2 Likavittou Street, Kolonaki
210 36 41 214 - 210 36 46 874

main image

The Criminal Protection of Personal Data under Law 4624/2019


Summary: The unlawful processing of personal data is now criminalized in Article 38 of Special Law 4624/2019, which replaced the previous regime of Law 2472/1997 and, in particular, Article 22 thereof. The latter incorporates into Greek law the EU General Data Protection Regulation 679/2018, also known as GDPR (General Data Protection Regulation) and EU Directive 690/2016 on the processing of personal data by the competent authorities for the detection of offences and the execution of criminal penalties. Below we will try, briefly, to describe the individual offences under Article 38, their criminal treatment and those cases where the processing carried out was "by right", thus excluding the commission of a criminal offence. Particular reference is also made to the case of 'revengeful', as it is called, disclosure of data for the purpose not of the economic exploitation of the data subject but of his or her social disgrace.

i. Introduction - Necessary conceptual clarifications:

Law 4624/2019 took measures to implement the General Data Protection Regulation (GDPR) EU 679/2016 and EU Directive 680/2016 on special data processing by competent law enforcement authorities with regard to the commission of criminal offences and replaced the previous regulatory framework of Law 2472/1997. And both under the former regulation and the current one, it is accepted that the protection of personal data in general (and therefore the criminal aspect of it that we are interested in here) is based on the "rule-exception" scheme, in the sense that any processing of personal data of a natural person is unlawful unless there is a specific legal provision that provides for it and, therefore, allows it (such as the provisions, for example, that provide for the consent of the person, as discussed below).

Basic concepts in data protection law in general, to which reference must be made in order to understand the described regulation, are: that of (a) personal data, (b) the data subject, (c) the controller and (d) the filing system. Thus, therefore, we have the following basic definitions:

a. Personal data: constitutes any information relating to an identified or identifiable natural person (b. data subject). In particular with regard to the identifiable person, the identity of the identifiable person can be established directly (by reference to a first name, surname, identification number, example: the Identity Card Number is personal data as it can be linked to a specific natural person and identify him or her) or indirectly (by reference, for example, to data specifying the physical, psychological, economic, family or social situation of the person, example: references: "well-known, blonde, TV presenter from the northern suburbs" constitute personal data, if they can be linked to a specific natural person). 

b. Controller: is the natural or legal person, public authority or service, in general, responsible for determining the purpose of the processing or the manner of processing {example: A public limited liability company is a controller in respect of the personal data it holds about its customers and employees (such as name, contact details, identity details, medical data and so on) }.

c. Archiving system: is an organised set of personal data which is accessible on the basis of certain criteria (such as name, date, chronological order, type of data, etc.), examples: a list of passenger names on an airline's computers constitutes a filing system, as does an album of photographs of individuals held by another natural person in electronic or physical form, as well as recordings and recordings of television programmes (see also the list of the names of passengers on an airline's computers). (See CCP 4087/2016), video cameras and modern mobile phones (See CP 1306/2016), records of criminal judgments of criminal courts (See CCP 1247/2011). However, it has been held that a criminal case file which is in progress and has not been archived does not constitute a filing system (Cf. Council Decision 2942/2003 and Decision No 222/2021 of the Council of Ministers of the European Union, analysed below)}.

It is further noted that the provision of the criminal offence of "unlawful" processing of personal data aims to protect the so-called informational self-determination of the person, i.e. his/her right to control the information concerning him/her, whether this information constitutes special categories of data (sensitive data, as we knew them under the previous law) and is therefore at the core of privacy (such as, for example, sexual identity, physical and mental health, family life, etc. and so on), or constitute mere data (such as name, surname, address, telephone number and so on), even if these data have become widely known. And given the modern technological possibilities of information processing (see computers, smart phones, etc. ), the aim is, in particular, to protect the person from unfair profiling, i.e. from the creation of what is called a personality portrait through the fragmentary connection of seemingly unrelated information in order to give a meaning not intended and not sought by the person concerned, usually after the creation of new information - data {example: one is, clearly, the meaning and value of the information of a person's address that is, with his/her consent, listed on a debt account (objective: the correct sending of the debt notice) and another when, without consent, it is placed in a relevant journalistic article to identify, e.g. χ., his or her financial situation, which is assessed, in this case, on the basis of the person's choice of place of residence (objective: the person's unwanted identification of his or her economic and social class)}.

