GREECE
LAW
no. 2472
On
the Protection of Individuals with regard to the Processing of Personal
Data
CHAPTER
A GENERAL PROVISIONS
Article
1 Scope
The scope
of this law is to establish the conditions regarding the processing
of personal data and protect human rights, fundamental liberties and
private life, in particular.
Article
2 Definitions
For the
purposes of this law the following words or expressions shall have the
following meanings:
a) "personal
data" shall mean any information pertaining to the person who is
the data subject. As personal data may not be regarded the consolidated
data of a statistical nature, from which one may no longer identify
the persons who are the data subjects.
b) "Sensitive
data", shall mean the data being in connection with the racial
or ethnic origin, with political beliefs, religious or philosophical
convictions, with the participation in a society, association or trade
union, with health, social welfare and sexual life as well as with everything
being in connection with penal prosecutions or sentences imposed by
a court.
c) "Data
Subject" shall mean the natural person or private individual to
whom these data refer and whose Identity is known or may be found, that
is to say, his identity may be determined directly or indirectly, especially
on the basis of an identity card number or on the basis of one or more
specific details designating his existence from a physical, biological,
psychological, financial, cultural, political or social viewpoint.
d) "Processing
of personal data" ("processing"), shall mean any individual
act or a series of acts of processing performed by the State or by a
public law or private law legal entity or a body of persons or a natural
person with or without the assistance of automated method and applying
to personal data, such as the collection, recording, organization, preservation
or storage or amendment to, extraction, use or transmission or the dissemination
or any other form of disposal or comparison or co-relation or interconnection
or blocking, or erasure or destruction thereof.
e) "Personal
Data Filing System" ("Filing System") shall mean a group
of data of a personal nature which constitute or may constitute the
subject matter of processing and which are kept either by the State
or by a public law or private law legal entity or by a body of person.
or by a natural person.
f) "Interconnection",
means a form of processing consisting in the possibility of corelating
the data of a file to the data of a file or files kept by another person
or persons who are in charge of processing or with data of a file or
files kept by the same person who is in charge of processing for another
purpose.
g)"Controller",
shall mean any person who specifies the scope and the way of processing
of personal data and who may be a natural person or a legal entity,
a public authority or department or any other organization. When the
scope and the way of processing are prescribed by law provisions or
regulations of domestic or E.C. law, then the Controller or the special
criteria on the basis of which its selection is made shall be specified
respectively by domestic or E.C. law.
h) "Processor",
shall mean anyone who processes personal data on behalf of the Controller,
such as a natural person or a legal entity, a public authority or department
or any other organization whatsoever.
i) "Third
party" shall mean any natural personal or legal entity, a public
authority or department or an organization whatsoever other than the
person who is the data subject, the Controller and the persons who are
authorized to process the personal data, provided they act under the
direct supervision or on behalf of the Controller.
j) "Recipient",
means the natural person or the legal entity, the public authority or
department or any other organization whatsoever, to whom or to which
the data are transmitted, no matter whether it has to do with a third
party or not.
k) "The
Data Subject's Consent" shall mean any freely, given, specific
and informed indication of his wishes by which the data subject, after
being previously informed, signifies his agreement to personal data
relating to him being processed. The rendering of such information shall
include information which at least pertains to the purpose of processing,
the data or the categories of data to which the processing relates,
the recipients or the categories of recipients of personal data, as
well as the name, trade name and the address of the Controller and his/its
representative, if any. Such consent may be revoked at any time without
a retroactive effect.
l) "Authority"
shall means the Protection of Personal Data Authority which is established
in Chapter D' of this law.
Article
3 Scope
1.
The provisions of this law shall apply to the automated processing
in whole or in part as well as to the nonautomated processing of personal
data which are included or are to be included in a file.
2. The
provisions of this law shall not apply to the processing of personal
data which is implemented by a natural person for the purpose of proceeding
to activities of an exclusively personal or household nature.
3. The
present law shall apply to any processing of personal data, provided
such processing is realized:
a) By a
Controller or a Processor established in the Greek Territory or at a
place, where on the basis of public international law, Greek law applies.
b) By a
Controller who is not established in the Greek Territory or at a place,
where Greek law applies, when such data processing pertains to persons
established in the Greek Territory. In that case, the Controller will
be obliged to indicate by his statement in writing addressed to the
competent authority a representative domiciled or established in the
Greek territory, who will be subrogated to the supervisor's rights and
liabilities, without the latter being exempted from his personal liabilities,
if any. The same shall apply also when the Controller is covered by
any form of immunity or any other reason impeding penal prosecution.
CHAPTER
B PROCESSING OF PERSONAL DATA
Article
4 Characteristics of personal data
1. Personal
data in order to be lawfully processed:
a) they
must be collected in a lawful and fair way for specified, clear and
lawful purposes and they must be subject to a fair and lawful processing
in light of the above mentioned purposes.
b) They
must be adequately connected, expedient and not exceeding a number which
is required from time to time in view of the purposes of processing.
c) They
must be accurate and, should the need arise, they should be updated.
d) They
must be kept in a form permitting the determination of the identity
of the persons who are their subjects only during the period required,
in the Authority's opinion, for the fulfillment of the purposes for
which they were collected and processed. After the lapse of such period,
Authority may, under a reasoned decision issued by it, permit the preservation
of personal data, for historical, scientific or statistical purposes,
provided it judges that the rights of the persons who are their subjects
or the rights of third parties are not affected in every specific case.
The compliance with the provisions of this paragraph shall burden the
Controller
2. Personal
data which have been collected or are subject to processing, in contravention
of the provisions of the preceding paragraph, will be destroyed on the
Controller's responsibility. If the Authority, either ex officio or
following the submission of a relevant complaint, ascertains a violation
of the provisions of the preceding paragraph, its shall order the interruption
of collection or processing and the destruction of the personal data
which have already been collected or processed.
Article
5 Conditions of processing
1. Processing
of personal data will be permitted only when the data subject has given
his consent.
