GREECE

LAW no. 2472

On the Protection of Individuals with regard to the Processing of Personal Data

CHAPTER A GENERAL PROVISIONS

Article 1 Scope

The scope of this law is to establish the conditions regarding the processing of personal data and protect human rights, fundamental liberties and private life, in particular.

Article 2 Definitions

For the purposes of this law the following words or expressions shall have the following meanings:

a) "personal data" shall mean any information pertaining to the person who is the data subject. As personal data may not be regarded the consolidated data of a statistical nature, from which one may no longer identify the persons who are the data subjects.

b) "Sensitive data", shall mean the data being in connection with the racial or ethnic origin, with political beliefs, religious or philosophical convictions, with the participation in a society, association or trade union, with health, social welfare and sexual life as well as with everything being in connection with penal prosecutions or sentences imposed by a court.

c) "Data Subject" shall mean the natural person or private individual to whom these data refer and whose Identity is known or may be found, that is to say, his identity may be determined directly or indirectly, especially on the basis of an identity card number or on the basis of one or more specific details designating his existence from a physical, biological, psychological, financial, cultural, political or social viewpoint.

d) "Processing of personal data" ("processing"), shall mean any individual act or a series of acts of processing performed by the State or by a public law or private law legal entity or a body of persons or a natural person with or without the assistance of automated method and applying to personal data, such as the collection, recording, organization, preservation or storage or amendment to, extraction, use or transmission or the dissemination or any other form of disposal or comparison or co-relation or interconnection or blocking, or erasure or destruction thereof.

e) "Personal Data Filing System" ("Filing System") shall mean a group of data of a personal nature which constitute or may constitute the subject matter of processing and which are kept either by the State or by a public law or private law legal entity or by a body of person. or by a natural person.

f) "Interconnection", means a form of processing consisting in the possibility of corelating the data of a file to the data of a file or files kept by another person or persons who are in charge of processing or with data of a file or files kept by the same person who is in charge of processing for another purpose.

g)"Controller", shall mean any person who specifies the scope and the way of processing of personal data and who may be a natural person or a legal entity, a public authority or department or any other organization. When the scope and the way of processing are prescribed by law provisions or regulations of domestic or E.C. law, then the Controller or the special criteria on the basis of which its selection is made shall be specified respectively by domestic or E.C. law.

h) "Processor", shall mean anyone who processes personal data on behalf of the Controller, such as a natural person or a legal entity, a public authority or department or any other organization whatsoever.

i) "Third party" shall mean any natural personal or legal entity, a public authority or department or an organization whatsoever other than the person who is the data subject, the Controller and the persons who are authorized to process the personal data, provided they act under the direct supervision or on behalf of the Controller.

j) "Recipient", means the natural person or the legal entity, the public authority or department or any other organization whatsoever, to whom or to which the data are transmitted, no matter whether it has to do with a third party or not.

k) "The Data Subject's Consent" shall mean any freely, given, specific and informed indication of his wishes by which the data subject, after being previously informed, signifies his agreement to personal data relating to him being processed. The rendering of such information shall include information which at least pertains to the purpose of processing, the data or the categories of data to which the processing relates, the recipients or the categories of recipients of personal data, as well as the name, trade name and the address of the Controller and his/its representative, if any. Such consent may be revoked at any time without a retroactive effect.

l) "Authority" shall means the Protection of Personal Data Authority which is established in Chapter D' of this law.

Article 3 Scope

1. The provisions of this law shall apply to the automated processing in whole or in part as well as to the nonautomated processing of personal data which are included or are to be included in a file.

2. The provisions of this law shall not apply to the processing of personal data which is implemented by a natural person for the purpose of proceeding to activities of an exclusively personal or household nature.

3. The present law shall apply to any processing of personal data, provided such processing is realized:

a) By a Controller or a Processor established in the Greek Territory or at a place, where on the basis of public international law, Greek law applies.

b) By a Controller who is not established in the Greek Territory or at a place, where Greek law applies, when such data processing pertains to persons established in the Greek Territory. In that case, the Controller will be obliged to indicate by his statement in writing addressed to the competent authority a representative domiciled or established in the Greek territory, who will be subrogated to the supervisor's rights and liabilities, without the latter being exempted from his personal liabilities, if any. The same shall apply also when the Controller is covered by any form of immunity or any other reason impeding penal prosecution.

CHAPTER B PROCESSING OF PERSONAL DATA

Article 4 Characteristics of personal data

1. Personal data in order to be lawfully processed:

a) they must be collected in a lawful and fair way for specified, clear and lawful purposes and they must be subject to a fair and lawful processing in light of the above mentioned purposes.

b) They must be adequately connected, expedient and not exceeding a number which is required from time to time in view of the purposes of processing.

c) They must be accurate and, should the need arise, they should be updated.

d) They must be kept in a form permitting the determination of the identity of the persons who are their subjects only during the period required, in the Authority's opinion, for the fulfillment of the purposes for which they were collected and processed. After the lapse of such period, Authority may, under a reasoned decision issued by it, permit the preservation of personal data, for historical, scientific or statistical purposes, provided it judges that the rights of the persons who are their subjects or the rights of third parties are not affected in every specific case. The compliance with the provisions of this paragraph shall burden the Controller

2. Personal data which have been collected or are subject to processing, in contravention of the provisions of the preceding paragraph, will be destroyed on the Controller's responsibility. If the Authority, either ex officio or following the submission of a relevant complaint, ascertains a violation of the provisions of the preceding paragraph, its shall order the interruption of collection or processing and the destruction of the personal data which have already been collected or processed.

