HomeAnalyticsAlertsData Protection Enforcement in Greece: Recent Regulatory Actions

Data Protection Enforcement in Greece: Recent Regulatory Actions

Greece's data protection authority has significantly raised its enforcement tempo. International businesses that process the personal data of Greek residents. whether from offices in Athens or from abroad – are now facing a regulatory climate that can no longer be treated as a low-priority concern.

The Hellenic Data Protection Authority (HDPA), Greece's national supervisory authority under EU data protection legislation, has issued a wave of enforcement decisions targeting failures in consent mechanism design. Cross-border data transfer documentation. Additionally, accountability obligations for both the data controller and data processor. These actions carry financial penalties that can reach into the millions of euros. Businesses operating in or directing services toward Greece should treat GDPR compliance as an immediate operational priority, not a future project.

This alert explains which business categories are in scope, what the HDPA is targeting, and the five actions international companies must take now to reduce exposure.

What the HDPA is targeting and why it matters now

The HDPA has concentrated its recent enforcement activity on three failure patterns. Each one carries a distinct enforcement risk for international operators.

Consent mechanism failures. The HDPA has found that cookie banners and marketing opt-in flows at many organisations do not meet the standard required under data protection legislation. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and accept-or-leave designs are being challenged directly. Businesses that have not updated their consent mechanism since 2018 are particularly exposed.

Cross-border data transfer gaps. Where a Greek-established entity or a foreign entity targeting Greek users transfers personal data to non-EU countries, the HDPA requires documented transfer mechanisms. Standard contractual clauses must be current, and transfer impact assessments must exist on file. The HDPA has penalised organisations that rely on outdated or generic transfer documentation without a genuine assessment of the destination country's legal regime.

Controller and processor accountability failures. The HDPA has scrutinised whether data controller entities maintain up-to-date records of processing activities and whether data processor agreements with vendors satisfy the requirements under data protection legislation. Gaps in vendor contracts – particularly with cloud providers and analytics platforms – have led to enforcement action.

For international companies, the critical point is jurisdictional reach. The HDPA can investigate and penalise any organisation that targets goods or services at Greek residents or monitors their behaviour, regardless of where the company is incorporated or where its servers are located. A company based in the United States, the United Kingdom, or Singapore with a Greek-facing website is fully within scope.

The enforcement pattern also signals a directional shift. The HDPA is no longer issuing warnings as a first step. Organisations that receive a formal inquiry should treat it as the beginning of a sanction process, not a preliminary dialogue. Engaging a lawyer in Greece with cross-border data protection experience at the earliest stage is strongly advisable.

For a full picture of GDPR compliance obligations in Greece, see our dedicated service page on data protection law in Greece.

To receive an expert assessment of your organisation's data protection exposure in Greece, contact us at info@ferrazwhitmore.com.

Which businesses are affected and by when

The HDPA's current enforcement focus is not limited to large corporations. The following categories face direct and immediate risk.

  • E-commerce and digital platforms serving Greek consumers, regardless of the company's country of incorporation.
  • Financial services firms, insurance providers, and fintech companies processing Greek residents' personal data.
  • Healthcare and wellness platforms handling special-category data of Greek users.
  • Employers with staff based in Greece, including remote-work arrangements where employee data is processed outside the country.
  • Marketing agencies and adtech businesses operating behavioural targeting or profiling in the Greek market.

Threshold criteria for the HDPA's jurisdiction are straightforward: if your organisation offers goods or services to individuals in Greece. Alternatively. Monitors the behaviour of individuals in Greece, you are a data controller within scope of Greek data protection enforcement. There is no minimum turnover threshold and no minimum number of data subjects required to trigger obligations.

Organisations that have not yet appointed a Data Protection Officer (DPO) where one is required under data protection legislation. notably those carrying out large-scale processing of special-category data or systematic monitoring – are at immediate risk. The HDPA has treated the absence of a DPO as an aggravating factor in recent penalty decisions.

Companies operating across multiple EU jurisdictions should also note that a Greek enforcement action can trigger scrutiny from other EU supervisory authorities under the one-stop-shop mechanism. A finding of non-compliance in Greece is not contained to Greece alone.

International businesses working at the intersection of data protection and emerging technology should also review our alert on AI and technology regulation in Greece, where data processing obligations intersect with AI-specific requirements.

Five immediate actions for international companies

The following actions address the specific failure patterns the HDPA has targeted. They are listed in order of urgency.

1. Audit your consent mechanism. Review every point at which you collect consent from Greek users. This includes cookie banners, marketing subscription forms, and any profiling opt-ins. Verify that consent is granular, revocable without penalty, and recorded with a timestamp. If your banner pre-selects any category, it must be corrected immediately.

2. Review and update cross-border data transfer documentation. Identify every transfer of personal data from Greece – or relating to Greek residents – to countries outside the European Economic Area. Confirm that current standard contractual clauses are in place. Conduct and document a transfer impact assessment for each destination country. Generic assessments are insufficient.

3. Verify your data processor agreements. Obtain and review every contract with third-party vendors who process personal data on your behalf. Agreements must contain the mandatory clauses required under data protection legislation. Cloud providers, analytics tools, CRM platforms, and HR software vendors are frequently overlooked. If agreements are outdated, issue updated contracts now.

4. Update your records of processing activities. Every data controller subject to Greek data protection enforcement must maintain a current, written record of all processing operations. This record must include the purpose of processing, categories of data subjects and data, retention periods, and transfer details. The HDPA reviews this document as a primary compliance indicator during investigations.

5. Confirm DPO appointment status. If your organisation meets the threshold for a mandatory DPO under data protection legislation. Verify that the appointment is current, that the DPO is properly resourced. Additionally, that the DPO's contact details are registered with the HDPA. A DPO who exists only on paper – without genuine independence or access to decision-makers – will not satisfy the HDPA.

Companies that have received an HDPA inquiry, or that have identified gaps through an internal review, should obtain legal advice before responding. Submissions to the HDPA made without counsel frequently narrow the organisation's subsequent options and can convert a correctable gap into a confirmed violation.

For a parallel view of enforcement trends in another EU jurisdiction, our alert on data protection enforcement in Portugal sets out comparable patterns and lessons from the Portuguese DPA.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice supports international organisations in managing GDPR compliance obligations, responding to supervisory authority inquiries, and designing defensible consent mechanism and data transfer structures across EU and non-EU markets. As a law firm in Greece and across Europe, we combine Portuguese civil law expertise with English common law tradition to deliver cross-border solutions for organisations facing multi-jurisdictional data protection risk. Our attorneys have experience before EU supervisory authorities including the HDPA and have advised on data controller and data processor compliance programmes spanning more than 20 countries. The firm's Lisbon base provides direct access to EU regulatory frameworks, while our common law expertise supports enforcement defence in English-speaking jurisdictions. To discuss your organisation's exposure under Greek data protection legislation, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.