2. Exceptionally,
such processing will be permitted even without such consent, when :
a) The
processing is necessary for the performance of a contract, in which
contracting party is the person who is the data subject or for the taking
of measures, upon such person's request, during the precontractual stage.
b) Processing
is necessary for the fulfillment of an obligation on the part of the
Controller which is required according to law.
c) Processing
is necessary for safeguarding a vital interest of the above mentioned
person, if such person is physically or legally unable to give his consent.
d) Data
processing is necessary for the execution of a project of public interest
or a project which falls within the framework of the exercise of a public
power and is performed by a public authority or it has been assigned
by it either to the Controller or to a third party to whom the data
are communicated.
e) Data
processing is absolutely necessary for the satisfaction of a legal interest
pursued by the Controller or a third party or third parties to whom
the data are communicated and on condition that such legal interest
is apparently superior to the rights and interests of the persons with
whom the data are connected and their fundamental liberties are not
affected.
3. The
Authority may issue special data processing rules for the more usual
categories of data processing and files, which do not apparently affect
the rights and liberties of the persons to whom such data refer. These
categories will be specified by regulations enacted by the Authority
and ratified by Presidential Decrees, which will be issued upon proposal
of the Justice Minister.
Article
6 Notification
1. The
Controller will be obliged to notify the authority in writing of the
establishment and operation of a file or the commencement of data processing.
2. By the
notice referred to in the preceding paragraph, the Controller will be
obliged to declare the following:
a) His
name, trade name or distinctive title as well as his address and the
full name or trade name or title and address of the persons he uses
for the execution of processing in accordance with the of Article 10.
If the Controller is not established in the Greek territory or at a
place, where the Greek law applies, then the name, trade name or distinctive
title and the address of his representative in Greece should be additionally
declared.
b) The
address at which the file or the main hardware which supports data processing
are established.
c) The
description of the purpose of the processing of personal data being
contained or to be contained in the file.
d) The
sort of personal data which are being processed or they are to be processed
or are contained or they are to be contained in the file.
e) The
time period during which he intends to carry out data processing or
preserve the file.
f) The
recipients or the categories of recipients to whom he announces or he
will probably announce personal data.
g) The
probable transfer of personal data and the purpose of transfer of personal
data to third countries.
h) The
basic characteristics of the system and the safety measures pertaining
to the file or data processing.
i) In the
event that the data processing or the file falls within one of the categories
for which the Authority has issued special data processing rules, then
the Controller will submit to the authority a statement whereby he will
confirm that data processing will be carried out or the file will be
kept according to the special rules established by the Authority, which
will prescribe in detail the form and contents of such statement.
3. The
details referred to in the preceding paragraph will be entered in the
Files and Data Processing Register kept by the Authority.
4. Any
change in the details referred to in paragraph 2 must be communicated
in writing and without any delay by the Controller to the Authority.
Article
7 Processing of sensitive data
1. The
collection and processing of sensitive data will be forbidden.
2. Exceptionally,
the collection and processing of sensitive data, as well as the establishment
and operation of the relevant file, will be permitted following permission
on the part of the Authority, when one or more of the following conditions
concur :
a) The
data subject has given his consent in writing, except if the consent
has been extracted in a way contrary to the law or bonus mores or if
the law provides that any consent given may not lift the relevant prohibition.
b) Data
processing is necessary for the purpose of safeguarding such person's
vital interests, if such person is physically or legally unable to render
his consent.
c) Processing
exclusively pertains to data belonging to the subject which he publicises
or which are necessary for him for the recognition, exercise or defence
of one of his rights before a court of law.
d) The
data processing is in connection with health matters and is performed
by a person who is involved, as an occupation, in the rendering of health
services and is subject to a secrecy duty or to similar codes of practice,
on condition that such data processing is necessary for medical prevention,
diagnoses, treatment or the management of health services.
e) Data
processing is necessary for satisfying the national security requirements,
as well as for satisfying the requirements pertaining to criminal or
correctional policy, when this is performed by a public Authority and
pertains to the detection of crimes, penal sentences and precautionary
or security measures.
f) The
data processing is effected for research or scientific, exclusively,
purposes and on condition that anonymity is observed and on condition
that all necessary measures for the protection of the rights of the
persons to whom the data are connected are taken.
g) Processing
concerns data pertaining to public figures, provided such data are in
connection with the holding of a public office or the management of
third parties' interests, and provided such processing is exclusively
carried out for journalistic purposes. The authority's permit will be
granted only if such processing is absolutely necessary to ensure the
right to information on matters of public interests as well as within
the framework of literary expression and provided the right to protection
of private and family life is not violated in any way whatsoever.
3. The
Authority shall issue a permit for the collection and processing of
sensitive data, as well as a permit for the establishment and operation
of the relevant file, following an application submitted by the Controller.
If the Authority discovers that processing of sensitive data is effected,
the notice of the existence of a file, according to Article 6 of this
law, shall stand for an application for the granting of a permit. The
Authority may impose terms and conditions for the more effective protection
of the right to private life of the data subjects or the third parties.
Before granting the permit, the Authority shall summon the Controller
or his representative and the Processor.
4. The
permit will be issued for a determinate period of time, depending on
the purpose of the data processing. It may be renewed following an application
submitted by the Controller.
5. The
permit shall, by all means, contain the following:
a) The
full name or trade name or distinctive title as well as the address
of the Controller and his representative, if any
b) The
address of the place where the file is established.
c) The
sort of personal data which are permitted to be included in the file.
d) The
time period for which the permit is granted.
e) The
terms and conditions, if any, imposed by the Authority for the establishment
and operation of the file.
f) The
obligation of announcement of the recipient or recipients immediately
they are particularized.
6. A copy
of the permit will be entered in the Permits Register kept by the Authority.
7. Any
change in the details referred to in paragraph 5 will be communicated
without undue delay to the Authority. Any change other than a change
in the address of the Controller or his representative shall entail
the issuance of a new permit, provided the lawful prerequisites concur.
Article
8 Interconnection of files
1. Interconnection
of files is permitted only subject to the conditions of this article.
2. Every
interconnection will be communicated to the Authority under a declaration
being jointly submitted by the Controllers or the Controller who interconnects
two or nor files serving different purposes.
3. If one,
at least, of the files which are about to be interconnected contains
sensitive data or if the interconnection results to the disclosure of
sensitive data or if for the implementation of the interconnection a
uniform code number is about to be used, such interconnection will be
permitted only upon the Authority's previous permission (interconnection
permit).