Article 5 Conditions of processing

1. Processing of personal data will be permitted only when the data subject has given his consent.

2. Exceptionally, such processing will be permitted even without such consent, when :

a) The processing is necessary for the performance of a contract, in which contracting party is the person who is the data subject or for the taking of measures, upon such person's request, during the precontractual stage.

b) Processing is necessary for the fulfillment of an obligation on the part of the Controller which is required according to law.

c) Processing is necessary for safeguarding a vital interest of the above mentioned person, if such person is physically or legally unable to give his consent.

d) Data processing is necessary for the execution of a project of public interest or a project which falls within the framework of the exercise of a public power and is performed by a public authority or it has been assigned by it either to the Controller or to a third party to whom the data are communicated.

e) Data processing is absolutely necessary for the satisfaction of a legal interest pursued by the Controller or a third party or third parties to whom the data are communicated and on condition that such legal interest is apparently superior to the rights and interests of the persons with whom the data are connected and their fundamental liberties are not affected.

3. The Authority may issue special data processing rules for the more usual categories of data processing and files, which do not apparently affect the rights and liberties of the persons to whom such data refer. These categories will be specified by regulations enacted by the Authority and ratified by Presidential Decrees, which will be issued upon proposal of the Justice Minister.

Article 6 Notification

1. The Controller will be obliged to notify the authority in writing of the establishment and operation of a file or the commencement of data processing.

2. By the notice referred to in the preceding paragraph, the Controller will be obliged to declare the following:

a) His name, trade name or distinctive title as well as his address and the full name or trade name or title and address of the persons he uses for the execution of processing in accordance with the of Article 10. If the Controller is not established in the Greek territory or at a place, where the Greek law applies, then the name, trade name or distinctive title and the address of his representative in Greece should be additionally declared.

b) The address at which the file or the main hardware which supports data processing are established.

c) The description of the purpose of the processing of personal data being contained or to be contained in the file.

d) The sort of personal data which are being processed or they are to be processed or are contained or they are to be contained in the file.

e) The time period during which he intends to carry out data processing or preserve the file.

f) The recipients or the categories of recipients to whom he announces or he will probably announce personal data.

g) The probable transfer of personal data and the purpose of transfer of personal data to third countries.

h) The basic characteristics of the system and the safety measures pertaining to the file or data processing.

i) In the event that the data processing or the file falls within one of the categories for which the Authority has issued special data processing rules, then the Controller will submit to the authority a statement whereby he will confirm that data processing will be carried out or the file will be kept according to the special rules established by the Authority, which will prescribe in detail the form and contents of such statement.

3. The details referred to in the preceding paragraph will be entered in the Files and Data Processing Register kept by the Authority.

4. Any change in the details referred to in paragraph 2 must be communicated in writing and without any delay by the Controller to the Authority.

Article 7 Processing of sensitive data

1. The collection and processing of sensitive data will be forbidden.

2. Exceptionally, the collection and processing of sensitive data, as well as the establishment and operation of the relevant file, will be permitted following permission on the part of the Authority, when one or more of the following conditions concur :

a) The data subject has given his consent in writing, except if the consent has been extracted in a way contrary to the law or bonus mores or if the law provides that any consent given may not lift the relevant prohibition.

b) Data processing is necessary for the purpose of safeguarding such person's vital interests, if such person is physically or legally unable to render his consent.

c) Processing exclusively pertains to data belonging to the subject which he publicises or which are necessary for him for the recognition, exercise or defence of one of his rights before a court of law.

d) The data processing is in connection with health matters and is performed by a person who is involved, as an occupation, in the rendering of health services and is subject to a secrecy duty or to similar codes of practice, on condition that such data processing is necessary for medical prevention, diagnoses, treatment or the management of health services.

e) Data processing is necessary for satisfying the national security requirements, as well as for satisfying the requirements pertaining to criminal or correctional policy, when this is performed by a public Authority and pertains to the detection of crimes, penal sentences and precautionary or security measures.

f) The data processing is effected for research or scientific, exclusively, purposes and on condition that anonymity is observed and on condition that all necessary measures for the protection of the rights of the persons to whom the data are connected are taken.

g) Processing concerns data pertaining to public figures, provided such data are in connection with the holding of a public office or the management of third parties' interests, and provided such processing is exclusively carried out for journalistic purposes. The authority's permit will be granted only if such processing is absolutely necessary to ensure the right to information on matters of public interests as well as within the framework of literary expression and provided the right to protection of private and family life is not violated in any way whatsoever.

3. The Authority shall issue a permit for the collection and processing of sensitive data, as well as a permit for the establishment and operation of the relevant file, following an application submitted by the Controller. If the Authority discovers that processing of sensitive data is effected, the notice of the existence of a file, according to Article 6 of this law, shall stand for an application for the granting of a permit. The Authority may impose terms and conditions for the more effective protection of the right to private life of the data subjects or the third parties. Before granting the permit, the Authority shall summon the Controller or his representative and the Processor.

4. The permit will be issued for a determinate period of time, depending on the purpose of the data processing. It may be renewed following an application submitted by the Controller.

5. The permit shall, by all means, contain the following:

a) The full name or trade name or distinctive title as well as the address of the Controller and his representative, if any

b) The address of the place where the file is established.

c) The sort of personal data which are permitted to be included in the file.

d) The time period for which the permit is granted.

e) The terms and conditions, if any, imposed by the Authority for the establishment and operation of the file.

f) The obligation of announcement of the recipient or recipients immediately they are particularized.

6. A copy of the permit will be entered in the Permits Register kept by the Authority.

7. Any change in the details referred to in paragraph 5 will be communicated without undue delay to the Authority. Any change other than a change in the address of the Controller or his representative shall entail the issuance of a new permit, provided the lawful prerequisites concur.

Article 8 Interconnection of files

1. Interconnection of files is permitted only subject to the conditions of this article.

2. Every interconnection will be communicated to the Authority under a declaration being jointly submitted by the Controllers or the Controller who interconnects two or nor files serving different purposes.

3. If one, at least, of the files which are about to be interconnected contains sensitive data or if the interconnection results to the disclosure of sensitive data or if for the implementation of the interconnection a uniform code number is about to be used, such interconnection will be permitted only upon the Authority's previous permission (interconnection permit).