ii. The individual offences of Article 38 of Law No. 4624/2019: 

Article 38 of the Act describes the two main forms of the offence which is committed in two ways: a) by unlawful interference with the filing system, as we have defined it, in which the data are kept or by, primarily, reproducing and processing them; and b) by dissemination of data (which, following the above-mentioned unlawful interference, the offender knows or has acquired (this is the so-called offence of disclosure). Thus, the offence is punishable under paragraphs 1 and 2 of Article 38:

"1. Whoever, without right: a) interferes in any way with a personal data filing system, and by this act acquires knowledge of such data; b) copies, removes, alters, damages, collects, registers, organizes, structures, stores, adapts, alters, retrieves, searches for information, correlates, combines, restricts, deletes, destroys" (Examples: a domestic helper gains access to the computer of her employer, who is popular in the art world, and, without his consent, copies a series of photographs of him using her mobile phone, see. and conviction Aegean Court of Appeal (Con) 112/2019 in which " ... the defendant placed electronic orders and transactions regarding the purchase of computer products from the online stores under the names ...... and ...... using, among other things, the details of the credit cards issued by foreign banking institutions, all of which he had intercepted after interfering with the computer file of the hotel ...... where he worked as a receptionist, belonging to customers of the said hotel...).

"2. Whoever uses, transmits, disseminates, communicates by transmission, makes available, communicates or makes accessible to non-entitled persons personal data obtained in accordance with point (a) of paragraph 1 or allows non-entitled persons to obtain knowledge of such data" (Example: Cf. See for example the judgment of the Court of First Instance in case 4033/2005 MonPlimCalam, in which the executives of a banking institution sent for publication in a newspaper of general circulation data concerning the financial debts of the victim, including data relating to the pending auctions of his property).

It follows, therefore, that the offence is not committed by anyone who makes use of information to which he has gained access by chance, that is to say, without having intervened and searched a file or without having received it from a third party who has intervened in that file. Only when the offender gains access to encrypted or pseudo-encrypted data, i.e. data that cannot be linked to a specific person (unless the intervening party manages to decrypt or destroy them, in which case the latter would constitute an offence of the second type of offence in the first paragraph (... copying, removing, altering, damaging, .... deleting, destroying ...).

iii. Their criminal treatment: 

The two basic forms of manifestation of the offence mentioned above are misdemeanours, with the second (that of disclosure) being treated more severely, due to the greater offence that the further dissemination of data by the offender entails for the victim. Thus, the latter is thus punishable by a maximum of one (1) year's imprisonment, if not more severely punished by another provision, for the commission of the acts of the first paragraph and by a maximum of five (5) years' imprisonment for the commission of the acts of the second paragraph. The same Article 38 further provides for a more severely punishable case of the offence of disclosure of data (this is, as it is said, the offence of disclosure of special categories of data or data concerning criminal convictions) as well as felony cases of the offence, based on a) the total benefit/damage sought from the act or the moral damage caused by the act, in general b) the danger caused to the democratic constitution or national security. Thus, paragraphs 3,4,5 of Article 38 of Law 4624/2019 read as follows: "...3. If the act referred to in paragraph 2 concerns special categories of personal data under Article 9(1) of the GDPR (such as, in particular, data concerning: sexual identity and sexual orientation in general, health, political opinions, religious beliefs) or data concerning criminal convictions and offences or related security measures under Article 10 of the GDPR, the perpetrator shall be punished with imprisonment of at least one (1) year and a fine of up to one hundred thousand (100. 000), if the act is not punished more severely by another provision. 4. The perpetrator of the acts of the preceding paragraphs shall be punished with imprisonment of up to ten (10) years, if he or she intended to obtain for himself or herself or for another illegal pecuniary benefit or to cause pecuniary damage to another or to harm another and the total benefit or total damage exceeds the amount of one hundred and twenty thousand (120,000) euros. 5. If the acts referred to in paragraphs 1 to 3 caused a danger to the free functioning of the democratic constitution or to national security, imprisonment and a fine of up to three hundred thousand (300,000) euros shall be imposed."