4. The
interconnection permit referred to in the preceding paragraph will be
granted after hearing the Controllers of the files and shall include
by all means the following:
a) The
purpose for which the interconnection is deemed necessary.
b) The
sort of personal data to which the interconnection refers.
c) The
time period for which the interconnection is permitted.
d) The
terms and conditions, if any, for the more effective protection of the
rights and liberties and, in particular, of the right to private life
of the data subjects or the third parties.
5. The
interconnection permit may be renewed upon application submitted by
the Controllers.
6. The
declarations referred to in paragraph 2 of this article as well as any
copies of the interconnection permits will be entered in the Interconnections
Register kept by the Authority.
Article
9 Cross-border flow of personal data
1. The
transmission of personal data to Countries of the European Union is
free. The transmission to a country which does not belong to the European
Union or personal data which have been undergone or they are about to
undergo a processing after their transmission will be permitted following
permission granted by the Authority. The Authority shall grant its permission
only if it judges that the above mentioned country ensures a satisfactory
protection level. For this purpose, it shall take into account especially
the nature of data, the purposes and the duration of processing, the
relevant general and special rules of law, the codes of practice, the
security measures for the protection of personal data as well as the
protection level in the countries of origin, transit and ultimate destination
of data.
2. The
transmission of personal data to a country which does not belong to
the European Union and which does not ensure a satisfactory protection
level will be exceptionally permitted upon permission granted by the
Authority as long as one or more of the following conditions concur:
a) The data subject has given his consent for such transmission, except
if the above mentioned consent has been extorted in a way which is contrary
to law or bongs mores.
b) Transmission
is necessary:
i) For
the purpose of ensuring a vital interest of the data subject, if the
latter is physically or legally unable to render his consent, or
ii) For
the purpose of entering into or performing a contract between the data
subject and the Controller or between the Controller and a third party
for the benefit of the data subject's interests, as long as the data
subject is physically or legally unable to render his consent, or
iii) For
the purpose of executing precontractual measures which have been taken
upon request of the data subject.
c) Transmission
is necessary for coping with an exceptional need and for the purpose
of safeguarding a higher public interest, especially for the purpose
of performing memoranda of understanding or cooperation agreements with
public Authorities in the other country provided the Controller grants
sufficient guarantees for the protection of private life and fundamental
liberties and the exercise of the relevant rights.
d) Transmission
is necessary for the recognition, exercise or defence of a right before
a court.
e) Transmission
is effected from a public register, which, according to law, is utilised
for rendering information to the public and is accessible to the public
or to any person who proves the existence of a legal interest, as long
as in the specific case the lawful conditions for access to the register
are fulfilled.
3. In the
cases referred to in the preceding paragraphs, the Authority shall inform
the European Commission and the respective Authorities of the other
member countries, when the Authority believes that a specific country
does not ensure the existence of a satisfactory protection level.
Article
10 Secrecy and security of data processing.
1. The
processing of personal data shall be secret. It will be solely and exclusively
affected by persons who are subject to the control of the Controller
or the Processor and only upon his instructions.
2. For
the carrying out of the data processing the Controller will be obliged
to select persons with respective professional qualifications rendering
sufficient guarantees insofar as technical knowledge and personal integrity
are concerned for keeping secrecy.
3. The
Controller will be obliged to take suitable organisational and technical
measures for the security of data and their protection against any haphazard
or unfair destruction, fortuitous loss, alteration, forbidden dissemination
or access to them and any other form of unfair processing. These measures
must ensure a safety level commensurate with the risks arising from
processing and the nature of the data which are subject to processing.
The Authority shall give from time to time instructions about the data's
degree of security as well as about the security measures which are
necessary for every category of data, also in view of high technology
evolution.
4. If the
data processing is carried out on behalf of the Controller by a person
not depending on him, the relevant assignment will be made obligatorily
in writing. Such assignment shall obligatorily provide that the Processor
will carry out such data processing only upon instructions of the Controller
and that the other obligations deriving from this article shall burden
him mutatis mutandis.
CHAPTER
C DATA SUBJECT's RIGHTS
Article
11 The right to be kept informed
1. The
Controller will be obliged, during the stage of collection of personal
data to advise in an expedient and clear way the data subject of the
following details at least:
a) his
identity particulars and the identity particulars of his representative,
if any,
b) the
purpose of data processing
c) the
recipients or the categories of recipients of data
d) the
existence of a right to access
2. If for
the collection of personal data. The Controller asks for the data subject's
assistance, he will be obliged to advise the data subject specifically
and in writing of the details referred to in paragraph 1 of this Article
as well as of the data subject's rights according to Articles 11-13
of this Law. With the opportunity of such briefing the Controller will
advise the data subject of whether the data subject is obliged or not
to render his assistance, on the basis of which provisions the data
subject is obliged to do so, as well as of any consequences deriving
from the data subject's refusal to act.
3. If the
data are announced to third parties, the data subject will be kept informed
of such announcement a priori.
4. Under
a decision of the Authority, following an application submitted by the
Controller, the obligation to render the information referred to in
paragraphs 1 and 3 of this Article may be lifted in whole or in part
as long as the collection of personal data is effected for national
security reasons or for the detection of particular serious crimes.
5. Subject
to the rights referred to in Articles 12 and 13 the obligation to render
the above mentioned information does not exist when the collection of
data is exclusively effected for journalistic purposes and refers to
public figures.
Article
12 Right to access
1. Every
one is entitled to know whether personal data pertaining to him constitute
or have constituted the object of data processing. For this purpose,
the Controller will be obliged to answer in writing.
2. The
data subject will be entitled to ask for and receive from the Controller,
without undue delay and in a way clear and comprehensible, the following
information:
a) All
the personal data pertaining to him as well as the origin thereof.
b) The
purposes of data processing, the recipient or the categories of recipients.
c) The
progress of data processing over the time period prior to the next preceding
briefing made to him.
d) The
logic of the automated data processing. The right to access may be exercised
by the data subject and with the assistance of a specialist.
3. The
right referred to in the preceding paragraph and the rights referred
to in Article 13 are exercised by submitting the relevant application
to the Controller and by the simultaneous payment of money whereof the
amount, he way of payment and any other similar matters will be regulated
under a decision taken by the Authority. This amount will be returned
to the applicant if the application for correction or deletion of data
is judged valid either by the Controller or by the Authority; in the
event that the data subject applies to it. The Controller will be obliged
in that case to give the applicant, without undue delay, gratis and
in a comprehensible language, a copy of the corrected part of the data
processing pertaining to him.