4. The interconnection permit referred to in the preceding paragraph will be granted after hearing the Controllers of the files and shall include by all means the following:

a) The purpose for which the interconnection is deemed necessary.

b) The sort of personal data to which the interconnection refers.

c) The time period for which the interconnection is permitted.

d) The terms and conditions, if any, for the more effective protection of the rights and liberties and, in particular, of the right to private life of the data subjects or the third parties.

5. The interconnection permit may be renewed upon application submitted by the Controllers.

6. The declarations referred to in paragraph 2 of this article as well as any copies of the interconnection permits will be entered in the Interconnections Register kept by the Authority.

Article 9 Cross-border flow of personal data

1. The transmission of personal data to Countries of the European Union is free. The transmission to a country which does not belong to the European Union or personal data which have been undergone or they are about to undergo a processing after their transmission will be permitted following permission granted by the Authority. The Authority shall grant its permission only if it judges that the above mentioned country ensures a satisfactory protection level. For this purpose, it shall take into account especially the nature of data, the purposes and the duration of processing, the relevant general and special rules of law, the codes of practice, the security measures for the protection of personal data as well as the protection level in the countries of origin, transit and ultimate destination of data.

2. The transmission of personal data to a country which does not belong to the European Union and which does not ensure a satisfactory protection level will be exceptionally permitted upon permission granted by the Authority as long as one or more of the following conditions concur: a) The data subject has given his consent for such transmission, except if the above mentioned consent has been extorted in a way which is contrary to law or bongs mores.

b) Transmission is necessary:

i) For the purpose of ensuring a vital interest of the data subject, if the latter is physically or legally unable to render his consent, or

ii) For the purpose of entering into or performing a contract between the data subject and the Controller or between the Controller and a third party for the benefit of the data subject's interests, as long as the data subject is physically or legally unable to render his consent, or

iii) For the purpose of executing precontractual measures which have been taken upon request of the data subject.

c) Transmission is necessary for coping with an exceptional need and for the purpose of safeguarding a higher public interest, especially for the purpose of performing memoranda of understanding or cooperation agreements with public Authorities in the other country provided the Controller grants sufficient guarantees for the protection of private life and fundamental liberties and the exercise of the relevant rights.

d) Transmission is necessary for the recognition, exercise or defence of a right before a court.

e) Transmission is effected from a public register, which, according to law, is utilised for rendering information to the public and is accessible to the public or to any person who proves the existence of a legal interest, as long as in the specific case the lawful conditions for access to the register are fulfilled.

3. In the cases referred to in the preceding paragraphs, the Authority shall inform the European Commission and the respective Authorities of the other member countries, when the Authority believes that a specific country does not ensure the existence of a satisfactory protection level.

Article 10 Secrecy and security of data processing.

1. The processing of personal data shall be secret. It will be solely and exclusively affected by persons who are subject to the control of the Controller or the Processor and only upon his instructions.

2. For the carrying out of the data processing the Controller will be obliged to select persons with respective professional qualifications rendering sufficient guarantees insofar as technical knowledge and personal integrity are concerned for keeping secrecy.

3. The Controller will be obliged to take suitable organisational and technical measures for the security of data and their protection against any haphazard or unfair destruction, fortuitous loss, alteration, forbidden dissemination or access to them and any other form of unfair processing. These measures must ensure a safety level commensurate with the risks arising from processing and the nature of the data which are subject to processing. The Authority shall give from time to time instructions about the data's degree of security as well as about the security measures which are necessary for every category of data, also in view of high technology evolution.

4. If the data processing is carried out on behalf of the Controller by a person not depending on him, the relevant assignment will be made obligatorily in writing. Such assignment shall obligatorily provide that the Processor will carry out such data processing only upon instructions of the Controller and that the other obligations deriving from this article shall burden him mutatis mutandis.

CHAPTER C DATA SUBJECT's RIGHTS

Article 11 The right to be kept informed

1. The Controller will be obliged, during the stage of collection of personal data to advise in an expedient and clear way the data subject of the following details at least:

a) his identity particulars and the identity particulars of his representative, if any,

b) the purpose of data processing

c) the recipients or the categories of recipients of data

d) the existence of a right to access

2. If for the collection of personal data. The Controller asks for the data subject's assistance, he will be obliged to advise the data subject specifically and in writing of the details referred to in paragraph 1 of this Article as well as of the data subject's rights according to Articles 11-13 of this Law. With the opportunity of such briefing the Controller will advise the data subject of whether the data subject is obliged or not to render his assistance, on the basis of which provisions the data subject is obliged to do so, as well as of any consequences deriving from the data subject's refusal to act.

3. If the data are announced to third parties, the data subject will be kept informed of such announcement a priori.

4. Under a decision of the Authority, following an application submitted by the Controller, the obligation to render the information referred to in paragraphs 1 and 3 of this Article may be lifted in whole or in part as long as the collection of personal data is effected for national security reasons or for the detection of particular serious crimes.

5. Subject to the rights referred to in Articles 12 and 13 the obligation to render the above mentioned information does not exist when the collection of data is exclusively effected for journalistic purposes and refers to public figures.

Article 12 Right to access

1. Every one is entitled to know whether personal data pertaining to him constitute or have constituted the object of data processing. For this purpose, the Controller will be obliged to answer in writing.

2. The data subject will be entitled to ask for and receive from the Controller, without undue delay and in a way clear and comprehensible, the following information:

a) All the personal data pertaining to him as well as the origin thereof.

b) The purposes of data processing, the recipient or the categories of recipients.

c) The progress of data processing over the time period prior to the next preceding briefing made to him.

d) The logic of the automated data processing. The right to access may be exercised by the data subject and with the assistance of a specialist.

3. The right referred to in the preceding paragraph and the rights referred to in Article 13 are exercised by submitting the relevant application to the Controller and by the simultaneous payment of money whereof the amount, he way of payment and any other similar matters will be regulated under a decision taken by the Authority. This amount will be returned to the applicant if the application for correction or deletion of data is judged valid either by the Controller or by the Authority; in the event that the data subject applies to it. The Controller will be obliged in that case to give the applicant, without undue delay, gratis and in a comprehensible language, a copy of the corrected part of the data processing pertaining to him.

