Greece: TMT

There is no specific regulatory regime for technology in Greece per se. The existing framework of several areas falling within the scope of the term (Internet of Things, AI and machine learning, IT service agreements, e-commerce and blockchain technology) is explained below, while the regulatory framework of the topics of telecommunications and data protection is referenced under the relevant questions that follow.

Internet of Things Projects

IoT Devices

With regard to the sale of IoT devices, in the absence of a tailor-made regime, the traditional national set of rules on the seller’s liability, guarantees and other relevant issues is applicable, while end-users as consumers are protected under the consumer protection legislation. Also, of relevance are the legal provisions concerning the import and distribution of products (covering, for instance, the interference of a commercial agent or the conclusion of an exclusive distribution contract).

The main objective pursued under the IoT technology is to offer end-users enhanced control over differentiated devices by means of a connectivity network. As a result, the providers of connectivity services (primarily, wireless networks) must comply with numerous rules provided by the EU and national law. In particular, electronic communications, networks and devices are covered by the European Electronic Communications Code (EECC) (implemented in Greece by Law 4727/2020), the roam-like-at-home rules established in 2017 under the respective regulation; and the 2002 e-Privacy Directive which was implemented in Greece by Law 3471/2006 and which introduced new rules for privacy in the digital age.

Data Privacy and Cybersecurity

Concerning the issue of data privacy, the principle of data protection by design and by default constitutes a crucial aspect. Moreover, the techniques promoted by the GDPR relevant to data anonymisation, pseudonymisation and encryption are thought to encourage the use of IoT in conjunction with the use of other, complementary tools such as data protection certifications and data protection impact assessments.

The greatest challenge the IoT faces is its full compliance and compatibility with security, liability, privacy and data protection law, the objective of which lies in the enhancement of transparency, in the verification (and liability) of the data controller, in the restriction of indiscriminate collection, processing and overall use of personal data, in the rights afforded to data subjects, as well as in the periodical inspection of all the relevant procedures.

With respect to cybersecurity, the Ministerial Decision harmonising the Greek regulatory framework with Directive 2016/1148/EU (NIS Directive) was issued in October 2019, in execution of Law 4577/2018 (implementing the NIS Directive into national law). According to these instruments, new system security measures are required from industries operating in e-commerce and information society services, providing also for a number of sanctions in case of non-compliance.

Product Liability

The provision of data through an IoT system is considered a service, according to the European Commission. Therefore, the standard rules governing product safety and liability in cases of infringement are not applicable, while the rules governing the information service providers liability may be applicable, especially as regards electronic communications, protection of personal data and the confidentiality of information (also covering copyright infringement cases), as well as the traditional contract regime.

Artificial Intelligence (AI) and Machine Learning (ML)

Data protection

Since AI systems analyse vast amounts of data in order to function and improve their performance, whenever personal data forms part of the large pools of data used in an AI system’s algorithmic decision-making process, this activity must be in compliance with Law 4624/2019 and the GDPR. Data subjects have the right to object to decision-making based solely on automated processing, including profiling and where such decision-making exists, meaningful information about the logic involved in the process, as well as its significance and its envisaged consequences ought to be provided to them.

Liability

The Greek Civil Code sets out five conditions that need to be fulfilled in order for tortious liability to be attributable to a party: (i) human behaviour, (ii) illegal action, (iii) fault, (iv) damage, (v) and causal link between the behaviour and the damage. It is apparent that where a system operating in the spectrum of autonomy causes damage, a number of these conditions are challenging, if not impossible, to substantiate.

In addition, all AI technologies in Greece ought to meet the essential health and safety requirements laid down in the EU safety legislation, as it has been transposed into Greek law.

The EU product liability regime is complementary to that of product safety. It was introduced by the Product Liability Directive (D 85/374/EEC) and was implemented by amendments of the Greek Consumer Protection Law No 2251/1994. The existing framework regulates all types of products and is also applicable to new digital technologies. The Greek Consumer Protection Law establishes a strict liability regime under which producers of defective products are held liable when such products cause damage to natural persons or their property, while the injured consumers are not required to prove the fault of the producer.

So far, the current legal framework of extra-contractual liability can be applied to damages caused by robots or AI.

Intellectual property

Greek Copyright Law (Law No 2121/1993) is human-centric, as it is traversed by the “principle of truth” according to which only a natural person shall be considered as the author of a work. Therefore, devices cannot be recognised as “authors”, and subsequently any work they produce cannot be qualified as copyright-protected content. Computer-generated and AI works may only be protected if the prerequisite of “human intervention” is fulfilled (i.e. through the selection of the data to be entered into a machine or of the parameters determining the objective of the machine’s activity); inversely, works autonomously and exclusively produced by information technology systems, are not copyrightable. Accordingly, non-humans are excluded from the relevant rationae personae.

IT Service Agreements

Licensing Model

In Greece, IT service agreements are mainly ruled by the provisions set out in the Civil Code and Commercial Code, while as an EU member-state, Greece also adheres to EU legislation.

Recipient of the IT service (B2B –B2C)

A significant factor that an organisation procuring IT solutions in Greece must take into consideration is whether this solution will be ultimately addressed to other businesses (B2B) or to consumers and individuals (B2C). In the first case, contracts between professionals are generally ruled by the parties’ freedom to agree on the content and the extent of their rights and obligations under the agreement (freedom of contract). In the second case, however, apart from the Greek applicable law, a rather elaborate body of consumer laws is in place, primarily driven by EU initiatives and instruments, aiming for the protection of the weaker party, i.e. the consumer, and prohibiting unfair terms, abusive clauses and clauses that have not been negotiated between the parties.

E-commerce

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 (Directive on electronic commerce) relates to certain legal aspects of information society services, in particular the conduct of electronic commerce in the Internal Market. The Directive regulates an important part of the services provided online. The purpose of the Directive is to remove obstacles to cross-border online services in the EU and to provide legal certainty to business and consumers. The Directive sets out basic requirements on mandatory consumer information, determines certain steps to follow when establishing contracts online, as well as certain rules on commercial communications. Presidential Decree 131/2003 constitutes the –almost verbatim- adaptation of the above Directive into Greek legislation.

Some of the issues regulated in the Presidential Decree, are, among others, the following: the prohibition of any restriction on the free circulation of the services within the European market, due to national regulations, the obligation of information society service providers to provide their recipients and competent authorities with easy, direct and continuous access to basic information concerning their activities (name, geographical address, e-mail address, registration number register, etc.), the freedom of assumption and exercise of activity, the responsibility of service intermediaries, the extrajudicial settlement of disputes in cases of disagreement between a provider and a recipient of an information society service and the sanctions in case of violation of provisions of the Presidential Decree.

In addition to the above, Law 4933/2022 which adapted the Greek legislation to (EU) 2019/2161 amending Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and of the Council as regards the better enforcement and modernisation of Union consumer protection rules, contains information requirements which are added to the relevant requirements provided in Presidential Decree 131/2003.

Telecommunications and Media sectors

The telecommunications and media sectors have developed quite separately in Greece.

The key law for liberalisation of communications was enacted in 2000. The revised Electronic Communications Framework was transposed into national legislation through Law 4070/2012. The new European Electronic Communications Code (Directive 2018/1972) was transposed into national legislation in September 2020 through Law 4727/2020.

Regardless of the specific technologies used to provide a network or a service, the applicability of the electronic communication regulatory framework depends on whether it falls within the scope of electronic communication networks (ECNs) and/or electronic communication services (ECSs). ECNs encompass all transmission systems, whether or not based on a permanent infrastructure or a centralised administration capacity, and, where applicable, switching or routing equipment and other resources, including network elements which are not active, used to convey signals, operated for public or private use, including wireless networks (eg mobile, Wi-Fi), cable (eg IP broadband networks) and electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed by them. ECSs encompass all services normally provided for remuneration via electronic communications networks, which encompass, with the exception of services providing or exercising editorial control over content transmitted using electronic communications networks and services, the following types of services: (a) ‘internet access services’ as defined in point (2) of the second paragraph of Article 2 of Regulation (EU) 2015/2120; (b) interpersonal communications services; and (c) services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

In the media sector, the liberalisation of the market in Greece and the transition from the state-controlled radio and television to the regime of radio and television operated by privately owned companies has been the result of a de facto development in the market that occurred before the appropriate legal framework. An immediate effect of this is that the market developed in a totally unregulated way. Free-to-air peripheral television stations and free-to-air peripheral and national radio stations operate legally under certain temporary provisions. Ιn 2018 the National Radio and Television Council (ESR) awarded five of seven available free-to-air national terrestrial digital television licenses, while in 2019 it awarded one more.

Law 3592/2007 provides that controlling more than one licence holder in the television or radio sector is prohibited. Participation in more than one licence holder in television or radio is allowed to the extent that one does not exercise control i.e. can substantially influence the decision-making process or has the power to appoint at least one member of the board of directors or an administrator in another operator. Foreign investors have the opportunity to participate in broadcasting activities in Greece, subject to the generally applicable restrictions. The concentration of media is prohibited, which occurs if an undertaking acquires a dominant position that is defined in Law 3592/2007, which provides also for complementary application of Competition Law 3959/2011. The Competition Commission is the competent authority to consider competition law issues in the media sector, including issues of concentration. Market share is calculated on the basis of income from advertising and exploitation of programmes or provision of other similar services during the previous year.

Nevertheless, Law 4339/2015 sets the following restrictions on shareholders holding more than 1% board members and legal representatives of entities that participate in tenders for digital terrestrial TV content providers: (i) no convictions by irrevocable court decision for specific crimes; (ii) no participation in any manner in companies conducting research in the radio or TV market and in advertising companies, as well as in companies conducting telemarketing. The law also refers to the general prohibition from participating in companies that execute public contracts and require licence applicants to submit evidence proving how the applicant acquired the financial means used or intended to be used for the operation of the content provider.

Finally, except for online gambling, e-commerce and the data protection legislation, there is no other internet-specific legislation. General provisions of law are applicable, along with certain guidelines or ad hoc decisions of the Hellenic Data Protection Authority (HDPA) that are used as guidelines for the interpretation of such general provisions on specific electronic communications services.