4. If the
Controller does not reply within a period of fifteen (15) days or if
his answer is not satisfactory, the data subject will be entitled to
apply to the Authority. In the event that the Controller refuses to
satisfy the request of the party concerned, he will communicate his
reply to the Authority and inform the party concerned that he may apply
to it.
5. Under
a decision issued by the Authority, following an application submitted
by the Controller, the obligation to render the information referred
to in paragraphs 1 and 2 of this Article may be lifted in whole or in
part if the processing of personal data is effected for reasons of national
security or for the detection of particularly serious crimes. In that
case the President of the Authority or his substitute will perform all
the necessary acts and shall have free access to the files.
6. Data
pertaining to health will be communicated to the data subject through
a doctor.
Article
13 Right to objection
1. The
data subject will be entitled to submit any objections to the processing
of data pertaining to him. Such objections will be addressed in writing
to the Controller and must contain a request concerning a specific act,
such as correction, provisional non-utilization, locking, non-transmission
or deletion. The Controller will be obliged to reply in writing on the
above mentioned objections within a peremptory time limit of fifteen
(15) days. In his reply he will be obliged to advise the data subject
of the acts which he performed or probably, of the reasons why he didn't
satisfy the request. The reply in the event the objections are dismissed
must also be communicated to the Authority.
2. If the
Controller does not reply in time or if his reply is not satisfactory,
the data subject will be entitled to apply to the authority and ask
for the examination of his objections. If the authority conjectures
that the objections are reasonable and that there is a risk of serious
damage which may be caused to the data subject due to the continuation
of data processing, then the authority may order the immediate suspension
of data processing until a final decision on the objections is issued.
3. Everyone
is entitled to declare to the authority that he doesn't want any data
pertaining to him to become the object of processing by any person whatsoever
for reasons the promotion of sale of goods or the rendering of services
from a remote place. The Authority shall keep records comprising the
identity particulars of the above mentioned persons. The Controllers
of the relevant files will be obliged to consult prior to any processing
the above mentioned records and delete from their files the persons
referred to in this paragraph.
Article
14 Rights to provisional judicial protection
1. Everyone
is entitled to ask the court of competent jurisdiction from time to
time to order the immediate suspension or non-application of an act
or a decision affecting him, which has been received by an administrative
authority or a public or private law legal entity or a body of persons
or a natural person exclusively through an automated data processing,
as long as such data processing aims at the evaluation of his personality
and, particularly, his productivity in work, his financial trustworthiness,
his reliability and his behaviour in general.
2. The
right referred to in this Article may be satisfied even when the other
substantive conditions of provisional judicial protection, as they are
provided for from time to time, do not concur.
CHAPTER
D PERSONAL DATA PROTECTION AUTHORITY
Article
15 Establishment - Mission - Legal Nature
1. A Personal
Data Protection Authority (the Authority) is constituted having as mission
the supervision of the implementation of this law and the other rulings
pertaining to the protection of individuals against the processing of
personal data as well as to the exercise of the powers delegated to
it from time to time.
2. The
Authority shall constitute an independent public authority, it shall
have its own budget and it will be assisted by its own secretariat.
The Authority shall not be subject to any administrative control. Upon
the exercise of their duties the members of the Authority shall enjoy
a personal and functional independence. The Authority will be subject
to the minister of Justice and will be seated in Athens.
3. The
Authority's budget will be proposed by the Justice Minister following
a proposal submitted by the authority. A percentage of the State's revenues
of any nature deriving from the implementation of this law, including
the fees and penalties imposed by the Authority, will be disposed of
for the Authority's needs. This percentage will be determined from time
to time under a joint decision issued by the Minister of Finance and
the Minister of Justice.
Article
16 Composition of the Authority
1. The
Authority will be composed of one judicial functionary with the rank
of State Councillor or a rank corresponding to him, as Chairman, and
six members as follows
a) A full
professor or an associate professor from an institution of higher education
specialized in law.
b) A full
or associate professor from an institution of higher education in informatics.
c) A professor
or an associate professor of an Institution of Higher Education.
d), e),
f) Three persons of high standing and experience in the field of protection
of personal data. The judicial functionary - Chairman and the professors
- members may be on active service or not.
2. The
Chairman of the Authority will be employed on a full time and exclusive
basis and he will be appointed by a Presidential Decree being issued
upon proposal of the Cabinet following a motion submitted by the Minister
of Justice. If for the position of the Chairman a judicial functionary
on active service is selected, then a decision of the pertinent supreme
judicial council will be required The substitute for the Chairman will
be selected and appointed on the basis of the same procedure.
3. The
members of the Authority will be appointed under the following procedure:
the minister of Justice submits to the Parliament Speaker a proposal
for the appointment of the six ordinary members of the Authority and
an equal number of substitutes. The proposal shall include a double
number of candidates. The Parliament Speaker forwards the proposal to
the Transparency and Institutions Committee which will deliver its opinion.
The Authority's ordinary members and their respective substitutes will
be selected by the Chairmen's Conference. The selected persons will
be appointed under a presidential decree being issued upon proposal
of the Minister of Justice and published in the Official Gazette.
4. The
Authority's Chairman and members will be appointed for a specific term
of office. Their term of office will be four years and may be renewed
only once. None may serve over a total period exceeding eight (8) years.
Half of the composition of the Authority's six members will be renewed
every two years. After the first formation of the authority, a draw
by lots will be effected among the six ordinary members thereof, so
that three of them shall have a four year term of office and the other
three of them shall have a two year term of office.
5. The
Chairman and the members of the Authority will be appointed along with
an equal number of substitutes who must have the same status and qualifications.
The substitutes for the Chairman and the members will participate in
the meetings of the Authority only in the event of a provisional absence
or inability of participation on the part of a relevant ordinary member.
Under its decision the Chairman of the Authority will delegate special
duties to the substitutes. The term of office of each substitute will
equal the term of office of the relevant ordinary member.