4. If the Controller does not reply within a period of fifteen (15) days or if his answer is not satisfactory, the data subject will be entitled to apply to the Authority. In the event that the Controller refuses to satisfy the request of the party concerned, he will communicate his reply to the Authority and inform the party concerned that he may apply to it.

5. Under a decision issued by the Authority, following an application submitted by the Controller, the obligation to render the information referred to in paragraphs 1 and 2 of this Article may be lifted in whole or in part if the processing of personal data is effected for reasons of national security or for the detection of particularly serious crimes. In that case the President of the Authority or his substitute will perform all the necessary acts and shall have free access to the files.

6. Data pertaining to health will be communicated to the data subject through a doctor.

Article 13 Right to objection

1. The data subject will be entitled to submit any objections to the processing of data pertaining to him. Such objections will be addressed in writing to the Controller and must contain a request concerning a specific act, such as correction, provisional non-utilization, locking, non-transmission or deletion. The Controller will be obliged to reply in writing on the above mentioned objections within a peremptory time limit of fifteen (15) days. In his reply he will be obliged to advise the data subject of the acts which he performed or probably, of the reasons why he didn't satisfy the request. The reply in the event the objections are dismissed must also be communicated to the Authority.

2. If the Controller does not reply in time or if his reply is not satisfactory, the data subject will be entitled to apply to the authority and ask for the examination of his objections. If the authority conjectures that the objections are reasonable and that there is a risk of serious damage which may be caused to the data subject due to the continuation of data processing, then the authority may order the immediate suspension of data processing until a final decision on the objections is issued.

3. Everyone is entitled to declare to the authority that he doesn't want any data pertaining to him to become the object of processing by any person whatsoever for reasons the promotion of sale of goods or the rendering of services from a remote place. The Authority shall keep records comprising the identity particulars of the above mentioned persons. The Controllers of the relevant files will be obliged to consult prior to any processing the above mentioned records and delete from their files the persons referred to in this paragraph.

Article 14 Rights to provisional judicial protection

1. Everyone is entitled to ask the court of competent jurisdiction from time to time to order the immediate suspension or non-application of an act or a decision affecting him, which has been received by an administrative authority or a public or private law legal entity or a body of persons or a natural person exclusively through an automated data processing, as long as such data processing aims at the evaluation of his personality and, particularly, his productivity in work, his financial trustworthiness, his reliability and his behaviour in general.

2. The right referred to in this Article may be satisfied even when the other substantive conditions of provisional judicial protection, as they are provided for from time to time, do not concur.

CHAPTER D PERSONAL DATA PROTECTION AUTHORITY

Article 15 Establishment - Mission - Legal Nature

1. A Personal Data Protection Authority (the Authority) is constituted having as mission the supervision of the implementation of this law and the other rulings pertaining to the protection of individuals against the processing of personal data as well as to the exercise of the powers delegated to it from time to time.

2. The Authority shall constitute an independent public authority, it shall have its own budget and it will be assisted by its own secretariat. The Authority shall not be subject to any administrative control. Upon the exercise of their duties the members of the Authority shall enjoy a personal and functional independence. The Authority will be subject to the minister of Justice and will be seated in Athens.

3. The Authority's budget will be proposed by the Justice Minister following a proposal submitted by the authority. A percentage of the State's revenues of any nature deriving from the implementation of this law, including the fees and penalties imposed by the Authority, will be disposed of for the Authority's needs. This percentage will be determined from time to time under a joint decision issued by the Minister of Finance and the Minister of Justice.

Article 16 Composition of the Authority

1. The Authority will be composed of one judicial functionary with the rank of State Councillor or a rank corresponding to him, as Chairman, and six members as follows

a) A full professor or an associate professor from an institution of higher education specialized in law.

b) A full or associate professor from an institution of higher education in informatics.

c) A professor or an associate professor of an Institution of Higher Education.

d), e), f) Three persons of high standing and experience in the field of protection of personal data. The judicial functionary - Chairman and the professors - members may be on active service or not.

2. The Chairman of the Authority will be employed on a full time and exclusive basis and he will be appointed by a Presidential Decree being issued upon proposal of the Cabinet following a motion submitted by the Minister of Justice. If for the position of the Chairman a judicial functionary on active service is selected, then a decision of the pertinent supreme judicial council will be required The substitute for the Chairman will be selected and appointed on the basis of the same procedure.

3. The members of the Authority will be appointed under the following procedure: the minister of Justice submits to the Parliament Speaker a proposal for the appointment of the six ordinary members of the Authority and an equal number of substitutes. The proposal shall include a double number of candidates. The Parliament Speaker forwards the proposal to the Transparency and Institutions Committee which will deliver its opinion. The Authority's ordinary members and their respective substitutes will be selected by the Chairmen's Conference. The selected persons will be appointed under a presidential decree being issued upon proposal of the Minister of Justice and published in the Official Gazette.

4. The Authority's Chairman and members will be appointed for a specific term of office. Their term of office will be four years and may be renewed only once. None may serve over a total period exceeding eight (8) years. Half of the composition of the Authority's six members will be renewed every two years. After the first formation of the authority, a draw by lots will be effected among the six ordinary members thereof, so that three of them shall have a four year term of office and the other three of them shall have a two year term of office.

5. The Chairman and the members of the Authority will be appointed along with an equal number of substitutes who must have the same status and qualifications. The substitutes for the Chairman and the members will participate in the meetings of the Authority only in the event of a provisional absence or inability of participation on the part of a relevant ordinary member. Under its decision the Chairman of the Authority will delegate special duties to the substitutes. The term of office of each substitute will equal the term of office of the relevant ordinary member.