It should be noted, however, that following the new Article 463 para. 2 and 3 of the CC (effective from 1.7.2019), according to which {"2. Where in special criminal laws a prison sentence is threatened, a fine, as provided for in Article 57 of this Code ... 3. Where in special criminal laws imprisonment of up to ten years is threatened, a sentence reduced in accordance with Article 83, paragraph c) shall be imposed (instead of the sentence of imprisonment, imprisonment of at least one (1) year or imprisonment of up to eight (8) years shall be imposed)}. The act retains its felonious character ... "), the penalties provided for in the special criminal law under consideration are formulated accordingly.

iv. When is there a "right" to processing that precludes the commission of the offence:

 As mentioned above, if there is no specific legal basis allowing the processing of natural person data (both simple and specific), this is prohibited. In Law 4624/2019 the relevant bases for permissible processing are identified in Articles 21 to 30 and 46 to 52. The most important of these, which have been addressed in the case law of our courts and under the previous law, are (a) the consent of the data subject, (b) the overriding legitimate interest of the controller and (c) the disclosure of the data by the data subject himself. Thus, when the conditions for the application of the above cases of permissible processing are met, then the offence cannot be said to have been committed. In more detail:

a) Consent of the data subject: the consent of the data subject to the processing of his/her data is directly provided for in the GDPR (Articles 6(1a) and 9(2a)). Consent is defined in the Regulation as 'any freely given, specific, explicit and informed indication of the data subject's wishes by which he or she signifies his or her agreement to the processing of personal data relating to him or her by means of a declaration or explicit affirmative action'. Thus, therefore, consent should be free (i.e. not the result of coercion by the controller, in particular in cases where there is a relationship of dependence with the controller, such as, for example, dependent employment relationships), but also be given for a specific purpose of processing after, of course, the data subject has been clearly informed of (a) the controller, (b) the purpose of the processing, (c) the data on which the processing will take place, (d) the right to withdraw the consent given and (e) the possibility of transferring the data to a third country of the EU and the risk involved (see in particular Article 43 of the Regulation). 

Finally, it is worth noting that for processing to be lawful, not only the consent of the data subject is not sufficient but the processing in general should not be excessive in relation to the purpose of the processing. In other words, the so-called proportionality principle must be respected. Thus, it was held in PCT No. 3425/2021 P.P.R. Thessal that the inclusion in a statement of claim of non-defendants of their shareholding in a public limited company and their qualities in the management of that company was without consent, without further serving the purpose pursued by the claim. The use of such data by the persons themselves in earlier proceedings does not constitute consent to 'in rem' processing, making the latter unlawful and contrary to Art. 38 ν. 4624/2019, on which the relevant lawsuit was based. An excerpt of the judgment reads as follows " ... The defendant carried out the above processing without obtaining the consent of the data subjects, as it unfoundedly claims. This is because, despite the fact that all the plaintiffs have made use of some of that data in previous litigation with the defendant, as can be seen from the relevant No ... of the third plaintiff's ....... proposals, they never made an express and specific declaration of consent, in accordance with Articles 6 and 7 of the GDPR in conjunction with the recital in the preamble to Article 32 thereof, to further processing of that data {...} Furthermore, it was proven that the defendant further processed the personal data at issue without serving a specific legitimate purpose in violation of the principle of proportionality and the principle of minimization of personal data, in accordance with Art. 5,6 of the GDPR, because it was not relevant to the purpose of the processing as the actions in which it was incorporated were directed only against the second plaintiff and therefore there was no reason to include the personal data of the third plaintiff, while as regards the first plaintiff, the proof of the falsity of the allegations made by him in a previous affidavit given in the context of other proceedings concerning his (the defendant's) status as a husband, father and businessman is in no way related to the quotation of the percentage of the shareholding and his membership of the board of directors of the company ... ......... P.C.".