Article
17 Impediments-Incompatibilities of the Authority's members
1. No one
may be appointed as a member of the Authority :
a) If he
is a minister, undersecretary, a secretary general to a ministry or
to an independent secretariat general or a member of Parliament.
b) I f
he is a governor, manager administrator, member of the Board of Directors
or a person performing managerial duties, in general, in an undertaking
which produces, manufactures, sells or trades in materials being used
in informatics or telecommunications or renders services in connection
with informatics, telecommunications or personal data processing, as
well as those persons being connected under a contract for work with
such an undertaking.
2. Anyone
who after his appointment does the following shall automatically forfeit
its status as a member of the Authority
a) He acquires
one of the forms of statue constituting an impediment with regard to
his appointment, according to the provisions of the preceding paragraph.
b) He performs
acts or undertakes any business or work/project or he acquires any other
status which, in the Authority's opinion is not compatible with his
duties as a member of the Authority.
3. The
Authority shall proceed to the ascertainment of the incompatibilities
referred to in the preceding paragraph without participation of its
member, to whose person the above mentioned incompatibility probably
concurs. The Authority shall decide after hearing the above mentioned
member. The procedure will be moved either by the Chairman of the Authority
or by the Minister of Justice.
4. The
loss of status on the basis of which a member of the authority was appointed
according to paragraph 1 of Article 16 of this law, shall entail his
automatic forfeiture of his right, if such loss of status is due to
on irrevocable disciplinary or penal conviction.
Article
18 Obligations and rights of the Authority's members
1. Upon
the exercise of their duties the Authority's members shall obey to their
conscience and the law. They will be subject to the duty of secrecy.
As witnesses or experts they may submit details exclusively and solely
pertaining to the observance of the provisions of this law by Controllers.
The duty of secrecy continues to exist even after the withdrawal of
the Authority's members in any way whatsoever.
2. Under
a decision issued by the Minister of Finance and the Minister of Justice
the monthly wages of the Chairman and the Authority's members as well
as their remuneration for each session will be fixed by derogation from
any other provision. To the substitutes 1/3 of the monthly wages of
the Authority's members as well as a remuneration for each session in
which they participate will be paid. The provisions pertaining to the
transport expenses of the persons travelling upon the State's instructions
for the performance of duties prevailing from time to time shall also
apply to the travelling activities of the Authority's members and the
Authority's Secretariat employees. The Authority's Chairman shall issue
the relevant travelling instructions.
3. For
every infringement of their obligations deriving from this law, the
Authority's member will be disciplinarily liable. The disciplinary procedure
will be instituted before the disciplinary council by the Minister of
Justice with regard to the Chairman and the Authority's members and
the Authority's Chairman with respect to the Authority's members. The
Disciplinary Council will consist of one VicePresident of the Council
of State, as Chairman, one Supreme Court Judge, one Councillor of the
Court of Auditors and two professors from institutions of higher education
specialized in law. An employee of the authority shall perform the duties
of the Council's Secretary. The Chairman, the members and the Secretary
of the Council will be appointed along with an equal number of substitutes.
For the Council's members who are judicial functionaries a decision
by the pertinent Supreme Judicial Council will be required. The Council
will be formed under a decision of the Minister of Justice with a three-year
term of office. The Council will hold its session in the presence of
four members at least, among whom the Chairman or his substitute will
always be included, and the Council shall pass its solutions by an absolute
majority vote of the persons in attendance. In case of equality of votes
the Chairman's vote shall prevail. If there are more than two opinions,
those who have followed the weaker opinion will be obliged to accede
to one of the more prevalent of them. The disciplinary council will
decide at a first and last instance level on the discharge or the firing
of the defendant. The fees of the Council's Chairman, members and Secretary
will be determined under a joint decision issued by the Minister of
Finance and the Minister of Justice by derogation from any other provision.
4. A member
of the Authority who, in contravention of this law, disseminates in
any way whatsoever personal data which are accessible to him due to
his service or if he lets another person to take notice of them, will
be punished by imprisonment for not less than two (2) years and a pecuniary
punishment ranging from two million Drachmas (GRD 2,000,000) to ten
million Drachmas (GRD 10,000,000). If, however, he has committed the
act with the purpose of gaining unlawful benefits for himself or for
another person or for the purpose of causing damage to another person,
then he will be punished by confinement in a penitentiary. If the act
referred to in the first section of this paragraph has been committed
negligently, then the perpetrator will be punished by imprisonment for
not less than three (3) months and a pecuniary penalty.
Article
19 Powers, operation and decisions of the Authority
1. The
Authority shall mainly have the following powers:
a) It shall
issue instructions for the purpose of a uniform application of the rulings
pertaining to the protection of individuals against the processing of
personal data.
b) It shall
call on and assist trade unions and other bodies of persons or legal
entity associations keeping data files of a personal nature in the preparation
of codes of practices for the more effective protection of private life
and the rights, in general, and the fundamental liberties of the natural
persons in the sector of their activities.
c) It shall
address recommendations/admonitions and instructions to Controllers
or to their representatives, if any, and shall publish them, at its
discretion.
d) It shall
grant the permits provided for in the provisions of this law and it
shall fix the amount of the relevant fees.
e) It shall
denounce the infringements of the provisions of this law to the competent
administrative and judicial authorities.
f) It shall
impose the administrative sanctions provided for in Article 21 of this
Law.
g) It shall
assign to one or more of its members the carrying out of Administrative
Examination.
h) It shall
proceed ex officio or following the submission of a relevant complaint
to administrative controls with regard to any files. It shall have,
to that effect, a right of access to personal data and a right to collect
any kind of information for the purposes of the control without the
interference of any kind of secrecy. Exceptionally, the authority shall
not have access to identity data pertaining to associates being contained
in files kept for reasons of national security or for the detection
of particularly serious crimes The control will be carried out by one
or more members of the authority or an employee of the secretariat especially
authorized to that effect by the Chairman of the Authority. During the
control of files kept for reasons of national security the Authority's
Chairman will be present in person.
i) It shall
deliver an opinion with respect to any ruling pertaining to the processing
and protection of personal data.
j) It shall
issue regulations pertaining to the arrangement of special, technical
and detailed matters to which the present law refers.
k) It shall
announce to Parliament violations of the rulings pertaining to the protection
of individuals against the processing of personal data.
l) It shall
prepare every year a report concerning the fulfilment of its mission
over the previous calendar year. In the report shall also be emphasized
the necessary legislative changes, if any, in the sector of the protection
of individuals against the processing of personal data. The report will
be submitted by the Authority's Chairman to the Parliament Speaker and
to the Prime Minister and it will be published in the Official Gazette
on the authority's responsibility. The authority will also be entitled
to give even another kind of publicity to the report.
m) It shall
examine complaints relating to the implementation of the law and the
protection of the applicants' rights when such rights are affected by
the processing of data pertaining to them and its shall also examine
applications whereby the control and detection is requested of the legality
of such data processings and it shall advise the applicants of its relevant
action.
n) It shall
cooperate with the respective authorities of other member countries
of the European Union and the Council of Europe on matters in connection
with the exercise of its powers.