Article 17 Impediments-Incompatibilities of the Authority's members

1. No one may be appointed as a member of the Authority :

a) If he is a minister, undersecretary, a secretary general to a ministry or to an independent secretariat general or a member of Parliament.

b) I f he is a governor, manager administrator, member of the Board of Directors or a person performing managerial duties, in general, in an undertaking which produces, manufactures, sells or trades in materials being used in informatics or telecommunications or renders services in connection with informatics, telecommunications or personal data processing, as well as those persons being connected under a contract for work with such an undertaking.

2. Anyone who after his appointment does the following shall automatically forfeit its status as a member of the Authority

a) He acquires one of the forms of statue constituting an impediment with regard to his appointment, according to the provisions of the preceding paragraph.

b) He performs acts or undertakes any business or work/project or he acquires any other status which, in the Authority's opinion is not compatible with his duties as a member of the Authority.

3. The Authority shall proceed to the ascertainment of the incompatibilities referred to in the preceding paragraph without participation of its member, to whose person the above mentioned incompatibility probably concurs. The Authority shall decide after hearing the above mentioned member. The procedure will be moved either by the Chairman of the Authority or by the Minister of Justice.

4. The loss of status on the basis of which a member of the authority was appointed according to paragraph 1 of Article 16 of this law, shall entail his automatic forfeiture of his right, if such loss of status is due to on irrevocable disciplinary or penal conviction.

Article 18 Obligations and rights of the Authority's members

1. Upon the exercise of their duties the Authority's members shall obey to their conscience and the law. They will be subject to the duty of secrecy. As witnesses or experts they may submit details exclusively and solely pertaining to the observance of the provisions of this law by Controllers. The duty of secrecy continues to exist even after the withdrawal of the Authority's members in any way whatsoever.

2. Under a decision issued by the Minister of Finance and the Minister of Justice the monthly wages of the Chairman and the Authority's members as well as their remuneration for each session will be fixed by derogation from any other provision. To the substitutes 1/3 of the monthly wages of the Authority's members as well as a remuneration for each session in which they participate will be paid. The provisions pertaining to the transport expenses of the persons travelling upon the State's instructions for the performance of duties prevailing from time to time shall also apply to the travelling activities of the Authority's members and the Authority's Secretariat employees. The Authority's Chairman shall issue the relevant travelling instructions.

3. For every infringement of their obligations deriving from this law, the Authority's member will be disciplinarily liable. The disciplinary procedure will be instituted before the disciplinary council by the Minister of Justice with regard to the Chairman and the Authority's members and the Authority's Chairman with respect to the Authority's members. The Disciplinary Council will consist of one VicePresident of the Council of State, as Chairman, one Supreme Court Judge, one Councillor of the Court of Auditors and two professors from institutions of higher education specialized in law. An employee of the authority shall perform the duties of the Council's Secretary. The Chairman, the members and the Secretary of the Council will be appointed along with an equal number of substitutes. For the Council's members who are judicial functionaries a decision by the pertinent Supreme Judicial Council will be required. The Council will be formed under a decision of the Minister of Justice with a three-year term of office. The Council will hold its session in the presence of four members at least, among whom the Chairman or his substitute will always be included, and the Council shall pass its solutions by an absolute majority vote of the persons in attendance. In case of equality of votes the Chairman's vote shall prevail. If there are more than two opinions, those who have followed the weaker opinion will be obliged to accede to one of the more prevalent of them. The disciplinary council will decide at a first and last instance level on the discharge or the firing of the defendant. The fees of the Council's Chairman, members and Secretary will be determined under a joint decision issued by the Minister of Finance and the Minister of Justice by derogation from any other provision.

4. A member of the Authority who, in contravention of this law, disseminates in any way whatsoever personal data which are accessible to him due to his service or if he lets another person to take notice of them, will be punished by imprisonment for not less than two (2) years and a pecuniary punishment ranging from two million Drachmas (GRD 2,000,000) to ten million Drachmas (GRD 10,000,000). If, however, he has committed the act with the purpose of gaining unlawful benefits for himself or for another person or for the purpose of causing damage to another person, then he will be punished by confinement in a penitentiary. If the act referred to in the first section of this paragraph has been committed negligently, then the perpetrator will be punished by imprisonment for not less than three (3) months and a pecuniary penalty.

Article 19 Powers, operation and decisions of the Authority

1. The Authority shall mainly have the following powers:

a) It shall issue instructions for the purpose of a uniform application of the rulings pertaining to the protection of individuals against the processing of personal data.

b) It shall call on and assist trade unions and other bodies of persons or legal entity associations keeping data files of a personal nature in the preparation of codes of practices for the more effective protection of private life and the rights, in general, and the fundamental liberties of the natural persons in the sector of their activities.

c) It shall address recommendations/admonitions and instructions to Controllers or to their representatives, if any, and shall publish them, at its discretion.

d) It shall grant the permits provided for in the provisions of this law and it shall fix the amount of the relevant fees.

e) It shall denounce the infringements of the provisions of this law to the competent administrative and judicial authorities.

f) It shall impose the administrative sanctions provided for in Article 21 of this Law.

g) It shall assign to one or more of its members the carrying out of Administrative Examination.

h) It shall proceed ex officio or following the submission of a relevant complaint to administrative controls with regard to any files. It shall have, to that effect, a right of access to personal data and a right to collect any kind of information for the purposes of the control without the interference of any kind of secrecy. Exceptionally, the authority shall not have access to identity data pertaining to associates being contained in files kept for reasons of national security or for the detection of particularly serious crimes The control will be carried out by one or more members of the authority or an employee of the secretariat especially authorized to that effect by the Chairman of the Authority. During the control of files kept for reasons of national security the Authority's Chairman will be present in person.

i) It shall deliver an opinion with respect to any ruling pertaining to the processing and protection of personal data.

j) It shall issue regulations pertaining to the arrangement of special, technical and detailed matters to which the present law refers.

k) It shall announce to Parliament violations of the rulings pertaining to the protection of individuals against the processing of personal data.

l) It shall prepare every year a report concerning the fulfilment of its mission over the previous calendar year. In the report shall also be emphasized the necessary legislative changes, if any, in the sector of the protection of individuals against the processing of personal data. The report will be submitted by the Authority's Chairman to the Parliament Speaker and to the Prime Minister and it will be published in the Official Gazette on the authority's responsibility. The authority will also be entitled to give even another kind of publicity to the report.

m) It shall examine complaints relating to the implementation of the law and the protection of the applicants' rights when such rights are affected by the processing of data pertaining to them and its shall also examine applications whereby the control and detection is requested of the legality of such data processings and it shall advise the applicants of its relevant action.

n) It shall cooperate with the respective authorities of other member countries of the European Union and the Council of Europe on matters in connection with the exercise of its powers.