The general EU framework provisions on radio and television content applies to Greece, meaning that the programme must adhere to the general principles of the Constitution and there are further obligations concerning minors, rating of the programmes, advertising, pluralism and non-discrimination, etc. The EU’s current Audiovisual Media Services Directive 2010/13/EU (AMS Directive), as transposed in Greece by Presidential Decree 109/2010 governs EU-wide coordination of national legislation on all audiovisual media, both traditional TV broadcasts and on-demand services. This framework was amended by Directive (EU) 2018/1808 of the European Parliament and of the Council of 14 November 2018 (Audiovisual Media Services Directive (AVMSD) in view of changing market realities which in turn was transposed into the Greek legal framework through Law 4779/2021. Law 4779/2021 introduces the following significant changes to the current framework, in accordance with the AVMSD:

• the Country of Origin Principle (which states that providers only need to abide by the rules of one member state rather than those of multiple countries) is strengthened, with more clarity on which member state’s rules apply, derogation procedures for both TV broadcasters and on-demand service providers as well as possibilities for derogations in the event of public security concerns and serious risks to public health;
• for the first time, a number of audiovisual rules extend to video sharing platforms e.g. services such as YouTube as well as audiovisual content shared on social media services, such as Facebook;
• there is better protection of minors against harmful content in the online world: the new rules enhance protection of video-on-demand services and also extend the obligation to protect minors on video-sharing platforms, which need now to put in place appropriate measures;
• new provisions to protect children from inappropriate audiovisual commercial communications for foods and beverages not suitable for minors, including by encouraging codes of conduct and appropriate provisions in General Terms of Service where necessary. Video-sharing platforms also have to respect certain obligations for the commercial communications they are responsible for and be transparent about commercial communications that are declared by the users when uploading content that contains such commercial communications;
• reinforced protection on TV and video-on-demand against incitement to violence or hatred;
• video-sharing platforms are also required to take appropriate measures to protect people from incitement to violence or hatred and content constituting criminal offences under national or EU law;
• the independence of audio-visual regulators is reinforced in EU law by ensuring that they are legally distinct from their government and functionally independent from the government and any other public or private body; and
• there is increased flexibility in television advertising. Instead of the current 12 minutes per hour, broadcasters can choose more freely when to show ads throughout the day. An overall limit of 20% of broadcasting time is maintained between 6am and 6pm, and the same share allowed during prime time (from 6pm to midnight).
• broadcasters are required to reserve 50% of their transmission time for European works, excluding the time allotted to news, sports events, games, advertising, teletext services and teleshopping. There are also increased obligations to promote European works for on-demand services, which must reserve 30% of their content in their catalogue for European works and ensure the prominence of this content.

Electronic communications networks and services providers in Greece are required to obtain a General Authorisation from the Hellenic Telecommunications and Post Commission (EETT). The regime governing the provision of electronic communications is Law 4727/2020 and Law 4070/2012. Secondary regulation is issued by EETT. The laws define the responsibilities of the competent Ministries (currently the Ministry of Digital Governance), which are mainly related to defining the national strategy in the sector and the responsibilities of the EETT, which is the key entity responsible for the design, implementation and enforcement of electronic communications regulation. EETT has the power to issue regulatory decisions defining regulatory obligations for authorised operators, to grant authorisation to operators, to provide Rights of Use of numbers and spectrum, to control the market and to monitor compliance of authorised operators, enforce relevant obligations, impose sanctions and issue decisions on dispute resolution between authorised operators.

With EETT’s Decision no.934/03/27.04.2020, the previously regulated retail leased lines market with capacity up to 2 Mbps was deregulated, while with its Decision no. 968/01/16-11-2020 the EETT decided the deregulation of the fixed origination market.

The incumbent Greek legacy operator, OTE, has been designated a significant market power (SMP) operator in the following wholesale markets: call termination to individual fixed networks, fixed local access, fixed central access, terminating segments of leased lines and trunk segments of leased lines.

All fixed network operators have been designated as having SMP in the markets for termination to individual fixed networks and all (three) mobile network operators have been designated as having SMP in the markets for termination to individual mobile networks.

The ex-ante regulatory obligations for transparency, price controls, cost accounting separation, access to and use of specific network facilities and non-discrimination have been imposed on SMP operators in the above markets (with a few exceptions in specific markets).

According to EETT Decision No. 968/1/2020 on the analysis of termination market to individual fixed networks, the European Commission’s delegated act setting single maximum EU-wide voice termination rates, is implemented for fixed termination rates. In June 2017, EETT issued a Decision on 4th Round of Analysis of wholesale market definition for termination of calls to Individual Mobile Networks, designation of operators with Significant Power and Regulatory Obligations thereof. Moreover, in December 2019, the updated Bottom up pure LRIC Techno-Economic Model for the aforementioned markets, as implemented by EETT Decision 815/002/ 22.06.2017, was adopted. With Decision 920/14/23-12-2019, EETT defined a symmetric MTR at the level of 0.622 eurocents/minute, appropriate to be maintained until 1/7/2021 when the maximum union-wide mobile voice termination rate defined by EC entered into force.

Additional issues regarding telecoms regulation (fixed infrastructure)

In practice there are no cable networks in Greece.

Access to the local loop or LLU is regulated. OTE is designated as an SMP operator and specific obligations are imposed upon OTE, namely access to the local loops and associated facilities (e.g. collocation), transparency, non-discrimination, price control, cost accounting obligation and accounting separation.

The market analysis of the local access market, which designated OTE as an SMP operator, imposed an obligation to provide access for the deployment of NGA Networks based on VDSL Vectoring infrastructure and services by other operators (or based on other NGA technology) through a process managed by the EETT for the assignment of local sites to operators.

In this context, prices for LLU access and ancillary facilities such as co-location are regulated on the basis of cost-orientation. Wholesale broadband access is also regulated, including price and cost regulation. Wholesale price is cost oriented and defined by EETT through a bottom up LRIC+ model. For that purpose, ion 2020 EETT developed a Bottom up LRIC+ model and defined new wholesale cost-oriented prices.

On July 7th 2022, EETT published the Public Consultation on 5th round of analysis of fixed local access and fixed central access markets. In its analysis, EETT concludes that both markets require regulation and that the regulatory measures imposed on the SMP operator in the course of the previous round of analysis of those markets, in 2016, shall remain in place. In addition, EETT proposes a process for the smooth, effective and fast transition from traditional copper infrastructure to new ultra high capacity networks (copper switch-off), based on subscribers’ interconnection with optical fiber (FTTH). Finally, EETT proposes the reduction of regulatory obligations imposed on FTTH networks, until the market penetration of fiber optic services up to the final subscriber reaches a satisfactory percentage of broadband connections. The public consultation will last until September 9th, 2022 and the final Decision is expected at the end of the year.

On the third round of market analysis in 2020, OTE was found to hold an SMP in the market for i) terminating segments of leased lines and ii) trunk joint segments of leased lines, which has also led to cost regulation. Wholesale price is cost oriented and defined by EETT through a bottom up LRIC+ model. Until the development of the bottom-up model in 2020, EETT defined a temporary wholesale price using retail minus methodology.

In December 2021, with Decision no.1016/06/22.11.2021, EETT defined the temporary wholesale price for Ethernet circuits above 1 Mbps, determining the prices of wholesale urban and interurban Ethernet circuits with a capacity of over 1 Gbps, which will be applicable until EETT implements bottom-up LRIC+ models for the determination of the prices of wholesale Leased Lines, as well as the methodology for their calculation

Additional issues regarding telecoms regulation (mobile)

With the exception of free spectrum bands, an individual right to use frequencies is required for all wireless services and is granted by the competent authorities upon a relevant request. Only if the spectrum available is not enough to cater for existing demand from existing or new competitors will a limitation on the number of individual licenses be affected. This will be the result of a public consultation that the EETT must prepare following a ministerial decision to that effect. If, as a result of that consultation, the number of individual rights has to be limited, the EETT must decide how this limited number of individual rights will be granted. Any kind of tender can be held in accordance with the principles of transparency, etc., that are set by Greek law in accordance with EU directives.

The aforementioned rules are also applicable in the assignment of unused radio spectrum. No change of permitted use is allowed.

The law allows for spectrum trading under specific conditions. To transfer, lease or make any change in the control of the rights holder, an application must be filed to the EETT, which assesses the relevant application and decides based on specific criteria defined by law.

A relatively recent development is the new antenna construction licensing legal framework established by Law 4635/2019, according to which EETT’s issuance of antenna construction license is carried out through the Antenna Electronic Application System (SILYA), as in the previous legislative framework, but without requirement for planning permission to be granted, a development which helps simplify the process of modifying antenna constructions.\

A general obligation to provide access to MVNO operators is imposed on mobile network operators (MNOs) through a relevant provision included in the rights of use of frequencies. However, this obligation does not specify the pricing or non-pricing terms of access provision. In Q4 of 2018, the EETT issued a decision, following a dispute resolution petition by fixed operator Forthnet requesting MVNO access by mobile operators Vodafone and Cosmote, ruling on both the obligation but also the pricing terms thereof.

The provisions of the EU Roaming Regulation have been fully implemented as of 15 June 2017.

On the 16th of December 2020, the 5G auction for granting spectrum licenses for the 700 MHz, 2 GHz, 3400-3800 MHz and 26 GHz bands was completed after six binding rounds, as EETT mentioned in its Press Release. All available spectrum in the 700 GHz, 2 GHz, 3400-3800 MHz and 26 GHz frequency bands were awarded.

In May 2022, EETT awarded spectrum in the 410-430 MHz frequency bands.

Additional issues regarding internet services (including voice over the internet)

With the exception of radio and TV legislation, online gambling legislation, Presidential Decree 131/2003 and the data protection legislation, which includes specific provisions on internet services, there is no specific national regulation on internet services, however, in Law 4727/2020 the definition of “electronic communications service” was expanded to cover any interpersonal communications services provided over the internet, including VoIP services, messaging apps and email services that do not use telephone numbers. According to the same law, number-based interpersonal communications services (interpersonal communications service which connects with publicly assigned numbering resources, namely, a number or numbers in national or international numbering plans, or which enables communication with a number or numbers in national or international numbering plans) are subject to a general authorization. The general provisions of law and relevant EU framework, recommendations, opinions and self-regulation instruments also affect the provision of internet services.

There are no specific limits on an internet service provider’s freedom to control or prioritise the type or source of data that it delivers. The EU legislation on Open Internet Access, namely Regulation 2015/2120 is fully implemented. The Regulation prohibits operators from blocking, slowing down or prioritising traffic. Traffic management measures are authorised if they are reasonable, meaning that the measures shall be transparent, non-discriminatory and proportionate and based on objectively technical differences of traffic (Article 3(3)). Such measures cannot monitor specific content and cannot be maintained longer than necessary. EETT has issued Decision 876/7Β/2018 on National Open Regulation Issues – implementing and further specifying Regulation (EU) 2015/2120.