b) The legitimate interest of the controller: In Art. 1 f) of the Regulation states "processing is lawful where .... it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data ....". 2 of the same Article 9(2) further justifies the processing of special categories of data as the processing of the latter is permitted when "necessary for the establishment, exercise or maintenance of legal claims or when the courts are acting in their judicial capacity". A similar provision exists in Art. 25 par. 1 c' of Law 4624/2019 according to which the processing of simple personal data is lawful, even for a purpose other than that for which they were collected, if it is necessary for the establishment and exercise of legal claims and the interest of the data subject is not overridden. Whether or not there is therefore a legitimate interest in processing is therefore a matter for the courts to decide. The invocation of a legitimate interest in processing is mainly found in the following cases: 

- legal proceedings for the exercise of a substantive or procedural right: Thus, it was held in Council Decision 1001/2002 that an advocate who produced unfavourable financial evidence, i.e. entries in the debt collection register concerning bounced cheques and bills of exchange, which was absolutely necessary to prove the creditworthiness of the plaintiff and to satisfy a relevant legitimate interest of her client, did not act without right. On the contrary, under AP 1381/2009, the offence was committed by the perpetrator who "in order to refute the charge of fraud against him, collected criminal convictions of the plaintiff through the false representation that these were data necessary for his defence and then communicated them to non-judicial authorities with the purpose of damaging the plaintiff's reputation", the data in question were held, further irrelevant to the subject matter of the trial. 

With regard, in particular, to the processing of data relating to criminal convictions, the unpublished Order of the Prosecutor of the Athens Court of Appeal No. 21 - 288/2021 is of interest. 222/2021 Order of the Prosecutor of the Athens Court of First Instance concerning the filing of criminal offences for the felony, inter alia, of repeated illegal interference with a personal data archiving system concerning criminal convictions with an intended pecuniary benefit of more than 120. 000 (alleged violation of paragraphs 3 and 4 of Article 38 of the subpoena), which found that the defendant had a legitimate interest (satisfaction of a commercial claim) in the processing in question and therefore did not prosecute him. A crucial extract from the order reads as follows "In the above-mentioned applications for legal interest, the applicant .... has set out the legal relationship between him and the applicants and the claim he has under the agreement no. .... Order for Payment and on the basis of which he established his legal interest in obtaining the above-mentioned copies of the criminal files in order to make use of them in a legal claim. The judge who examined his applications found that there was indeed a legitimate interest and granted the applications. The defendant did not in fact bring an action for a declaration that the transfer of immovable property was invalid, as he had stated in his above-mentioned applications, since, once his claim had been satisfied, there was no need to bring an action. He made use of the copies obtained by him following his aforesaid applications in the applications for injunctive relief, in the petition and in the motions referred to by the respondents. However, those applications, the statement of objections and the proposals were based on the same fact of life and the same legal relationship which he had invoked in his applications to obtain the copies, and the purpose of their exercise was to satisfy the claim of the plaintiff. Therefore, on the record that has been exposed in the plaintiff's applications, it has been held that a case of legitimate interest exists and .... has made use of the copies lawfully obtained for the judicial assertion of his claim which has, already, been exposed and adjudicated and not for an unrelated purpose."