2. The Authority shall hold its sessions ordinarily upon invitation sent by its Chairman. It shall hold extraordinary sessions following an invitation by the Chairman or the application by at least two of its members. The decisions of the authority will be taken by a majority vote of at least four of its members. In case of equality of votes, the Chairman's vote or the vote of his substitute shall prevail.

3. The authority shall prepare its rules of procedure whereby the allocation of powers among its members, the previous hearing of the parties concerned, matters pertaining to the disciplinary procedure as well as the way of carrying out the controls referred to in paragraph 1 (h) of this Article shall especially be regulated.

4. The authority will keep the following registers:

a) The Files and Processings Register, in which the files and the processings communicated to the authority will be included.

b) The permits register, in which the permits issued by the Authority for the establishment and operation of files containing sensitive data will be included.

c) Interconnections register, in which the declarations and permits issued by the authority for the interconnection of data will be included.

d) Register of persons who do not want to be included in files, whereof the purpose is the promotion of the supply of goods or the rendering of services from remote places.

e) Transmission permits register, in which the transmission permits for personal data will be entered.

f) Secret files register, in which files kept by the Ministry of National Defence, the Ministry of Public Order and the National Intelligence Service for National Security reasons or for the detection of particularly serious crimes will be entered under a decision of the authority and following an application submitted by the competent, from time to time, Controller. In the secret files register shall also be entered the interconnections with one at least file pertaining to that case.

5. None will have access to the registers under a), b), c), d) and e) of the previous paragraph. Following an application by the party concerned and a decision of the Authority the access also to the secret files register may be permitted in whole or in part. Upon request of the Controller or his representative and under a decision of the authority the access to the transmission permits register may be prohibited in whole or in part as long as risk may arise therefore with regard to the private life of a third party, the national security, the detection of particularly serious crimes and the fulfilment of the country's obligations stemming from international contracts.

6. The Chairman will represent the Authority before any other authorities as well as before committees and groups, in sessions and conferences of institutions of the European Union as well as in any other international organizations and institutions provided for by International Conventions or in which representatives of similar authorities of other countries participate. The Chairman may assign the Authority's representation to one of its members, a substitute or even an employee of the controllers branch of the Secretariat.

7. To the Authority's Chairman applies the liability of the Authority's operation as well as the operation of the secretariat. The Chairman may authorize a member of the Authority or the Secretariat's Head or the Head of the Secretariat's service to sign "by the order of the President" documents, payment warrants or other acts. The Chairman will be the Administrative Head of the Secretariat's Personnel. He will exercise disciplinary power on them and he will be entitled to impose a disciplinary punishment whereof the maximum limit will be a fine equal to half the defendant's monthly wages.

8. The Authority's regulations will be published in the Official Gazette. The other decisions of the authority shall come into force as of the date of their issuance or as of the date on which they were served upon.

9. Remedies versus the Authority's decisions may also be instituted by the State. The remedy will be instituted by the competent Minister according to each specific case.

10. Every public authority shall render its assistance to the Authority.

Article 20 The Authority's Secretariat

1. The Authority will be helped out by a Secretariat Section. The Secretariat shall operate at a management level. The official status of its employees will be governed by the provisions prevailing from time to time for the Administrative Civil Servants. The organization of the Secretariat, its division into departments and offices and the individual powers thereof, the number of the personnel's positions by branches and specialties as well as any other necessary details will be determined by a Presidential Decree being issued upon proposal of the Minister of the Interior, the Minister of Public Administration and Decentralisation, the Minister of Finance and the Minister of Justice following a motion submitted by the Authority which will be delivered within two months following its formation. Under the same decree the formation, as an official secretariat's unit, of a controllers department will be provided for. The engagement and the official status of the employees of the above mentioned Department will be governed by derogation from the provisions from time to time in force. The Head of the Secretariat will obligatorily come from the controllers' branch. The number of positions of any kind of the Secretariat's personnel may not exceed the number of thirty (30) persons.

3. Vacancies in the Secretariat Section will be filled according to the provisions from time to time in force pertaining to the engagement of civil servants. Especially for the employees of the Secretariat's controllers' branch, their engagement will be made by the Authority upon selection or an examination procedure following a relevant announcement.

4. The subjects pertaining to the Secretariat personnel's official status will be resolved by an official council being formed under a decision of the Authority's Chairman. Such council Authority's members, one (1) employee being appointed by it and two (2) elected representatives of the employees. Save as aforesaid the prevailing from time to time provision for the official council of the public services' personnel and the personnel of the public law legal entities shall apply.

5. The ordinary employees of the Authority's Secretariat will be subject, as to their secondary social security, to the Ministry of Justice Agencies Personnel's Assistance Fund. Those who come from other agencies may continue to belong to the social security funds of their previous agency. The Secretariat's employees shall be obligatorily insured by the Lawyers' Pension Fund under the same conditions as its other salaried insured persons have been insured by it. The provisions of this paragraph shall also apply to the employees who are transferred to the Authority's Secretariat from Private Law Legal Entities.