Additional issues regarding access and/or securing or enforcing rights to public and private land to install telecommunications infrastructure

Law 4463/2017 implemented cost reduction Directive 2014/61/EU. Until the operation of the Information System, which will support the one-stop procedure for the granting of the rights of way, the procedure of article 11 of Annex X of Law 4070/2012, as amended by Law 4463/2017, applies.

In December 2018, EETT issued Decision no. 874/2/3-12-2028 for the determination of fees for rights of way and rights of use of rights of ways.

Additionally, in August 2019, EETT issued its new Regulation on Collocation and common use of facilities. Pursuant to art. 152 of Law 4727/2020 a new Regulation on Collocation and common use of facilities is expected to be issued.

Any natural or legal person can apply to acquire a General Authorisation to provide electronic communications services or networks, which is processed at once. To obtain a general authorisation, the requesting entity needs to submit a Registration Declaration to the EETT, using the standard form provided by the EETT, along with the relevant supporting documents. This Registration Declaration must be submitted solely through the Online Application System for Electronic Communications Services Providers. The applicant may perform the specific electronic communications activity described in the Registration Declaration, immediately upon filing a complete Registration Declaration. For the Declaration to be deemed complete, relevant administrative fees must be paid. The requesting operator is included in the Registry of Authorised Operators and may obtain a relevant certificate by the EETT upon request within seven days of receipt of such request.

Any natural or legal person can apply for rights of use, which will be processed within three weeks from the application for a right of use of numbers or six weeks for numbers with significant economic importance; applications for rights of use of frequencies will be processed within six weeks if there is no limitation of the number thereof or up to nine and a half months from the application if such a limitation is imposed.

With the exception of free spectrum bands, for all wireless services an individual right to use frequencies is required and is granted by the competent authorities upon a relevant request. Only if the spectrum available is not enough to cater for existing demand from existing or new competitors will a limitation on the number of individual licences be effected. This will be the result of a public consultation that the EETT must prepare following a ministerial decision to that effect. If, as a result of that consultation, the number of individual rights has to be limited, the EETT must decide how this limited number of individual rights will be granted. Any kind of tender can be held in accordance with the principles of transparency, etc., that are set by Greek law in accordance with EU directives. In practice, in cases of limited number of rights of use of frequencies, the EETT usually awards them through auctions.

As far as licences for antennas and base stations are concerned, the relevant framework was reviewed in 2019 with Law No. 4635/2019 (articles 20 to 38) and new EETT Regulation No. 919/26/2019 on the licencing of antennas and base stations. According to Law No. 4635/2019, the EETT’s issuance of antenna construction licences is carried out through the Antenna Electronic Application System (SILYA), as per the previous legislative framework, but without any requirement for planning permission to be granted. The planning approval is issued following the EETT’s antenna construction permit, through the e-Licensing electronic system already used for buildings and intended to automatically interoperate with the SILYA at the request of an authorised engineer and followed by a building inspection. The new law greatly simplifies the process of modifying antenna constructions, while a recent joint ministerial decision also exempts low electromagnetic environmental nuisance antenna facilities from the licensing process, resulting in a significant number of antennas, mainly within urban centres, now requiring a simple registration procedure, also implemented through the SILYA. The duration of general authorisations is indefinite. The duration of rights of use of frequencies is defined in the relevant EETT Decisions, awarding the rights of use.

Fees imposed on operators with a general authorisation are paid on an annual basis and correspond to the costs of management, monitoring and compliance with the General Authorisation Regime and to the rights to use radio frequencies or numbers it derives from a formula included in the EETT Decision on General Authorisations. The main factors taken into account for the calculation of the fees are the total turnover from electronic communications networks or services minus the call termination wholesale cost paid to other operators. The fees are equal to a percentage that varies depending on the net revenues, calculated as described above.

According to EETT General Authorisation Regulation No 991/4/31-5-2021, should the natural or legal person registered in the Electronic Communications Networks and Services Providers Registry fail to submit a fee statement for over two financial years, the EETT shall, without further notice, consider deregistration. If the person fails to comply by 30 September, the EETT shall, following that date, proceed without notice to its deletion from the Registry. In this case, the EETT shall also revoke the rights to use numbers and (or) radio frequencies that have been assigned to this natural or legal person, as well as enforce the provisions of the Code for the Collection of Public Revenue to collect the relevant annual administrative fees and any other outstanding amounts payable by the person to the EETT. To re-register in the Electronic Communications Networks and Services Providers Registry, the person concerned must settle any outstanding financial issues with the EETT.

Fees for use of numbers are defined for each series of numbers in a decision of the EETT on allocation of numbering resources.

Fees for rights of use of spectrum are imposed by decision of the EETT and are usually paid on an annual basis, except for rights of use of frequencies that are granted through competitive procedures, such as auctions, in which case the EETT only defines the minimum bid, and the final fees result from the auction procedure.

All telecom operators are obliged to have registered themselves under the general authorisation regime and be granted individual rights to use frequencies or numbers and the appropriate licences for every antenna they use. Apart from that there is no other substantial difference in relation to the regulation of fixed, mobile and satellite services.

There is no exclusivity granted to any operator in any sector. However, there is a limited number of licences with regard to mobile and fixed wireless access and digital television networks. According to the relevant legislation, the EETT proceeds to a public consultation that leads to a proposal by EETT to the Minister of Digital Governance concerning the way in which licenses will be granted, the cost, the duration of the entitlement, etc.

The competent regulatory authority responsible for defining and implementing any sector-specific regulation in the electronic communications sector is the Hellenic Telecommunications and Post Commission (EETT). EETT is also responsible for the application of competition law in the electronic communications sector. Issues relating to data protection and privacy of communications are regulated by the Hellenic Data Protection Authority (HDPA) and the Independent Authority for Public Revenue (ADAE) respectively, both established by the Greek Constitution. Under Article 9 of Law 4463/2017 on the transposition of the cost reduction Directive 2014/61/EU EETT is also the National Dispute Settling Body for any dispute regarding:

• Access to existing physical infrastructure.
• Transparency of existing physical infrastructure.
• Negotiation of an agreement to coordinate civil work.
• Access to information regarding civil coordination.
• Access to in-building physical infrastructure or to the building access point.
• Refusal of rights of way.

EETT is an authority independent of governmental control, however it is not established as such in the Greek Constitution.

Law 4779/2021, by transposing the amended Audiovisual Media Services Directive (AVMSD Directive 2018/1808/EU) into the Greek legal order, updates the legal framework for audiovisual content, in all its forms of promotion and reproduction – i.e. traditional television, custom-made audio-visual services and also for the first time, both video-sharing platforms (VSPS) and social media services exclusively with regard to their audio-visual content.

The obligations imposed on VSPS under Greek jurisdiction, including social media and platforms where user-generated content is shared, mainly include the protection of minors, the protection of general public from content bearing incitement to violence or hatred directed against group(s) of persons and obligations regarding audiovisual commercial communications that are marketed, sold or arranged by those providers (Article 32, Law 4779/2021). While VSPS which do not fall under Greek jurisdiction, are not caught by the obligations set by the national regime, it is nonetheless recommended by the Law that these services be encouraged to develop codes of conduct with the aim of further protection of consumers, of minors, as well as of public health and of fair competition (Article 6 par. 1, Law 4779/2021). Furthermore, the Law sets obligations to “audiovisual media services” (i.e. services bearing editorial responsibility for their content, such as on-demand platforms like Netflix) applicable also at a country of destination basis and not only at a country of origin basis such as in VSPS. It is provided that the violation of specific aspects of public interest, may result in that National Council for Radio and Television (ESR) imposes a suspension of broadcasting on an infringing audiovisual service provider which targets Greek audience but is subject to a foreign jurisdiction. Secondly, the non-compliance to provisions of general public interest may trigger the intervention of ESR to request the competent authority of the member state having jurisdiction over the provider, for them to in turn call upon the provider to comply with the aforementioned rules of general public interest.

The conduct of platform providers, otherwise of any natural or legal person providing information society services (service providers, as defined under Presidential Decree 131/2003 in Article 1(b)) is primarily regulated under Presidential Decree 131/2003 that has transposed Directive 2000/31/EC (E-Commerce Directive) into the national legal order. Under this legal instrument, the information society services provided by a service provider established in Greece shall comply with the national provisions applicable within the coordinated field without restricting the freedom to provide information society services from another Member State (Article 2 par. 1 and 2 P.D. 131/2003). In addition, Article 3 provides that the pursuit of the activity of an information society service provider is free, meaning that it is not subject to any prior authorisation, or any other requirement having equivalent effect, with the exception of authorization schemes which are not specifically and exclusively targeted at information society services or those related to telecommunication services in accordance with the Law 2867/2000 and the Presidential Decree 157/1999 , as applicable. Moreover, the Decree provides, in accordance with Union law, for a number of tailor – made and specific obligations for service providers as related to the provision of general information – on a de minimis basis- to the recipients of the service and competent authorities (Article 4), of additional information when commercial communications are implicated (Article 5), as well as to their duty to consult on a regular basis and respect the opt-out registers in which natural persons not wishing to receive unsolicited commercial communications by electronic mail can register themselves (Article 6).

As regards the platform liability regime, the Decree exempts intermediaries from liability for the content they transmit or store provided that their services have a neutral, merely technical and passive role towards the hosted content, which implies that the service provider has neither knowledge of nor control over the information which is transmitted or stored. (namely “caching”, “mere conduit” and “hosting” services). To benefit from the liability exemption, the information society service provider,
consisting of the storage of information, upon obtaining actual knowledge or awareness of illegal activities has to act expeditiously to remove or to disable access to the information concerned. In relation to liability for copyright infringement, it should be noted that intermediaries will be subject to the new liability regime as provided under Directive 2019/790/EU (new Copyright Directive), which is due to be transposed into the national legal order.

Furthermore, platform providers are subject to the rules governing the confidentiality of communications (namely Law 2225/1994, Law 3917/2011 regarding data retention, which transposed Directive 2006/24/EC, and relevant ADAE Decisions and Regulations), as well as to the obligations set by the Personal Data protection framework namely Law 4624/2019 which implemented Regulation EU 2016/679 (GDPR), and Law 3471/2006, which transposed Directive 2002/58/EC (E-Privacy Directive). Platform providers also abide by the legislation set for the protection of systems and network security as well as for the protection of consumers. However, if the providers offer services to regulated entities (such as in financial services, or gaming etc.) they may also be subject to monitoring and supervision by the competent supervision authorities of the said industries.