- In the media field in the service of the public's right to free expression and information: In a. 28 par. 1c' of Law 4624/2019 provides that the processing of personal data is permitted when the right to expression and the public's right to information prevails, in particular on matters of general interest or when the data relate to public persons (thus, with Law no. 1567/2010 AP it was held that it is not permissible to publish personal - erotic moments of the public person concerned as they were not necessary for the satisfaction of the public's right to information, while, on the other hand, in Council Decision 1001/2002 it was held that "the need to protect citizens from insolvent traders allows the processing and disclosure of data of unfavourable economic behaviour as a public social life and action of the person".

c) The disclosure of the data by the data subject himself/herself: From a.  9 par. 2 e' of the Regulation and Art. Article 9(9)(a) of Regulation (EC) No 9.2 of the Act and Article 28(2)(a) of the Regulation. 1 b) of the Act, it follows that data processing is permissible (both for simple and for sensitive data of special categories) when the data subject himself has manifestly made the data public, in particular for reasons of academic, literary and artistic expression. When we have a manifest disclosure is usually easily identifiable (e.g. the person in a journalistic interview discloses his or her health problems). The problem arises, in particular, for publications via modern social media (facebook, instagram, twitter and so on). In these cases, the jurisprudence of our courts (see Trial Plenary Court of Aigio 791/2012) requires that the specific arrangements made by the user be checked, i.e. whether he himself made the publication public or whether he limited it only to his online friends (in the second case, it is obvious that we cannot speak of an obvious publication).

v. In particular, revengeful disclosure of data ("revenge" disclosure):

A particular case of unlawful processing of personal data is that of "revenge", as it is called, publication of data, in particular photographs and videos depicting, without consent, the offended person in intimate moments of sexual intercourse, usually with the offender himself. This is an act which, in most cases, is not intended to benefit the latter financially but to 'avenge' the victim and bring him or her into social disrepute, following internal personal disagreements and conflicts between the perpetrator and the victim. It is precisely in these cases that the legislator, bearing in mind these circumstances, has made an 'innovation' in relation to other offences for which a monetary threshold is provided for in order to be classified as felonies (e.g. fraud, unfaithfulness, embezzlement, etc.). In other words, it provides (see paragraph 4, Article 38 above) that in order to determine whether the offence is a misdemeanour or a felony, not only the intended pecuniary damage/benefit is taken into account, but, in general, the moral damage to the victim, i.e. the damage to the victim, which is not determined by economic criteria and which consists of the mental pain and upset experienced by the victim as a result of the publication. Thus, in the case of CP 686/2021, the accused was found guilty of the felony of repeatedly transmitting to non-entitled persons audiovisual material (video) depicting the defendant in an erotic intercourse with him (without distinguishing his own body and facial features), stating that "The creation of the audiovisual material of the erotic intercourse, by filming them via a digital mobile phone camera, constitutes a 'record' (in the terms of the law in question: archiving system) and no grouping or classification of it is required in order to determine the illegality of the interference .... The aforementioned tapes constitute a file of personal data ... which the defendant edited by editing them so that the scenes showing his face were cut out and only the face and naked body of .... and only parts of his own body were shown, so that it was not possible to identify and "expose" himself by posting them. He transmitted and disclosed the aforementioned films, without the consent of the victim, through the aforementioned websites to third parties not entitled to them, with the intention of brutally insulting her personality, as in the aforementioned ways he presented the victim as a person of low morals, thus brutally damaging her social status".

vi. Instead of an epilogue: 

From what has been stated, it is easy to understand that the legislator, by criminalizing the offence in question (even to the degree of a felony), is, in essence, trying to protect the person from the extremely easy, due to modern technological possibilities, processing of his/her data, by specifying in a limited way the cases of lawful processing, a regulation which is positively assessed in view of the aforementioned importance of the right of informational self-determination of the person. The existence or otherwise of the latter (in particular: legitimate interest and the satisfaction of a right to public information) is, in most cases, a substantive issue that requires a judicial decision. Furthermore, given the complexity of the law, a careful approach to each individual case under consideration is required, as it is very likely that in non-obvious cases where there is, for example, intent to harm, illegal economic exploitation or a manifest lack of consent to processing, the status of defendant will be attributed to persons struggling to assert their claims. However, through appropriate legal support, the extreme limits of the lawfulness of the processing in question can be drawn for both the data subject and the controller.

Read more
back to top