6. Upon the first implementation hereof, the filling of vacancies for the Heads of the Secretariat's Official Departments, except for the Controllers' Department, will be effected following an announcement by the Authority or through a transfer of employees of grade A or equivalent of the State or of Public Law Legal Entities or through an appointment. The appointment shall take place only for the vacancies which will not be filled through transfer. The selection of the persons being transferred or appointed will be effected by the Authority. The appointment of the selected persons by the Authority will be effected under a decision issued by the Minister of Justice and the transfer will be effected under a decision issued by the Minister of Justice and the relevant other Minister. For the transfer no opinion shall be required to be delivered by the pertinent Official Council of the agency from which the employee is transferred. The Head of the Secretariat will be selected by the Authority from among the employees of the controllers department by derogation from any other provision.

7.Upon the first implementation hereof the other vacancies in the Secretariat Section will be filled under the prerequisites and the procedure referred to in the preceding paragraph. Those candidates who have a proven experience on topics of informatics will be preferred. For the employees of the controllers department shall apply the provisions of paragraph 3 of this Article.

8. The period of the previous service of the persons being transferred from public law legal entities or from private law legal entities will be regarded as time of actual public (civil service) with regard to any consequence.

9. The provisions of paragraph 4 of Article 18 shall also apply to the Secretariat's employees.

CHAPTER E SANCTIONS

Article 21 Administrative Sanctions

1. The Authority shall impose on the Controllers or on their representatives, if any, the following administrative sanctions due to violation of their obligations deriving from this law and from any other ruling pertaining to the protection of individuals against the processing of personal data : ,

a) warning, under a peremptory time limit for the lifting of the violation. .

b) Penalty for an amount ranging from three hundred thousand Drachmas (GRD 300,000) to fifty million Drachmas (50,000,000)

c) provisional revocation of the permit

d) definitive revocation of the permit

e) discarding a file or interruption of processing and discarding the relevant data.

2. The Administrative sanctions under b, c, d and e referred to in the preceding paragraph shall be imposed always after hearing the Controller or his representative. Such sanctions will be commensurate with the gravity of the violation imputed on. The Administrative sanctions under c, d, and e will be imposed in case of a particular grievous or repetitive violation. A fine may be imposed cumulatively also with the sanctions referred to in subparagraphs c, d and e. If the sanction of discarding the file is imposed, the Controller will be responsible for such discarding, to whom a fine may be imposed due to non-compliance. The amounts of fine referred to in paragraph 1 may be readjusted under a decision issued by the Minister of Justice, following a proposal on the part of the authority. The acts of the authority whereby fines are imposed shall constitute an enforceable instrument and will be served to the Controller or his representative, if any. The collection of fines will be effected according to the provisions of Public Revenues Collection Code (K.E.D.E,.).

Article 22 Penal Sanctions

1. Anyone who fails to advise the Authority, according to the provisions of Article 6 of this law, of the establishment or the operation of a file or any change in the terms and conditions regarding the granting of the permit provided for by paragraph 3 of Article 7 of this law, will be punished by imprisonment for not more that three (3) years and a pecuniary penalty for an amount ranging from one million Drachmas: (GRD 1,000,000) to five million Drachmas (GRD 5,000,000).

2. Anyone who, in contravention of Article 7 of this law keeps a file without permit or by infringement of the terms and conditions referred to in the Authority's permit, will be punished by imprisonment for not less than one (1) year and a pecuniary penalty for an amount ranging from one million Drachmas (GRD 1,000,000) to five million Drachmas (GRD 5,000,000).

3. Anyone who in contravention of Article 8 of this law proceeds to the interconnection of files without advising the authority of that, will be punished by imprisonment for not more than three (3) years and a pecuniary penalty for an amount ranging from one million Drachmas (GRD 1,000,000) to five million Drachmas (GRD 5,000,000). Anyone who proceeds to the interconnection of files without the Authority's permit, wherever such permit is required, or in contravention of the terms of the permit granted to him, will be punished by imprisonment for not less than one (1) year and a pecuniary penalty for an amount ranging from one million Drachmas (GRD 1,000,000) to five million Drachmas (GRD 5,000,000).

4. Anyone who, without having such a right, interferes in any way whatsoever, within a data file of personal nature or anyone who takes notice of such data or removes them, alters them, harms them, destroys them, processes them, transmits them, announces them, make them accessible to unauthorized persons or permit such persons to take notice of such data or any one who exploits such data in any way whatsoever, will be punished by imprisonment and a pecuniary penalty and if it has to do with sensitive data by imprisonment for not less than one (1) year and a pecuniary penalty for an amount ranging from one million Drachmas (GRD 1,000,000) to ten million Drachmas (GRD 10,000,000), if the act is not punished by heavier punishment by other provisions.

5. The Controller who does not comply with the Authority's decisions being issued for the satisfaction of the right to access according to paragraph 4 of Article 12, for the satisfaction of the right to objection according to paragraph 2 of Article 13, as well as with acts for imposition of the administrative sanctions referred to in subparagraphs c, d and e, of paragraph 1 of Article 21 will be punished by imprisonment for not less than two (2) years and a pecuniary penalty for an amount ranging from one million Drachmas (GRD 1,000,000) to five million Drachmas (GRD 5,000,000). By the punishments referred to in the preceding section will be punished the Controller who transmits personal data in contravention of Article 9 as well as the person who does not comply with the Court Decision referred to in Article 14 of this Law.

6. If the perpetrator of the acts referred to in paragraphs 1-5 of this Article purported to gain in his favour or in the of another person unlawful property benefit or to harm a third party, then he will be punished by confinement in a penitentiary for not more than ten (10) years and a pecuniary penalty for an amount ranging from two million Drachmas (GRD 2,000,000) to ten million Drachmas (GRD 10,000,000).

7. If from the acts referred to in paragraphs 15 of this Article danger was caused to the free function of Democratic Government or to national security, then confinement in a penitentiary will be imposed and a pecuniary penalty for an amount ranging from five million Drachmas (GRD 5,000,000) to ten million Drachmas (GRD 1,000, 000) .

8. If the acts referred to in paragraphs 15 of this Article were committed negligently, imprisonment will be imposed for not more than three (3) years and a pecuniary penalty.

