3379
GOVERNMENT GAZETTE
OF THE HELLENIC REPUBLIC
29 AUGUST 2019
SERIES A
ISSUE NO 137
LAW NO. 4624
Hellenic Data Protection Authority (HDPA),
measures for implementing Regulation (EU)
2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal
data, and transposition of Directive (EU) 2016/680
of the European Parliament and of the Council of
27 April 2016, and other provisions.
THE PRESIDENT
OF THE HELLENIC REPUBLIC
Hereby adopts the following Law which has been passed
by the Parliament:
CHAPTER A
GENERAL PROVISIONS
Article 1
Purpose
The purpose of this Law is:
a) to replace the legislative framework governing
the establishment and operation of the Data Protection
Authority,
b) to adopt measures for implementing Regulation (EU)
2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation, hereinafter: GDPR),
c) to transpose Directive (EU) 2016/680 of the European
Parliament and of the Council of 27 April 2016 on the
protection of individuals with regard to the processing of
personal data by competent authorities for the purposes
of the prevention, investigation, detection or prosecution
of criminal offences, or the execution of criminal penalties,
and the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA.
Article 2
Material scope
The provisions of this Law shall apply to the processing
of personal data wholly or partly by automated means and
to the processing other than by automated means of such
data, which form part of a filing system or are intended to
form part of a filing system carried out by:
(a) public bodies or
(b) private bodies, unless the processing is carried out
by a natural person in the course of a purely personal or
household activity.
Article 3
Territorial scope
The provisions of this Law shall apply to public bodies.
They shall also apply to private bodies, provided that:
(a) the controller or processor processes personal data
in the Greek territory,
(b) personal data are processed in the context of the
activities of an establishment of the controller or processor
within the Greek territory, or if
(c) although the controller or processor has no
establishment in a Member State of the European Union or
another contracting state of the European Economic Area,
it falls within the scope of the GDPR.
Article 4
Definitions
For the purposes of this Law:
(a) ‘public body’ means public authorities, independent
and regulatory administrative authorities, legal persons
governed by public law, first and second-level local
government authorities with their legal persons and their
legal entities, state-owned or public undertakings and
agencies, legal persons governed by private law which
are state-owned or regularly receive at least 50% of their
annual budget in the form of state subsidies, or their
administration is designated by the state,
(b) ‘private body’ means any natural or legal person or
group of persons without legal personality which does not
fall within the definition of a ‘public body’,
(c) ‘competent supervisory authority’ means the Hellenic
Data Protection Authority (hereinafter: the Authority).
Article 5
Legal basis for the processing of personal data by
public bodies
Public bodies may process personal data where
processing is necessary for the performance of a task
carried out in the public interest or in the exercise of official
authority conferred on the controller.