In addition, Article 120 of Law 4727/2020 – which has transposed Directive (EU) 2018/1972 (known as the European Electronic Communications Code) – requires that the provision of electronic communications networks or services, other than number-independent interpersonal communications services, is subject to a General Authorisation. The framework for the provision of a General Authorisation by EETT is set out by EETT Decision 991/4/17-5-2021 (General Authorisation Regulation). It is also noted that Law 4727/2020 has expanded the definition of “electronic communications services” in such a way to include Over-The-Top services (OTT) , as well as services provided in exchange for the provision, not only of money, but also of personal or other data. Under a tax perspective, Article 29 of Law 4646/2019 establishes new obligations for digital platform administrators, amending Article 15 and introducing Article 54D to the Greek Tax Procedure Code (Law 4174/2013). In particular, Article 15 establishes the obligation for any digital platform administrator active on the sharing economy field, to provide information to the Independent Authority for Public Revenue (ADAE), when required to do so by a tax authority, regarding persons using its platform as business users/sellers, for which tax obligations under Greek territory arise. The added Article 54D refers to the sanctions, in case of non-compliance to the above obligation, such as blocking access to the Platform or imposition of a fine up to €100,000.

The Regulation (EU) 2019/1150 “on promoting fairness and transparency for business users of online intermediation services”, which has been implemented by Greece since November 2020 by Law 4753/2020, addresses the imbalance in bargaining power between online platforms and small businesses conducting their business on the platforms. Starting from that date, the terms and conditions of online platforms should: i) be drafted in plain and intelligible language; ii) cannot be changed without an advance notice of at least 15 days; iii) need to exhaustively spell out any reasons that could lead to the delisting of a business user; iv) list the main parameters that determine the ranking of search results (this also applies to search engines like Google); v) include information about any ways in which a platform that sells on its own marketplace might give preferential treatment to its own goods or services; vi) be clear about the data policy of the platform – what data it collects, whether and how it shares the data, and with whom. In addition, the Regulation makes it easier for business users to seek redress in case of problems.

In July 2022 the European Parliament adopted a package of legislation consisting of two pieces, the Digital Services Act (DSA) and the Digital Markets Act (DMA). DSA updates the framework for handling illegal or potentially harmful content online, the liability of online providers for third party content and the protection of users’ fundamental rights online. While the DSA is not intended to replace the e-Commerce Directive and its national implementations, it will amend its provisions referring to the liability of online intermediaries. The Digital Markets Act (the DMA) addresses market imbalances, arising from the gatekeeper role of large online platforms (such as search engines, social networking services, certain messaging services, operating systems and online intermediation services). The DMA aims to set out harmonized rules to combat certain unfair practices by gatekeeper platforms and to provide relevant enforcement mechanisms.

Finally, the Hellenic Competition Commission (ΗCC), taking into account the increasingly important role of e-commerce in Greek consumers’ habits as a reliable channel for the distribution of goods and services, as well as the ability of modern technology tools to facilitate restrictions of competition in the digital environment, initiated a sector inquiry into e-commerce. The sector inquiry primarily focuses on the markets of clothing and footwear, electronic and electric devices, books, mediation services to provide travel tickets, mediation services for the provision of tickets for events, mediation services to provide catering services, accommodation and rental and e-pharmacies. The HCC has completed the Interim Report of the sector inquiry, which was published on 2 August 2021.

In principle, there is no such an extension outside Greek jurisdiction with the exception of specific rules on special regimes; this is the case, for instance, under copyright law where tailor – made provisions are provided with regard to applicable law in various cases (Article 67, Law 2121/1993). In the case where foreign elements are implicated, the rules of private international law are applicable. When it comes to consumer protection and personal data protection, if the services are offered to residents of Greek jurisdiction, then the Greek supervision authorities may catch those service providers outside Greek jurisdiction.

Concerning the amended AVMSD regime, although it is in principle applicable at a country-of-origin basis, there are certain obligations for “audiovisual media services” (i.e.: services bearing editorial responsibility for their content, such as on-demand platforms) which are also applicable at a country of destination basis. It should be noted though, that those provisions applicable at a country of destination basis do not also catch video-sharing platform services (such as social media) under foreign jurisdiction. The latter services are only regulated on a country-of-origin basis, as mentioned above. In particular, it is set out for audiovisual media services that the violation of specific aspects of public interest, namely circulating content which contains incitement to violence/hatred against certain groups, content that may impair minors and content which may prejudice public health, may result in that National Council for Radio and Television (ESR) imposes a suspension of broadcasting on an infringing audiovisual service provider which targets Greek audience but is subject to a foreign jurisdiction. Secondly, the non-compliance to provisions of general public interest may trigger the intervention of ESR to request the competent authority of the member state having jurisdiction over the provider, for them to in turn call upon the provider to comply with the aforementioned rules of general public interest. Finally, media service providers established at another member state but targeting Greek audience must annually contribute an amount equal to 1.5% of their turnover relevant to the provision media services either a) for the production of Greek audiovisual works or b) for the purchase of rights to Greek audiovisual works that have not yet been released, or c) by paying this amount to a special account of the National Center for Audiovisual Media and Communication SA.

No, the purpose of European rules is to complete the internal market and the abolition of all obstacles to its completion, the corollaries of which are freedom of establishment and freedom to provide services.

Article 3 of the new Directive 2018/1972 – which has been transposed into the Greek legal order by Law 4727/2020 – establishing the European Code for Electronic Communications states that the national regulatory authority, (…), the Member States shall pursue each of the following general objectives : (…) contribute to the development of the internal market by removing remaining obstacles to, and facilitating convergent conditions for, investment in, and the provision of, electronic communications networks, electronic communications services, associated facilities and associated services, throughout the Union.

Both telecoms and audiovisual media distribution sectors are open to foreign investment including in relation to the supply of telecoms equipment, subject to generally applicable restrictions. In addition, there are no restrictions in place concerning the supply of telecommunications equipment from foreign companies. Besides, one of the objectives set out by Directive 2018/1972 establishing the European Code for Electronic Communications is to promote efficient investment and innovation in new and enhanced infrastructures, including by ensuring that any access obligation takes appropriate account of the risk incurred by the investing undertakings and by permitting various cooperative arrangements between investors and parties seeking access to diversify the risk of investment, while ensuring that competition in the market and the principle of non-discrimination are preserved. However, special conditions related to ownership apply to both local and foreign shareholders in the media sector (see Question 1, Telecommunications and Media sectors).

According to Art. 169 par. 1 of L. 4727/2020, a new regulation shall be issued by EETT, regarding the terms and conditions and the relevant details of the interconnection between the operators. Until the issuance of the above regulation, the current EETT’s regulation in force (No. 732/4/11-9-2014) sets the framework for access and interconnection between operators.

In cases of interconnection disputes, the EETT can intervene through the standard dispute resolution procedure, provided for by the Law on Electronic Communications and the relevant EETT Regulation mentioned above.

All fixed network operators have been designated as having Significant Market Power (SMP) in the markets for call termination to individual fixed networks and all (three) mobile network operators have been designated as having SMP in the markets for termination to individual mobile networks.

The ex-ante regulatory obligations for transparency, price controls, cost accounting separation, access to and use of specific network facilities and non-discrimination have been imposed on SMP operators in the above markets (with a few exceptions in specific markets).

EETT defined a symmetric mobile termination rate and a symmetric fixed termination rate, appropriate to maintain until 1/7/2021 when the maximum union-wide fixed voice termination rate and the mobile voice termination rate defined by EC entered into force.

Customer terms and conditions for the provision of electronic communications networks and services are subject both to general consumer protection legislation (Law 2251/1994) and to sector-specific regulation and particularly to Law 4727/2020, to the General Authorisation Regulation of EETT, which defines the minimum content of such terms and conditions and to certain Codes of Conduct (such as the Code of Conduct for the provision of electronic communications services to consumers, which was recently amended through EETT’s Decision 1032/6/2022 following a consultation). .

Art. 210 of Law 4727/2020 establishes certain information requirements before a consumer is bound by a contract with an operator or any corresponding offer.

EETT’s General Authorisation Regulation introduces obligations, among others, for:

• automatic service interruption to avoid overcharging;
• maximum termination rate for early termination of a fixed-term contract; seamless access of customers to conventional terms and price lists;
• provision of a minimum level of service to the subscriber in case of temporary or permanent interruption of services due to debts, such as receiving incoming calls and making outgoing calls that do not charge the subscriber;
• prohibition in fixed-term contracts to increase the fee within the duration of the contract, with the sole exception of technological changes in the network;
• warning of the subscriber about the imminent expiration of his contract no later than two months before its expiration.

The protection of computer programs was introduced in the Greek legal order with the adoption of Directive EU 91/250 (14.05.1991), as codified by Directive EU 2009/24. Under the Greek Copyright Act, namely Law No. 2121/1993 (Official Government Gazette Α΄ 25/1993), computer programs, as well as their preparatory design material, shall be deemed as literary works within the meaning of the law, meaning that they are copyright protected insofar as they constitute original intellectual creations. Accordingly, the protection applicable under national copyright law covers the expression (emphasis added) of a computer program in any form. However, it is explicitly stated that the ideas and principles which underlie any element of a computer program, including those underlying its interfaces, are not copyrightable. With regard to the identification of the notion of originality -as the sole prerequisite for copyright protection under the CJEU case – law-, the national legislator had adopted the relevant interpretation providing that a computer program shall be protected if it is original in the sense that it constitutes the author’s own intellectual creation (Article 2 para 3, Law No. 2121/1993).

Accordingly, creators of computer software are vested with the absolute and exclusive rights provided under Articles 3 and 4 of the Greek Copyright Act, being further analyzed to the bundle of rights deriving from the author’s economic and moral right respectively over his/her work. More precisely, the economic rights shall confer upon authors notably the right to authorize or prohibit: a) the fixation and direct or indirect, temporary or permanent reproduction of their works by any means and in any form, either in whole or in part; b) the translation of their works; c) the arrangement, adaptation or any other alteration of their works; d) the distribution to the public in any form by sale or otherwise of either the original or copies of their works. It must be noted that the law provides that the distribution right shall be exhausted within the Union only in case the first sale or any other transfer of ownership within the Union of either the original or copies is made by the right holder or with his/her consent. Moreover, the author’s economic right covers also: e) the rental or public lending of the original or copies of works (these rights are not exhausted by sale or any other act of distribution of the original or copies of works, while architectural works and works of applied arts are exempted from the relevant scope of application. In addition, the national legislator clarifies that both notions of “rental” and “public lending” have the meaning provided by the Council Directive 92/100 of 19 November 1992); f) the public performance; g) the broadcasting or rebroadcasting of works to the public by radio, television, wireless means or by cable or any kind of wire or any other means in parallel to the surface of earth or by satellite; h) the communication to the public by wire or wireless or any other means, entailing the making available to the public of works in such a way that the public may access these works from a place and at a time individually chosen by them (these rights shall not be exhausted by any act of communication to the public as set out in this provision) and; i) the import of copies of the works produced abroad without the creator’s consent or the import of copies from a country outside the European Union, when the right over such an import in Greece had been retained by the author through contract.