2. The
Authority shall hold its sessions ordinarily upon invitation sent by
its Chairman. It shall hold extraordinary sessions following an invitation
by the Chairman or the application by at least two of its members. The
decisions of the authority will be taken by a majority vote of at least
four of its members. In case of equality of votes, the Chairman's vote
or the vote of his substitute shall prevail.
3. The
authority shall prepare its rules of procedure whereby the allocation
of powers among its members, the previous hearing of the parties concerned,
matters pertaining to the disciplinary procedure as well as the way
of carrying out the controls referred to in paragraph 1 (h) of this
Article shall especially be regulated.
4. The
authority will keep the following registers:
a) The
Files and Processings Register, in which the files and the processings
communicated to the authority will be included.
b) The
permits register, in which the permits issued by the Authority for the
establishment and operation of files containing sensitive data will
be included.
c) Interconnections
register, in which the declarations and permits issued by the authority
for the interconnection of data will be included.
d) Register
of persons who do not want to be included in files, whereof the purpose
is the promotion of the supply of goods or the rendering of services
from remote places.
e) Transmission
permits register, in which the transmission permits for personal data
will be entered.
f) Secret
files register, in which files kept by the Ministry of National Defence,
the Ministry of Public Order and the National Intelligence Service for
National Security reasons or for the detection of particularly serious
crimes will be entered under a decision of the authority and following
an application submitted by the competent, from time to time, Controller.
In the secret files register shall also be entered the interconnections
with one at least file pertaining to that case.
5. None
will have access to the registers under a), b), c), d) and e) of the
previous paragraph. Following an application by the party concerned
and a decision of the Authority the access also to the secret files
register may be permitted in whole or in part. Upon request of the Controller
or his representative and under a decision of the authority the access
to the transmission permits register may be prohibited in whole or in
part as long as risk may arise therefore with regard to the private
life of a third party, the national security, the detection of particularly
serious crimes and the fulfilment of the country's obligations stemming
from international contracts.
6. The
Chairman will represent the Authority before any other authorities as
well as before committees and groups, in sessions and conferences of
institutions of the European Union as well as in any other international
organizations and institutions provided for by International Conventions
or in which representatives of similar authorities of other countries
participate. The Chairman may assign the Authority's representation
to one of its members, a substitute or even an employee of the controllers
branch of the Secretariat.
7. To the
Authority's Chairman applies the liability of the Authority's operation
as well as the operation of the secretariat. The Chairman may authorize
a member of the Authority or the Secretariat's Head or the Head of the
Secretariat's service to sign "by the order of the President"
documents, payment warrants or other acts. The Chairman will be the
Administrative Head of the Secretariat's Personnel. He will exercise
disciplinary power on them and he will be entitled to impose a disciplinary
punishment whereof the maximum limit will be a fine equal to half the
defendant's monthly wages.
8. The
Authority's regulations will be published in the Official Gazette. The
other decisions of the authority shall come into force as of the date
of their issuance or as of the date on which they were served upon.
9. Remedies
versus the Authority's decisions may also be instituted by the State.
The remedy will be instituted by the competent Minister according to
each specific case.
10. Every
public authority shall render its assistance to the Authority.
Article
20 The Authority's Secretariat
1. The
Authority will be helped out by a Secretariat Section. The Secretariat
shall operate at a management level. The official status of its employees
will be governed by the provisions prevailing from time to time for
the Administrative Civil Servants. The organization of the Secretariat,
its division into departments and offices and the individual powers
thereof, the number of the personnel's positions by branches and specialties
as well as any other necessary details will be determined by a Presidential
Decree being issued upon proposal of the Minister of the Interior, the
Minister of Public Administration and Decentralisation, the Minister
of Finance and the Minister of Justice following a motion submitted
by the Authority which will be delivered within two months following
its formation. Under the same decree the formation, as an official secretariat's
unit, of a controllers department will be provided for. The engagement
and the official status of the employees of the above mentioned Department
will be governed by derogation from the provisions from time to time
in force. The Head of the Secretariat will obligatorily come from the
controllers' branch. The number of positions of any kind of the Secretariat's
personnel may not exceed the number of thirty (30) persons.
3. Vacancies
in the Secretariat Section will be filled according to the provisions
from time to time in force pertaining to the engagement of civil servants.
Especially for the employees of the Secretariat's controllers' branch,
their engagement will be made by the Authority upon selection or an
examination procedure following a relevant announcement.
4. The
subjects pertaining to the Secretariat personnel's official status will
be resolved by an official council being formed under a decision of
the Authority's Chairman. Such council Authority's members, one (1)
employee being appointed by it and two (2) elected representatives of
the employees. Save as aforesaid the prevailing from time to time provision
for the official council of the public services' personnel and the personnel
of the public law legal entities shall apply.
5. The
ordinary employees of the Authority's Secretariat will be subject, as
to their secondary social security, to the Ministry of Justice Agencies
Personnel's Assistance Fund. Those who come from other agencies may
continue to belong to the social security funds of their previous agency.
The Secretariat's employees shall be obligatorily insured by the Lawyers'
Pension Fund under the same conditions as its other salaried insured
persons have been insured by it. The provisions of this paragraph shall
also apply to the employees who are transferred to the Authority's Secretariat
from Private Law Legal Entities.
