472/1997 was largely repealed upon GDPR application.

Law 4624/2019 sets the digital consent age at 15 (GDPR default is 16), establishes specific employee data processing rules, and creates sectoral provisions for health, insurance, and media. The HDPA itself raised compatibility concerns with the GDPR in its Opinion 1/2020.

The Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα) is the independent national DPA. It holds full GDPR Article 58 powers: investigations, corrective orders, bans on processing, and administrative fines up to the GDPR statutory maxima.

Law 3471/2006 transposes the ePrivacy Directive (2002/58/EC) and governs privacy in electronic communications including unsolicited direct marketing (spam/SMS). Violations carry fines up to €150,000 per infringement under this law, enforced by the HDPA.

The HDPA fined the Greek Ministry of Interior €400,000 for unsolicited political emails, the National Bank of Greece €200,000 for systematically delayed Article 15 access responses, and Vodafone €350,000 for GDPR Article 28 violations plus €150,000 under Law 3471/2006. The HDPA also opened an ex officio investigation into the DeepSeek AI application.

The HDPA is participating in the EDPB's 2026 Coordinated Enforcement Framework (CEF) action, assessing controllers' compliance with GDPR transparency and right-to-information obligations under Articles 13–14 across 25 EU/EEA supervisory authorities.