In parallel, authors -of any type of works, profoundly including software- are vested with moral rights under the scope of safeguarding the personal bond that connects them with their works. Respectively, authors have notably the right: a) to decide on the time, place and manner in which a work shall be made accessible to the public (right of publication); b) to demand that his/her status as the author of the work will be acknowledged and, in particular and to the extent possible that his/her name will be indicated on the copies of the work and noted whenever his work is used publicly. Under this right, an author may on the contrary decide that his/her work will be presented anonymously or under a pseudonym. In addition, copyright holders have the right to: c) prohibit any distortion, mutilation or other modification of his/her work and any offence caused by the circumstances in which a work is publicly presented; d) to have access to his/her work, even in the case where the economic right over work or the physical embodiment belongs to another person (access must be granted with minimum possible nuisance caused to the right holder) and; e) in the cases of literary or scientific works, the author has also the right to rescind a contract transferring the economic right or a contract concerning its exploitation or a relevant license insofar as this is necessary for the protection of his/her personality on the grounds of a change either in his beliefs or in circumstances. This rights though is aligned with the author’s obligation to the payment of material damages to his/her counterparty.

Moreover, Greek law provides for further tailor – made provisions with regard to computer programs and databases, i.e. the sui generis right granted to the maker of a database (Chapter 7, Law 2121/1993). Focusing on software, the national legislator had determined that the economic right over a computer program that is created by an employee in the execution of his/her employment contract or following the instructions given by the employer, shall be ipso jure transferred to the latter, unless otherwise provided by contract (Article 40). In addition, Article 41 provides that the first sale within the Union of a copy of a program either by the author him/herself or with his/her consent, shall exhaust the distribution right of that copy within the Union exempt from the right to control the further rental of the program or of a copy thereof.

Article 42 provides for a number of limitations to the rights conferred to authors of protected computer programs. It shall be noted that these special limitations are exclusively applicable to this type of works; consequently, the cumulative application of the exceptions and limitations provided under Chapter 4 of the Greek Copyright Act, shall be excluded. With regard to the wording of this provision, paragraph 1 provides that in the absence of an agreement to the contrary, the reproduction, translation, adaptation, arrangement or any other alteration of a computer program shall not require the author’s (prior) authorization by the author or necessitate the payment of a fee, where the aforementioned acts are necessary for the use of the program by the person who had legitimately acquired the right to use such a program. The correction of errors is also explicitly covered under the term “use”, while the law provides that the latter shall always take place in compliance with the program’s “intended purpose”. On the contrary, reproduction that is necessary for the purposes of loading, displaying, running or storage of a computer program shall be subject to the author’s authorization (paragraph 2). The next paragraph refers to the making of a backup copy by a person having the right to use the computer program thus dictating that this act may not be prevented by contract insofar as it is necessary for the use of the program. In addition, the author’s consent is not required neither the payment of a fee (paragraph 3). The same applies with regard to the right of a person who is legitimately able to use a copy of a computer program to observe, study or test its functioning in order to determine the ideas and principles that underlie any of its element. However, the scope of application of this limitation had been determined as to entail the aforementioned uses insofar as they take place during an act that falls within the concept of the program’s legitimate use. Lastly, paragraph 4 clearly states that any agreement to the contrary shall be prohibited excluding as such any contractual deviation. According to the next paragraph of this provision, the aforementioned circumstances (i.e. the circumstances provided under paragraphs (3) and (4)) consist of the sole reproductions of a computer program for private use that are permitted by the law. Last, following the implementation into the Greek legal order of the Directive 2017/1564 (EU), an addendum to this provision had been introduced (Paragraph 6, Article 42, Law No. 2121/1993 as added with Art. 9 par. 1 Law 4672/2020 implementing Article 3, paragraph 1 of the Directive 2017/1564/EU) dictating that the limitations to the economic right provided for the purpose of permitting certain uses for the benefit of print – disabled persons and persons with other disabilities (Article 28A, Law No. 2121/1993), shall be also applicable to the rights of the holder of rights over a computer program.

Concluding, it should be noted that the national legislator had also regulated the issue of decompilation providing for a tailor – made provision (Article 43, Law No. 2121/1993) according to which the person having the right to use a copy of a computer program shall be entitled to carry out reproduction, translation, adaptation, arrangement or any other alteration, as well as reproduction that is necessary for the purposes of loading, displaying, running or storage of a computer program (the acts referred to in paragraphs (1) and (2) of Article 42, Law No. 2121/1993) with no need to obtain the author’s permission and without the payment of a fee. This exception though applies to the case where such acts are indispensable in order to obtain the information necessary to achieve the interoperability of an independently created computer program with other programs insofar as the following prerequisites are cumulatively fulfilled; i) that this information has not previously been easily and readily available to the legitimate user and ii) that these acts are confined to the parts of the original program which are necessary to achieve the aforementioned interoperability.

However, it is clearly provided that the application of the first paragraph of this provision –as stated above- shall not permit this information –meaning the information received within the scope of its application: a) to be used for objectives other than to achieve the interoperability of the independently created computer program; b) to be announced to other persons except when necessary for the said interoperability or c) to be used for the development, production or marketing of a computer program, the expression of which is substantially similar to the initial program or for any other act that infringes the author’s copyright.

Last, paragraph 3 of Article 43 makes an explicit reference to the three – step test thus concerning (as in all cases) an exception and limitation to the author’s economic right. As a result, it is (also in this case) explicitly provided that the provisions established under Article 43 shall not be interpreted in such a way as to allow its application to be used in a manner that would conflict with the normal exploitation of the computer program or would unreasonably prejudice the author’s legitimate interests.

The protection of databases was introduced in the Greek legal order with the adoption of EU Directive 96/9 and they fall explicitly within copyright’s rationae materiae under the Greek Copyright Act thus being identified as deriving from the original selection or arrangement of their contents; on these grounds, databases constitute the author’s intellectual creation and shall be profoundly protected as such by copyright. However, the law provides that copyright protection shall not extend to the contents of a database and shall not prejudice any right subsisting in those contents per se. According to the relevant definition, a “database” is a collection of independent works, data or other material arranged in a systematic or methodical way that is also individually accessible by electronic or other means (Article 2(2)(a), Law No. 2121/1993).

Consequently, the author of a database is the (initial –as in all cases following the relevant presumption (Article 6(1), Law No. 2121/1993) holder of copyright over this type of work on the grounds of the original selection or arrangement of its contents.

Focusing on the contents of a database, national law provides for the sui generis right of the maker of a database (Article 45A, Law 2121/1993). More precisely, the maker of a database has the right to prevent extraction and/or re-utilization of the whole or of a substantial part of the content of a database, being evaluated qualitatively and/or quantitatively, provided that the acquisition, control or presentation of such a content demonstrate substantial qualitative or quantitative investment. The notion of the “maker of a database” had been determined as either the natural or legal person who takes the initiative and bears the risk of investment with the exception of the contractor of a database who shall not be considered as “maker” within the meaning of law.

Moreover, a number of critical definitions are provided under paragraph 2 of Article 45A of the Greek Copyright Act, being analyzed –for the purposes of this provision- as follows: a) “extraction” shall mean the permanent or temporary transfer of all or of a substantial part of the content of a database to another medium by any means or in any form, and b) “re-utilization” shall mean any form of making available to the public all or a substantial part of a database’s content by the means of distributing copies, by renting, by transmitting either online or through other forms. With regard to exhaustion, the law provides that the first sale of a copy of a database within the Union by the rightholder or with his consent shall exhaust the right to control the resale of that copy within the Union. In addition, it is clearly stated that public lending does not constitute an act of extraction or re-utilization.

It should be further stated that the sui generis right of the maker of a database applies irrespective of whether that database or the content thereof are protected under copyright law or under other provisions. The protection afforded to the maker of a database does not prejudice other potential rights over its content. With regard to the transfer of this right, the law provides that it may take place either with or without any consideration or that its exploitation may be assigned by the means of either a license or a contract.

The three – step test is also in this case applicable since paragraph 4 provides that in the case where the normal exploitation of a database or the legitimate rights of the maker of a database may be prejudiced through the repeated and systematic extraction and/or re-utilization of insubstantial parts of the content of the database, such acts shall not be permitted.

Moreover, it is provided that the maker of a database that had been made available to the public by any means cannot prevent the legitimate user of the database from extracting and/or re-using insubstantial parts of its content, being evaluated (i.e. the parts) either qualitatively or quantitatively, irrespective of the objective pursued at each case at issue. In the case where that user is entitled to extract and/or re-utilize only a part of the database, this provision is applicable only to that part. On the other side, the law provides for certain acts that (even) the legitimate user of a database that had been made available to the public shall not undertake; namely, to perform acts that conflict with the normal exploitation of that database or that unjustifiably prejudice the legitimate interests of its maker, and to cause damage to the holders of copyright or of related rights over the works or performances integrated into that database. We should also underlie that any agreements contrary to this provision (paragraph 5) shall be deemed as null and void.

On the other hand, the right of the maker of a database is subject to certain exceptions and limitations under the scope of providing the legitimate user of a database that had been made available (by any means) to the public the ability to extract and/or re-utilize a substantial part of its content in the following cases; a) in the case where such an extraction is made for educational or research purposes, provided that the source is quoted, and to the extent that it is justified on the grounds of the non – commercial purpose (profoundly) pursued; b) when the extraction and/or re-utilization is made for reasons of public safety or within the scope of administrative or judicial procedures.

The Greek legislator had further clarified that this sui generis right applies to databases whose makers or right holders are citizens of a Member – State or in the case where they have their habitual residence within the Union territory. It is also applicable to companies and enterprises that had been established in accordance with the law of a Member – State, and whose registered offices, central administration or main establishment is located within the Union. Moreover, the interpretation given under Articles 9 and 11 of the Directive 96/9/EC on the legal protection of databases had been introduced as such to national law thus it is dictated that in the case where certain company or enterprise has exclusively its registered office within the Union territory, business activities shall be genuinely and on an ongoing basis aligned to the economy of a Member – State. Last, the exceptions and limitations provided under the revised Article 28A –as amended on the grounds of implementation at national level of the Directive 2017/1564/EE- are also applicable to the sui generis right of the maker of a database.