6. Upon
the first implementation hereof, the filling of vacancies for the Heads
of the Secretariat's Official Departments, except for the Controllers'
Department, will be effected following an announcement by the Authority
or through a transfer of employees of grade A or equivalent of the State
or of Public Law Legal Entities or through an appointment. The appointment
shall take place only for the vacancies which will not be filled through
transfer. The selection of the persons being transferred or appointed
will be effected by the Authority. The appointment of the selected persons
by the Authority will be effected under a decision issued by the Minister
of Justice and the transfer will be effected under a decision issued
by the Minister of Justice and the relevant other Minister. For the
transfer no opinion shall be required to be delivered by the pertinent
Official Council of the agency from which the employee is transferred.
The Head of the Secretariat will be selected by the Authority from among
the employees of the controllers department by derogation from any other
provision.
7.Upon
the first implementation hereof the other vacancies in the Secretariat
Section will be filled under the prerequisites and the procedure referred
to in the preceding paragraph. Those candidates who have a proven experience
on topics of informatics will be preferred. For the employees of the
controllers department shall apply the provisions of paragraph 3 of
this Article.
8. The
period of the previous service of the persons being transferred from
public law legal entities or from private law legal entities will be
regarded as time of actual public (civil service) with regard to any
consequence.
9. The
provisions of paragraph 4 of Article 18 shall also apply to the Secretariat's
employees.
CHAPTER
E SANCTIONS
Article
21 Administrative Sanctions
1. The
Authority shall impose on the Controllers or on their representatives,
if any, the following administrative sanctions due to violation of their
obligations deriving from this law and from any other ruling pertaining
to the protection of individuals against the processing of personal
data : ,
a) warning,
under a peremptory time limit for the lifting of the violation. .
b) Penalty
for an amount ranging from three hundred thousand Drachmas (GRD 300,000)
to fifty million Drachmas (50,000,000)
c) provisional
revocation of the permit
d) definitive
revocation of the permit
e) discarding
a file or interruption of processing and discarding the relevant data.
2. The
Administrative sanctions under b, c, d and e referred to in the preceding
paragraph shall be imposed always after hearing the Controller or his
representative. Such sanctions will be commensurate with the gravity
of the violation imputed on. The Administrative sanctions under c, d,
and e will be imposed in case of a particular grievous or repetitive
violation. A fine may be imposed cumulatively also with the sanctions
referred to in subparagraphs c, d and e. If the sanction of discarding
the file is imposed, the Controller will be responsible for such discarding,
to whom a fine may be imposed due to non-compliance. The amounts of
fine referred to in paragraph 1 may be readjusted under a decision issued
by the Minister of Justice, following a proposal on the part of the
authority. The acts of the authority whereby fines are imposed shall
constitute an enforceable instrument and will be served to the Controller
or his representative, if any. The collection of fines will be effected
according to the provisions of Public Revenues Collection Code (K.E.D.E,.).
Article
22 Penal Sanctions
1. Anyone
who fails to advise the Authority, according to the provisions of Article
6 of this law, of the establishment or the operation of a file or any
change in the terms and conditions regarding the granting of the permit
provided for by paragraph 3 of Article 7 of this law, will be punished
by imprisonment for not more that three (3) years and a pecuniary penalty
for an amount ranging from one million Drachmas: (GRD 1,000,000) to
five million Drachmas (GRD 5,000,000).
2. Anyone
who, in contravention of Article 7 of this law keeps a file without
permit or by infringement of the terms and conditions referred to in
the Authority's permit, will be punished by imprisonment for not less
than one (1) year and a pecuniary penalty for an amount ranging from
one million Drachmas (GRD 1,000,000) to five million Drachmas (GRD 5,000,000).
3. Anyone
who in contravention of Article 8 of this law proceeds to the interconnection
of files without advising the authority of that, will be punished by
imprisonment for not more than three (3) years and a pecuniary penalty
for an amount ranging from one million Drachmas (GRD 1,000,000) to five
million Drachmas (GRD 5,000,000). Anyone who proceeds to the interconnection
of files without the Authority's permit, wherever such permit is required,
or in contravention of the terms of the permit granted to him, will
be punished by imprisonment for not less than one (1) year and a pecuniary
penalty for an amount ranging from one million Drachmas (GRD 1,000,000)
to five million Drachmas (GRD 5,000,000).
4. Anyone
who, without having such a right, interferes in any way whatsoever,
within a data file of personal nature or anyone who takes notice of
such data or removes them, alters them, harms them, destroys them, processes
them, transmits them, announces them, make them accessible to unauthorized
persons or permit such persons to take notice of such data or any one
who exploits such data in any way whatsoever, will be punished by imprisonment
and a pecuniary penalty and if it has to do with sensitive data by imprisonment
for not less than one (1) year and a pecuniary penalty for an amount
ranging from one million Drachmas (GRD 1,000,000) to ten million Drachmas
(GRD 10,000,000), if the act is not punished by heavier punishment by
other provisions.
5. The
Controller who does not comply with the Authority's decisions being
issued for the satisfaction of the right to access according to paragraph
4 of Article 12, for the satisfaction of the right to objection according
to paragraph 2 of Article 13, as well as with acts for imposition of
the administrative sanctions referred to in subparagraphs c, d and e,
of paragraph 1 of Article 21 will be punished by imprisonment for not
less than two (2) years and a pecuniary penalty for an amount ranging
from one million Drachmas (GRD 1,000,000) to five million Drachmas (GRD
5,000,000). By the punishments referred to in the preceding section
will be punished the Controller who transmits personal data in contravention
of Article 9 as well as the person who does not comply with the Court
Decision referred to in Article 14 of this Law.
6. If the
perpetrator of the acts referred to in paragraphs 1-5 of this Article
purported to gain in his favour or in the of another person unlawful
property benefit or to harm a third party, then he will be punished
by confinement in a penitentiary for not more than ten (10) years and
a pecuniary penalty for an amount ranging from two million Drachmas
(GRD 2,000,000) to ten million Drachmas (GRD 10,000,000).
7. If from
the acts referred to in paragraphs 15 of this Article danger was
caused to the free function of Democratic Government or to national
security, then confinement in a penitentiary will be imposed and a pecuniary
penalty for an amount ranging from five million Drachmas (GRD 5,000,000)
to ten million Drachmas (GRD 1,000, 000) .
8. If the
acts referred to in paragraphs 15 of this Article were committed
negligently, imprisonment will be imposed for not more than three (3)
years and a pecuniary penalty.
