Publication
Publication
Contacts
Karageorgiou & Associates
Dr. Stavros Karageorgiou
Tel: +30 210 7221021
www.kalaw.gr
Supervisory Authority
National Legislation
Law 4624/2019 (In Greek)
Law 4624/2019 (Official Translation)
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation).
Contributed by Karageorgiou & Associates Law Firm
Last updated May 2026
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
The General Data Protection Regulation (EU) (2016/679) (“GDPR”).
The EU is currently considering the Digital Omnibus (2025/0360 (COD)). This proposes a number of amendments to the GDPR including: (a) protection from abusive subject access requests; (b) extending the deadline to notify breaches to a supervisory authority to 96 hours and only applying that notification to high risk breaches; (c) codifying the “relative” approach to the concept of personal data; (d) ensuring a consistent approach to DPIAs; and (e) providing an express legal basis for the training of AI systems. However, some changes are controversial, and it is not clear if they will all be adopted.
In Greece, Law 4624/2019 is the national law assisting with the application of the GDPR.
Entry into force
The GDPR has applied since 25 May 2018.
Law 4624/2019 entered into force on 29 August 2019.
Details of the competent national supervisory authority
The Hellenic Data Protection Authority acts as the supervisory authority in Greece.
Data Protection Authority (the “Authority”)
1-3 Kifisias Avenue
Athens
The Data Protection Authority will represent Greece on the European Data Protection Board.
Notification or registration scheme and timing
There is no obligation to notify regulators of any processing under the GDPR.
However, controllers and processors must keep records of processing and provide them on request.
Exemptions to notification
Not applicable.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
It is not permitted to make direct marketing calls to individual subscribers who have either: (i) previously objected to such calls; or (ii) are listed on the opt-out registers.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
It is not permitted to make direct marketing calls to corporate subscribers who have either: (i) previously objected to such calls; or (ii) are listed on the opt-out registers.
Exemptions and other issues
Calls can be made to a subscriber who is listed on the opt-out registers if they have consented to receiving such calls.
Contents