The last paragraph of Article 45A, Law 2121/1993 provides for certain rules on the term of protection of this right; first, it is stated it shall run from the date of completion of the making of the database and shall expire fifteen (15) years from the 1st of January of the year following the date of completion. In the case of a database that had been made available to the public in any means prior to the expiration of the term of protection, the latter shall be calculated from the 1st of January of the year that follows the date on which the database was first made available to the public. Lastly, it is stated that any substantial modification, being evaluated on either qualitative or quantitative terms, of the content of a database, in particular any substantial modification resulting from the accumulation of successive addendums, deletions or alterations that result to the consideration of the relevant investment as a new substantial one, being also here evaluated on qualitative or quantitative terms, which would result in the database being considered to be a substantial new investment, attracts –in relation to the database deriving from this investment- a right of the same term of protection.

The protection of personal data and privacy of individuals constitutes a fundamental human right. Data protection laws grant the data subjects, i.e. individuals, certain rights and impose certain responsibilities on data controllers. In Greece, the data protection regime is primarily set out in the General Data Protection Regulation 2016/679 (EU) (GDPR) and Law 4624/2019, incorporating the Regulation 2016/679 (EU) (GDPR) and the Directive 2016/680 implemented into national law. Moreover, while the e-Privacy Law (Law 3471/2006) applies mainly to the electronic communications sector, certain provisions are not sector-specific, such as the provisions on unsolicited communications.

Based on the above-mentioned legal framework, processing of personal data must meet the following fundamental data protection principles and requirements regarding data subjects’ rights:

Lawfulness

The legal basis for the legitimate processing of personal data, according to the GDPR, might be consent, performance of a contract with the data subject, compliance with a legal obligation, protection of the individual’s vital interests, performance of a task carried out in the public interest or protection of the controller’s or a third party’s legitimate interest. For special categories of data (eg, data related to health, race, political or religious beliefs) processing is prohibited, unless one of the conditions defined in Article 9 paragraph 2 of the GDPR apply (eg, explicit consent, processing necessary for preventive or occupational medicine, etc).

In its Decision No 26/2019, the HDPA imposed a fine on a controller for invoking consent as the legal basis for processing personal data of employees, thus giving them a false impression that processing of their data depends on their consent. In addition, in its recent Decision 17/2021, the HDPA imposed a fine of 5,000 Euros on a private educational institution for unlawful data processing and incorrect response to the data subject’s access and deletion rights. In 2022, the HDPA issued numerous decisions, imposing fines to controllers for unlawful data processing, most of them concerning unlawful/unrequested commercial or political communication (e.g. Decisions No. 1/2022, 26/2022,16/2022,17/2022, 30/2022).

Transparency and fairness

Processing of personal data must be carried out in a fair and transparent manner. Controllers must provide data subjects with clear information concerning the processing of their data (eg, which data is processed, how, why, by whom, the recipients of the data). This information must be provided in a brief, easily accessible, comprehensible, clear and simple manner.

Purpose limitation

Collection and processing of personal data by controllers must be based on specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes shall not be considered to be incompatible with the initial purposes.

Article 24 of Law 4624/2019 provides that the authorities may process personal data for different purposes when such processing is necessary for them to exercise their duties. When it comes to private entities, processing of data for different purposes is allowed following a request from the authorities for reasons of national and public security, if it is necessary for the prosecution of criminal offences, or for the establishment, exercise or defence of legal claims, which are not overridden by the interests of data subjects (Article 25 of Law 4624/2019).

Data minimisation

Controllers must only process as much data as necessary. Data processed should be adequate, relevant and limited to what is necessary for the purposes of processing.

Indicatively, the HDPA has issued Opinion 4/2013 and relevant official decisions restricting the processing of criminal records and providing that, if not required by law, these should be replaced by solemn declarations of employees which would only refer to convictions for specific crimes related to the main activity of the controller.

Accuracy

Personal data must be accurate and kept up-to-date. In this context, an immediate erasure or rectification of inaccurate data is mandatory for controllers.

Storage limitation

Personal data should be retained for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as it will be processed solely for archiving purposes in the public interest, for scientific or historical research or statistical purposes subject to implementation of the appropriate technical and organisational measures.

The HDPA has defined specific retention periods (eg, Opinion 1/2011 on CCTV defining a retention period of 15 working days, without prejudice to sector-specific provisions) in certain cases where no statutory retention period is defined.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Any breach of confidentiality, integrity or availability by “accidental or deliberate action” constitutes a data breach.

Accountability

According to the principle of accountability, controllers and processors must design their processes and technical and organisational systems in such a way that they can prove before the supervisory authorities or courts that they are fully compliant with the applicable framework for personal data (Law 4624/2019, GDPR). The introduction of the principle of accountability shifts the “burden of proof” of compliance from the data protection authorities to controllers and processors. The GDPR provides controllers and processors with a range of regulatory methods and tools for this purpose, such as:

• keeping records of processing activities;
• implementation of security measures;
• data protection impact assessments;
• appointment of a data protection officer;
• compliance with data breach notification obligations; and
• encouraging the adoption of codes of conduct.

Data Subjects’ rights

Controllers must ensure data subjects’ rights with respect to processing of their personal data and ensure that they may exercise them, as well. Data subjects have the right to request:

• Access to their personal data;
• Rectification of their personal data if it is inaccurate or incomplete.
• Deletion of their personal data, unless their processing is necessary for the exercise of legal rights of the Controller for the fulfillment of a legal obligation, for public interest reasons or for defending its legal rights before judicial or other Authorities.
• Restriction of processing of their personal data only for specific purposes.
• To withdraw at any time their consent to the processing of their personal data for marketing purposes and/or targeted advertising. In such case, their processing by the Controller will be suspended, nevertheless this will not impact the legitimacy of any processing performed until the time of withdrawal.

The HDPA has issued a number of recent decisions based on which fines have been imposed on Controllers for non-compliance with the principles of processing and satisfaction of the rights of data subjects (e.g. Decisions No. 28/2022, 23/2022, 27/2022, 61/2022).

The applicable personal data protection legal framework imposes restrictions on the transfer of personal data outside the European Economic Area (EEA), to third countries or international organisations. Personal data may be transferred outside the EEA, where the recipient of the personal data has provided adequate safeguards (eg, model clauses and/or binding corporate rules) or if the Commission has made an “adequacy decision” – in other words, if it has decided the country has an adequate level of data protection. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the transfer.

In addition, according to Article 75 and following Law 4624/2019 (implementing Directive 680/2016), if the requirements are met then data transfers to countries outside the EEA authorities or to international organisations are also allowed in the context of prosecution of criminal offences.

Article 83 of the GDPR states that supervisory authorities shall impose administrative fines that shall be effective, proportionate and dissuasive.

There are two tiers of administrative fines that can be levied as penalties for non-compliance with the GDPR, depending on the specific articles of the Regulation that the organisation has breached. In specific, data security breaches will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.

• Up to €10 million, or 2% annual global turnover – whichever is higher.
• Up to €20 million, or 4% annual global turnover – whichever is higher.

In Greece, regarding the private sector, the GDPR’s provisions (General Data Protection Regulation), apply, as there is no further specialization in the applicable national law (L. 4624/2019).

In July of 2022 the HDPA imposed a fine of €20.000.000 to Clearview AI Inc., for violating the principles of lawfulness and transparency with its controversial facial recognition services and banned it from collecting and processing the personal data of people living in Greece. It has also ordered it to delete any data on Greek citizens that it has already collected. This is the largest fine the Authority has ever imposed on a company.Also, in January of 2022, the HDPA imposed a fine of €6,000,000 on Cosmote Mobile Telecommunications S.A. (“Cosmote”), which is the largest MNO in Greece and €3,250,000 on its parent company, Hellenic Telecommunications Organization S.A. (“OTE”), following a data breach incident concerning call data leakage of subscribers. Also,

The HDPA had also imposed two fines to the Hellenic Telecommunications Organization (O.T.E.).totaling € 400,000 on the one hand for non-compliance with the right of objection and breach of the principle of data protection as well as breach of the principle of accuracy and data protection by design during the storage of its subscribers’ personal data.

On the other side, regarding the public bodies acting as Controllers, the national Law 4624/2019 (art. 39) sets a maximum fine of €10 million.

However, the HDPA can take a range of corrective actions, such as the following, given that not all GDPR infringements lead to serious fines:

• Issuing warnings and reprimands;
• Imposing a temporary or permanent ban on data processing;
• Ordering the rectification, restriction or erasure of data; and
• Suspending data transfers to third countries.

Ιn addition to the above-mentioned applicable legal framework (pls see answer in question No 14), the HDPA at regular intervals or when it deems it necessary, issues guidelines and recommendations to the Controllers regarding issues that require clarification. For example, recently the HDPA issued guidelines for the processing of personal data for the management of Covid-19, as well as the taking of security measures in the context of remote working, dated on 18.03.2020 and 15.04.2020 and 04.08.2021 respectively.

Other than that, the Greek State, proceeded to a specialization of GDPR’s provisions regarding the consent of minor. In particular, according to the Article 8 of the GDPR, the Member States were able to provide for the age at which a minor may consent alone to the processing of her/his personal data, provided that it is between 13 and 16 years of age. The national Law 4624/2019 on protection of personal data set this age at 15 years old. As a result, if the Greek minor is under 15 years of age, the processing of his/her personal data is legal only after the consent of his / her legal representative has been given.

Law 4727/2020 on Digital Governance defines cloud computing as a service standard that enables Internet access to an expandable and flexible group of shared physical or virtual resources. The provision of the service is based on the needs of the user and the management of resources by the service provider is done only at the request of the user. Law 4727/2020 references the following models of cloud computing:

• Public: services are potentially available to any customer and the resources of the service are controlled by the service provider. A public cloud can be owned, managed and operated by a business, academic or governmental organization or a combination of the above. The computing infrastructure is located on the premises of the service provider.
• Private: services are used exclusively by a single organization and resources are controlled by that organization. A private cloud can be owned, managed and operated by the organization itself or by a third party and the computing infrastructure may be located on-site or off-site. The private cloud service provider may allow access to other parties.
• Hybrid: uses at least two different cloud computing service models. The two services remain unique but are interconnected by the appropriate technology that enables interoperability, data and application portability. A hybrid cloud can be owned, managed and operated by the organization itself or by a third party and can be located on-site or off-site.

The Ministry of Digital Governance is responsible for determining the use of cloud computing infrastructure by public sector bodies and defining criteria for the selection of techniques and methods for the use of cloud services. To promote the use of cloud services by public administration, the Ministry will design and launch a digital marketplace of Cloud services and applications in which public sector bodies and Cloud service providers will be registered, where Cloud service providers will post the cloud services provided by them, the technical details and the costs of procurement.