9. With
regard to the application of the provisions of this Article, if the
Controller is not a natural person, then the representative of the legal
entity or the head of the public authority or agency or organization
- if he exercises also substantively the administration and management
thereof - will be liable.
10. With
regard to the offences referred to in this Article, the Chairman and
the members of the Authority, as well as the employees of the Secretariat's
Controllers Department who are especially authorized to that effect
will be special investigating officers and will have all the rights
provided for to that effect by the Code of Penal Procedure. They will
be entitled to proceed to a preliminary investigation even without a
public prosecutor's order, if the perpetrator was caught in the very
act of committing a felony or a misdemeanour or if there is danger caused
due to the postponement.
11. For
the offences referred to in paragraph 5 of this Article as well as in
any other case in which there was a previous administrative control
by the authority, its chairman will announce in writing to the competent
Public Prosecutor anything which constituted the object of an investigation
by the authority and shall forward to him all the relevant records and
evidence.
12. The
preliminary investigation for the offences referred to in this Article
will be completed within two (2) months maximum following the bringing
of the penal prosecution and as long as there are sufficient indications
for the defendant's remanding to trial, the date of hearing will be
fixed for a date not longer than three (3) months from the completion
of the preliminary investigation or, if such remanding was effected
by a judicial council's order, not longer than two (2) months following
the date on which, such order became irrevocable. In the event that
the case is introduced to the courtroom by a direct summoning of the
defendant, no application will be permitted against the writ of summons.
13. No
postponement of the trial will be permitted with regard to the offences
referred to in this Article, except where this is done once and for
an exceptionally important reason. In that case, a date of hearing will
be expressly fixed which will not be more than two (2) months afterwards
and the case will be litigated, exceptionally, first.
14. The
felonies, provided for in this law, will be subject to the jurisdiction
of the court of appeal. Article 23 Civil Liability (Third party liability)
1. Any
natural person or a private law legal entity, who in contravention of
this law, causes a property damage will be liable to damages. If he/it
has caused a nonpecuniary damage he/it will be liable to pecuniary
indemnification. There will also be such liability if the person liable
was obliged to know the possibility that such damage could be caused
to another.
2. The
pecuniary indemnification provided for by Article 932 of the Civil Code,
due to nonpecuniary damage caused in contravention of this law,
will be fixed at the amount of two million Drachmas (GRD 2,000,000)
minimum, except if a lesser amount was asked for by the plaintiff or
if the infringement of law is due to negligence. Such pecuniary indemnification
will be awarded regardless of the compensation asked for with respect
to the property damage caused.
3. The
claims referred to in the present Article will be litigated according
to Article 664 - 676 of the Code of Civil procedure, notwithstanding
the issuance or not of the Authority's decision, in any, or the bringing,
if any, of penal prosecution, as well as notwithstanding the suspension
or the postponement thereof due to any reason whatsoever. The Court
decision will be issued within a period of two (2) months following
the first hearing in the courtroom.
CHAPTER
F FINAL - TRANSITORY PROVISIONS
Article
24 Controller's liabilities
1. The
processing supervisors of files which have been operating as of the
entry into force of this law will be obliged to submit the announcement
of operation referred to in Article 6 to the Authority within a period
of six months following the commencement of the Authority's operation.
2. To the
same obligation will be also subject the processing supervisors of sensitive
data files which have been operating as of the effective date of this
law, in order that the permit referred to in paragraph 3 of Article
7 may be issued.
3. For
files operating and for cases of processing being performed upon the
effective date of this law, the processing supervisors will be obliged
to proceed according to paragraph 1 of Article 11 to the briefing of
the subjects within a period of six 6 months following the date of commencement
of operation of the Authority. If such briefing pertains to a large
number of data subjects, it will be possible for it to be done through
the Press. In that case the relevant details will be determined by the
Authority. The provisions of paragraph 4 of Article 11 shall also apply
in this instance.
4. With
regard to files entirely notautomated the time limits referred
to in the preceding paragraphs will be one (1) year.
5. The
provisions of Articles 11, 12, 13 and 19 para. 1 of this law shall not
apply to the penal records and the official records kept by the competent
judicial authorities for the purpose of meeting the operation requirements
of penal justice and within the framework of the operation thereof.
Article
25 Commencement of the Authority's operation
1. Within
a period of sixty (60) following the effective date of this law, the
Authority's Chairman and his substitute will be appointed. Within the
same time limit the Minister of Justice will subject to the Parliament
Speaker a proposal for the appointment of four ordinary members of the
Authority and an equal number of substitutes.
2. The
time of commencement of the Authority's operation will be determined
under a decision of the Minister of Justice which will be issued not
later than four (4) months following the formation of the Authority.
From the date of the appointment of the Authority's members through
the date, according to the provisions of paragraphs 6 and 7 of article
20 of this law, of filling the Secretariats vacancies, the Authority
will be staffed by personnel who will be provisionally transferred to
it under a decision issued by it, by derogation from any other provision.
3. Until
the Authority comes to a point to operate according to the preceding
paragraph, the liquidation of its expenses will be effected by the financial
department of the central agency of the Ministry of Justice at the expense
of the Budget of the Ministry of Justice.
4. The
decision of the Minister of Justice according to paragraph 2 of this
Article with regard to the date of commencement of the Authority's operation
will be published in the Official Gazette and in four (4) at least daily
political newspapers with a broad circulation in Athens and Thessaloniki
and in two (2) at least daily financial newspaper .
Article
26 Effective date
1. The
provisions of Articles 15, 16, 17, 18 and 20 of this law shall come
into effect as of the publication of this law in the Official Gazette.
2. The
other provisions shall come into effect as of the date of commencement
of the Authority's operation according to the preceding Article.
Athens,
1997
THE MINISTER
OF THE INTERIOR, PUBLIC ADMINISTRATION AND DECENTRALISATION
THE MINISTER
OF NATIONAL ECONOMY AND FINANCE
THE MINISTER
OF JUSTICE
THE MINISTER
OF PUBLIC ORDER
THE MINISTER
OF THE PRESS AND MASS MEDIA
True translation
from Greek of the attached document.
Athens
30-4-1997
G. D. Goulandris,
Translator
Hellenic
Republic, Ministry of Foreign Affairs, Translations Office, Athens.
Document
loaded May 28, 1998