9. With regard to the application of the provisions of this Article, if the Controller is not a natural person, then the representative of the legal entity or the head of the public authority or agency or organization - if he exercises also substantively the administration and management thereof - will be liable.

10. With regard to the offences referred to in this Article, the Chairman and the members of the Authority, as well as the employees of the Secretariat's Controllers Department who are especially authorized to that effect will be special investigating officers and will have all the rights provided for to that effect by the Code of Penal Procedure. They will be entitled to proceed to a preliminary investigation even without a public prosecutor's order, if the perpetrator was caught in the very act of committing a felony or a misdemeanour or if there is danger caused due to the postponement.

11. For the offences referred to in paragraph 5 of this Article as well as in any other case in which there was a previous administrative control by the authority, its chairman will announce in writing to the competent Public Prosecutor anything which constituted the object of an investigation by the authority and shall forward to him all the relevant records and evidence.

12. The preliminary investigation for the offences referred to in this Article will be completed within two (2) months maximum following the bringing of the penal prosecution and as long as there are sufficient indications for the defendant's remanding to trial, the date of hearing will be fixed for a date not longer than three (3) months from the completion of the preliminary investigation or, if such remanding was effected by a judicial council's order, not longer than two (2) months following the date on which, such order became irrevocable. In the event that the case is introduced to the courtroom by a direct summoning of the defendant, no application will be permitted against the writ of summons.

13. No postponement of the trial will be permitted with regard to the offences referred to in this Article, except where this is done once and for an exceptionally important reason. In that case, a date of hearing will be expressly fixed which will not be more than two (2) months afterwards and the case will be litigated, exceptionally, first.

14. The felonies, provided for in this law, will be subject to the jurisdiction of the court of appeal. Article 23 Civil Liability (Third party liability)

1. Any natural person or a private law legal entity, who in contravention of this law, causes a property damage will be liable to damages. If he/it has caused a nonpecuniary damage he/it will be liable to pecuniary indemnification. There will also be such liability if the person liable was obliged to know the possibility that such damage could be caused to another.

2. The pecuniary indemnification provided for by Article 932 of the Civil Code, due to nonpecuniary damage caused in contravention of this law, will be fixed at the amount of two million Drachmas (GRD 2,000,000) minimum, except if a lesser amount was asked for by the plaintiff or if the infringement of law is due to negligence. Such pecuniary indemnification will be awarded regardless of the compensation asked for with respect to the property damage caused.

3. The claims referred to in the present Article will be litigated according to Article 664 - 676 of the Code of Civil procedure, notwithstanding the issuance or not of the Authority's decision, in any, or the bringing, if any, of penal prosecution, as well as notwithstanding the suspension or the postponement thereof due to any reason whatsoever. The Court decision will be issued within a period of two (2) months following the first hearing in the courtroom.

CHAPTER F FINAL - TRANSITORY PROVISIONS

Article 24 Controller's liabilities

1. The processing supervisors of files which have been operating as of the entry into force of this law will be obliged to submit the announcement of operation referred to in Article 6 to the Authority within a period of six months following the commencement of the Authority's operation.

2. To the same obligation will be also subject the processing supervisors of sensitive data files which have been operating as of the effective date of this law, in order that the permit referred to in paragraph 3 of Article 7 may be issued.

3. For files operating and for cases of processing being performed upon the effective date of this law, the processing supervisors will be obliged to proceed according to paragraph 1 of Article 11 to the briefing of the subjects within a period of six 6 months following the date of commencement of operation of the Authority. If such briefing pertains to a large number of data subjects, it will be possible for it to be done through the Press. In that case the relevant details will be determined by the Authority. The provisions of paragraph 4 of Article 11 shall also apply in this instance.

4. With regard to files entirely notautomated the time limits referred to in the preceding paragraphs will be one (1) year.

5. The provisions of Articles 11, 12, 13 and 19 para. 1 of this law shall not apply to the penal records and the official records kept by the competent judicial authorities for the purpose of meeting the operation requirements of penal justice and within the framework of the operation thereof.

Article 25 Commencement of the Authority's operation

1. Within a period of sixty (60) following the effective date of this law, the Authority's Chairman and his substitute will be appointed. Within the same time limit the Minister of Justice will subject to the Parliament Speaker a proposal for the appointment of four ordinary members of the Authority and an equal number of substitutes.

2. The time of commencement of the Authority's operation will be determined under a decision of the Minister of Justice which will be issued not later than four (4) months following the formation of the Authority. From the date of the appointment of the Authority's members through the date, according to the provisions of paragraphs 6 and 7 of article 20 of this law, of filling the Secretariats vacancies, the Authority will be staffed by personnel who will be provisionally transferred to it under a decision issued by it, by derogation from any other provision.

3. Until the Authority comes to a point to operate according to the preceding paragraph, the liquidation of its expenses will be effected by the financial department of the central agency of the Ministry of Justice at the expense of the Budget of the Ministry of Justice.

4. The decision of the Minister of Justice according to paragraph 2 of this Article with regard to the date of commencement of the Authority's operation will be published in the Official Gazette and in four (4) at least daily political newspapers with a broad circulation in Athens and Thessaloniki and in two (2) at least daily financial newspaper .

Article 26 Effective date

1. The provisions of Articles 15, 16, 17, 18 and 20 of this law shall come into effect as of the publication of this law in the Official Gazette.

2. The other provisions shall come into effect as of the date of commencement of the Authority's operation according to the preceding Article.

Athens, 1997

THE MINISTER OF THE INTERIOR, PUBLIC ADMINISTRATION AND DECENTRALISATION

THE MINISTER OF NATIONAL ECONOMY AND FINANCE

THE MINISTER OF JUSTICE

THE MINISTER OF PUBLIC ORDER

THE MINISTER OF THE PRESS AND MASS MEDIA

True translation from Greek of the attached document.

Athens 30-4-1997

G. D. Goulandris, Translator

Hellenic Republic, Ministry of Foreign Affairs, Translations Office, Athens.

 

Document loaded May 28, 1998