Furthermore, personal data protection in cloud services is regulated by the EU’s General Data Protection Regulation 2016/679 (GDPR) applies, alongside the Law 4624/2019 on the Protection of Personal Data, implementing the GDPR, which introduces specific criminal penalties for the illegal processing of personal data, in addition to the administrative penalties applicable under the GDPR.

Concerning cybersecurity, the legal framework that applies to cloud providers offering computing services, as digital service providers, is Law 4577/2018, which transposes the Network and Information Security Directive 2016/1148/EU (NIS). Law 4577/2018 imposes obligations on businesses, such as the adoption of technical and organisational measures for the security of networks and information systems; for the prevention and minimization of the impact of security-related incidents; the notification of the National Cybersecurity Authority and the Hellenic Data Protection Authority of incidents with a serious impact on business continuity and the cooperation with the competent authorities.

Furthermore, Act No 3674/2008 provides the obligations of network operators and electronic communication service providers in terms of network security, decryption, system and supervision. Other provisions relevant to confidentiality of communications concern the criminalisation of the various acts of unlawful interception and further use of unlawfully acquired communications data (see articles 370–370D of the Greek Criminal Code) and the prohibition of using such unlawfully acquired evidence in the criminal procedure (see Article 177 of the Greek Code of Criminal Procedure).

Finally, there is also sector-specific legislation on cloud computing services. In the public administration sector, Law 4623/2019 and Law 4727/2020 contain provisions concerning the acquisition and use of cloud computing services by public administration in Greece.

In particular, the General Secretariat of Public Administration Information Systems (GGPSDD), the National Network of Technology and Research Infrastructures (EDYTE SA) and the Digital Governance of Social Insurance (HDIKA SA) must prioritize the acquisition of cloud computing services for all public sector entities over other technological solutions, for storing data, hosting information systems and other activities specified. Every new information system of public sector entities must be accompanied by a data classification study, which must be included in the analysis and design studies of the project.

The provision of digital public services by public sector bodies is carried out through the central infrastructure of the Government Cloud of the Public Sector (G-Cloud), managed by GGPSDD, the Government Cloud of the Research and Education Sector (RE-Cloud), managed by EDYTE, and the Government Cloud of the Health Sector (H-Cloud), managed by HDIKA. The entities responsible for the management of the Government Clouds must each retain a digital register of the central electronic applications and the central information systems installed in the respective Cloud. The above Government Cloud Computing Systems may be interconnected to provide optimal public services and to create backup, business continuity and disaster systems, in compliance with the provisions of the legislation on personal data protection.

All central electronic applications and information systems relating to transactions between public administration and natural or legal persons or legal entities and are maintained by all Ministries (except for the Ministry of Health and the Ministry of Education and Religious Affairs), public sector bodies (other than Hospitals and Health Centers), independent authorities and Information Society S.A., must be installed on the G-Cloud by 01.01.2023. By the same date, all electronic applications and central information systems of the Ministry of Education and Religious Affairs and its supervised bodies, as well as those offered by the Ministry to the education and research community, must be installed on the RE-Cloud. The same applies for the applications and central information systems of the Ministry of Health, of Hospitals and Health Centers, concerning the processing of medical data and citizens ’medical transactions. GGPSDD, E.D.Y.T.E. S.A. and H.D.I.K.A. must provide Service Level Agreements (SLAs) to the abovementioned entities.

In the financial services sector Act No 2577/2006 and Act No 2597/2007 of the Governor of the Central Bank of Greece on internal control and privacy systems for the banking sector, as well as in Law 3431/2006 and Law 2472/1997 are in force, to the extent that they do not conflict with the provisions of the GDPR.

For electronic signatures, the requirements set out in the eIDAS Regulation (EU 910/2014) regarding each specific kind of electronic signatures (Electronic Signature, Advanced Electronic Signature (AES), Qualified Electronic Signature (QES) came into direct effect to all EU member-states, including Greece. Regarding the requirements of validity of the AESs see Article 26 of the Regulation and regarding the requirements of validity of the QESs see Articles 29-32 Of the Regulation. Greece has primarily adopted the concept of a Qualified Electronic Signature (QES), for the issuance of electronic documents. A QES abiding by the requirements of the eIDAS Regulation, means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures . More specifically, Law 4727/2020 regarding “Digital Governance (Transposition into Greek Legislation of Directive (EU) 2016/2102 and Directive (EU) 2019/1024) – Electronic Communications (Transposition into Greek Legislation of Directive (EU) 2018/1972) and other provisions”, regulates the use of electronic signatures in Greece. Pursuant to Law 4727/2020, public electronic documents (originals, exact copies and digitized electronic copies), should bear QES in order to be valid (see article 13). The abovementioned electronic documents, if bearing a QES, are considered to have the same probative value as documents bearing a handwritten signature against all public bodies and courts (see article 14). Interestingly, and without prejudice to the provisions of the Single Digital Portal of Public Administration, certificates and attestations of any kind may be issued using either an advanced or Qualified Electronic Signature or an advanced or approved electronic stamp (see article 13).

Furthermore, an electronic document bearing a simple or advanced electronic signature or an advanced electronic stamp of its issuer, is considered as a mechanical display, within the meaning of article 444 of the Code of Civil Procedure, i.e. a private document. Electronic documents with a simple or advanced electronic signature are freely considered as legal means of proof according to the applicable procedural provisions (see article 16).

However,, private documents which are required by law or by the contracting parties to bear a personal signature, when in electronic form, must bear a QES in order for them to be valid, binding and have probative value (see article 16). Electronic private documents issued by natural or legal persons or legal entities using a QES or an approved electronic stamp, are obligatorily accepted by public sector bodies, courts of all levels and prosecutors throughout the country and by natural or legal persons or legal entities during their electronic circulation (see article 15).

Regarding the accreditation itself, Greece follows the European Telecommunications Standards Institute standards for the technical requirements of the Qualified Electronic Signatures, as well as the Decision of the Hellenic Telecommunications & Post Commission, which offers a list of Qualified Trust Service Provides publicized at its site. Complimentary to the relative provisions of the eIDAS Regulation (EU 910/2014), Law 4727/2020 and No. 837/1Β/2017 EETT Decision “Regulation on the provision of Trust Services” (EETT is the designated public authority responsible for the oversight of Trust Services) also contain provisions regulating the operation of Trust Services in Greece.

It should also be noted that companies and individuals that wish to participate in public tenders are obliged to use digital signatures (Qualified Electronic Signature).

Currently, electronic signatures are extensively used in the public sector and consistent efforts have been made to foster this trend. For instance, APED (Certification Authority of the Greek Public Sector), a qualified trust service provider especially for the public sector has been established. APED also provides services to the public. In the private sector a similar increasing trend can be observed, admittedly though not as significant as the one in the public sector. This rise in the use of electronic signatures in the private sector can be attributed significantly to the effects of the Covid pandemic

Not automatically. The content of an outsourcing contract is always determined on an ad hoc basis by the two counterparties the outsourcer and the outsourcing supplier. Without special contractual clauses dictating the transfer of employees, assets or third-party contracts, no such transfer can take place automatically, especially when the outsourcing agreement relates only to the outsourced activity. As far as the employees are concerned, even in cases where the outsourcing of IT services takes place between associated companies, the employee cannot be transferred to the outsourcing supplier automatically. In practice, this tends to be solved by the involved parties. Under Greek law, outsourcing is governed primarily by the contractual terms agreed on an ad hoc basis between the counterparties. No transfer of assets, employees, or contracts takes place automatically since the decision to outsource any king of services, including IT services, is subject to the freedom of contracts.

The principle of freedom of contracts derives from and is inexorably intertwined with economic freedom as provided by the Greek Constitution and is further analysed to the freedom to conclude or not a (given) contract, the freedom to choose the counterparty and the freedom to determine the exact content of a contract, meaning the contractual clauses that shall be binding upon the parties. Consequently, no one is (or could be) obliged to conclude a contract with the content of which he/she does not agree -and be respectively committed to the execution of a given clause-, profoundly covering contractual terms provided under an agreement concluded between third – parties. On the contrary, the determination of the exact content of contractual clauses is subject to the free willing of the parties and the relevant negotiations provided that they are not contrary to the law -profoundly referring to constitutional provisions and the mandatory rules provided under Greek legal system- or morality. These limitations applicable to the freedom of contracts -as in any individual right- are complemented by the obligation to respect the rights of third – parties meaning that a given contract shall not be cumbersome and shall not generate obligations for third – parties.

As a result, the outsourcing of IT -as of any- services is subject to the general principle of freedom of contracts -under the aforementioned limitations-, meaning that any relevant issue -including the employment status or assets- shall not be considered as being “automatically” transferred to any third – party unless otherwise provided by contract.

It should be noted that after the drafting of the outsourcing contract and depending on its specific terms, which are governed as mentioned above by the contractual freedom of the parties, an outsourcing contract could be regarded as a contract of legal transfer of part of the business, in the context of Council Directive 2001/23/EC and Presidential Decree No. 178/2002. This applies only to contracts that provide alongside the outsourced activity, the transfer to the outsourcing supplier of third-party contracts, assets, employees etc. of the original business. In this context, outsourcing falls within the meaning of the “legal transfer of business” of Directive 2001/23/EC (and the relevant previous Directives) as long as, the transferred (outsourced) activity or operation constitutes an economic entity that retains its identity, meaning an organised grouping of resources which has the objective of pursuing in a stable and not time-limited manner, an economic activity, whether or not that activity is central or ancillary. The mere transfer of some assets e.g. equipment or a nonsignificant number of employees would not transform the nature of the contract, on the contrary, it would take for an extensive transfer of employees and equipment and the retention of their operational connection under the control of the transferee, for the application of the above-mentioned pieces of legislation to even be considered. However, should an outsourcing contract be deemed to meet the above conditions and constitutes, in fact, a legal transfer of part of an undertaking, as required by the Directive 2001/23/EC and the Presidential Decree No. 178/2002, then the transferor’s (original business-outsourcer) rights and obligations arising from a contract of employment or from an existing employment relationship, connected to the transferred part of the business, shall, by reason of such transfer, be automatically transferred to the transferee. The transferee (outsourcing supplier) will in this case have to comply with the provisions of Presidential Decree No. 178/2002. This ipso jure transfer, relating to the employment contracts, takes place only in the event that, as we explained above, that the outsourcing contract already provides for the transfer of an economic entity/organised grouping of resources/part of the business and not only the outsourced activity.

Artificial Intelligence is not specifically regulated nor is there a specific legislative framework to cover its applications in Greece. Therefore, all legal questions, including the ones related to liability, are primarily approached based on the Greek Civil Code, although this may very often lead to dead ends. For the purposes of this answer, a distinction should be made between the liability of the user of the software and that of the software provider.

As far as the liability of the software provider is concerned, all AI technologies in Greece ought to meet the essential health and safety requirements laid down in the EU safety legislation (as it has been transposed into Greek law), such as Directive (EC) 2006/42 on machinery (the safety legislation applicable to robots), Directive 2014/53/EU on radio equipment (which applies to all products that use the radio frequency spectrum, including embedded software) and Directive 2001/95/EC on general product safety.

Additionally, EU product liability regime also applies, introduced by the Product Liability Directive (D 85/374/EEC) and was implemented by amendments of the Greek Consumer Protection Law 2251/1994. This framework, which applies to all new digital technologies, establishes a strict liability regime against the producers of defective products, holding them liable when these defective products cause damage to natural persons or their property, while the injured consumers are not required to prove the fault of the producer. Public Consultations on a possible amendment of the Directive in order for it to better address issues arising out of the use of AI took place from 18 October 2021 to 10 January 2022 and the Commission is expected to issue a Proposal in the third quarter of 2022.

On the other hand, for the tortious liability to be attributable to a party, the Greek Civil Code sets out five conditions that need to be fulfilled cumulatively: a) human behaviour, b) illegal action, c) fault, d) damage and e) causal link between behaviour and damage. It is obvious that if a software program characterised as Artificial Intelligence causes damage, some of the abovementioned conditions are rather difficult to substantiate, especially one party’s fault and the causal link between the human behaviour and the damage occurred.

Up until today, it appears that the current legal framework of extra-contractual liability, despite the challenges, can be applied to damage causes by A.I. software with regard to both the provider and the user. It should be noted that especially the scope of the user’s liability is heavily debated at the moment. It is mostly agreed that user liability cannot be completely excluded. However, the extent of it has yet to be clearly defined. For example, user liability could stem from the user’s failure to abide by certain safety or operational rules and perhaps be excluded in cases where he can prove that no such rules were violated. On the other hand, it has also been suggested that anyone who uses state-of-the-art (artificial intelligence) items should be responsible for the risks arising from their activity. Furthermore, in cases where an AI software is put to use by an enterprise in connection to its professional activity, it has been proposed that the rules of corporate governance with regard to outsourcing should be transferred and considered applicable regarding the application and treatment of AI software. The ambiguity regarding the matter arises mainly from the fact that no definite answers have been provided so far on a legislative level. National legislation under public consultation unfortunately does not directly address the matter of who is to be held liable for a possible malfunction of an AI software.

In any event, taking into account the new generation of AI which approaches operational autonomy and behavioural unpredictability through their capacity to analyse and learn from their environments, it will be increasingly more difficult to identify the natural person at fault for the damage caused by the AI software which means that all implicated parties should aim to act proactively when operating A.I. software in Greece and regulate contractually all possible aspects of liability for such systems, while aiming for insurance coverage as well.

(a) In Greece, the legal and regulatory framework that governs cybersecurity issues mainly consists of Law 4727/2020 (particularly article 148 and 149). According to the applicable provisions, operators offering internet access networks and/or services should maintain and implement security policies, supported by relevant analytical procedures. More specifically, providers shall adopt appropriate and proportionate technical and organisational measures for the security of their networks and services. These measures, taking into account the most advanced technical capabilities, must ensure a level of safety commensurate with the existing risk. In particular, providers shall take measures, including encryption, where appropriate, to prevent and minimise the effects of security incidents affecting users and other networks and services. Public electronic communication networks or electronic communication service providers shall immediately notify ADAE (Hellenic Authority for Communication Security and Privacy) about any security incident that has had a significant impact on the operation of networks and services. ADAE in turn: a) immediately notifies any incident, of which it becomes aware, to the National Cyber Security Authority designated in accordance with the provisions of Law 4577/2018 (A` 199) and b) notifies the incidents that have an impact on the availability or integrity of networks or services to ΕΕΤΤ. ADAE Regulations 165/2011 and 205/2013 (as in force, amended by ADAE Decisions 99/2017, 37/2022 and 38/2022) are also applicable. In addition to the above, provisions of the Data Protection Law apply which require data controllers and processors to ensure the implementation of appropriate organisational and technical measures to ensure protection of personal data and provided that certain conditions are met, to report significant breaches of personal data to the Hellenic DPA (Hellenic Data Protection Authority) Especially with regard to the protection of personal data & privacy in electronic communications, Law 3471/2006 applies and imposes obligations upon operators including the obligation to inform the subscribers of an imminent security threat and propose appropriate measures. Another legislative act related to cybersecurity is Law 3674/2008, which states the obligations of network operators and electronic communication service providers in terms of network security, decryption, system and supervision. Finally, according to 837/1Β/2017 ΕΕΤΤ Decision, Trust Services Providers are obligated to take appropriate technical and organisational risk management measures for the security of the trust services they provide and shall inform, without undue delay and, in any case, within 24 hours after becoming aware, EETT and, as the case may be, other relevant bodies, of any breach of security or loss of integrity that has a significant impact to the trust services provided or to the relevant personal data. The reporting obligation applies to all trust services qualified or not.

In addition, in December 2018, Law 4577/2018 entered into force incorporating into Greek law Directive 2016/1148/EU (ΝΙS1), establishing measures to achieve a high level of security of network and information systems. The aforementioned law, inter alia, sets specific obligations for ‘basic services operators’, namely all public or private entities (of the kind referred to in Annex I), including regarding digital infrastructure: internet traffic exchange points (IXP), domain name system (DNS) service providers, and Top Level Domain Names Registry (TLD), that meets specific criteria. The criteria are as follows: (a) the entity should be providing a service essential for the maintenance of critical social or economic activities; (b) the provision of this service should be based on network and information systems; and (c) it should be causing a serious disruption to the provision of the service in question as defined in Article 5 4577/2018 have certain obligations, among which are: to adopt technical and organisational measures for the security of networks and information systems; to adopt measures to prevent and minimise the impact of incidents affecting the security of networks and information systems; to notify without undue delay the National Cybersecurity Authority and the Hellenic DPA of incidents with a serious impact on business continuity, while providing additional information regarding the severity of the relevant incident and to co-operate with the competent authorities. Pursuant to article 14 of Law 4577/2018, entities that have not been identified as basic service operators and are not digital service providers may voluntarily report events that have a serious impact on the business continuity of the services they provide, without taking on any kind of the aforementioned responsibilities.

A new Directive governing cybersecurity and replacing NIS1 is expected to be adopted soon by the EU institutions and a national law strengthening cybersecurity in the public sector is currently under public consultations in Greece.

(b) Hacking is now explicitly mentioned in article 370B of the Greek Penal Code (GPC) as an illegal act punishable by imprisonment. Pursuant to article 370B of the GPC, the accessing of an information system or electronic data, without right, by circumventing protection measures is punished with imprisonment of up to two years or a monetary fine(in particularly mild cases, the act might go unpunished). This article criminalises the unlawful access and attacks against the confidentiality, integrity and availability of computer systems and data. Paragraph 2 of the article provides for aggravating circumstances which are accompanied by more stringent penalties, such circumstances may include the unlawful access being gained by an employee without right or breaches relating to state, scientific or professional secrets or secrets of a public or private sector enterprise/utility or privacy breaches of significant economic value. This provision does not require damages to occur or data to be stolen in order to be applicable. In fact, it should be noted that the above provision complements article 370C of the GPC, which punishes breach of privacy (state, scientific or professional secrets or secrets of a public or private sector enterprise/utility), as it finds application in cases where the intrusion is related to a computer system and does not concern the content of the data that are being violated. Furthermore, article 370B may overlap with article 370D par.2 of the GPC, which prohibits the accessing of an information system or of data transmitted by telecommunications systems, when it is conducted without right and in violation of security measures taken by its rightful owner. However, most probably in cases where both articles are applicable, article 370B as the more specialized one shall apply and preclude the application of article 370D par.2.

The same chapter of the GPC, namely “Chapter XXII. Violation of Personal and Communication Secrecy”, which provides for the above-mentioned offences, contains also articles 370, 370A and 370E, which prohibit the interception of communications and more specifically aim to safeguard the confidentiality of electronic mail, of telephone communications and data communications respectively. These articles criminalise, inter alia, acts of hacking which may lead to the violation of the above-mentioned privacy rights.

Additionally, as far as hacking is concerned, article 386A of the GPC provides that one of the ways to commit computer fraud is via acts of hacking and namely, the unauthorized entry, alteration or deletion of computer data, in particular identity data.

A DDOS attack (distributed denial of service attack) is described as a cyberattack where a large number of PCs gets infected by a malware, that renders them under the control of one person, creating a zombielike botnet which can be utilized or rented to third parties, to carry out attacks on computer systems, by temporarily or indefinitely disrupting services of a host connected to the Internet. Under the GPC this type of attack is prohibited pursuant to article 292B. Article 292B stipulates that impeding or disrupting seriously and with no justification the operation of an information system by entering, transmitting, deleting, destroying, altering digital data or by blocking access to such data is to be punished by imprisonment and a fine. Paragraph 2 of the article provides for aggravating circumstances which are accompanied with more stringent penalties. These circumstances include causing serious or prolonged damages or attacking utilities. In the latter case, the perpetrator is threatened with being charged with minimum three years of imprisonment and a monetary fine. Preparatory actions for the commission of the abovementioned crime are punishable under article 292C of the GPC. In case that a DDOS attack is used to obstruct or disrupt the operation of a telecommunications facility, article 292E of the GPC may also be applicable. Article 292E provides that “A person who obstructs or disrupts to a large extent or for a long period of time, the operation of a facility for the provision of public telephony or electronic communications services or more importantly the internet by unlawful interference with an object or an information system or electronic data is threatened with imprisonment of at least one year and a monetary fine.”.

The same chapter of the GPC namely “Chapter II. Crimes against Telecommunications and other Public Facilities” which provides for the above-mentioned articles, contains also provisions relevant to the protection of the confidentiality of telecommunications that criminalise acts of hacking of telecommunication networks and more specifically the unauthorized access to software systems used to provide such services (see articles 292Α, 292D of the GPC).

The Internet of Things (IoT), advanced robotics, Artificial Intelligence (AI) and autonomous systems powered by AI (e.g. drones) will result in significant legal change. For example, autonomous vehicles (reliant on network-connected sensors) require a rethinking of legal relationships, from who bears liability in the event of an injury, to the nature of driver and vehicle insurance. Smart devices may be capable of entering into contracts with other devices, using self-executing provisions in smart contracts maintained on a blockchain. These technological developments will require a re-evaluation of basic principles of contract law. The complex enabling ecosystem and the feature of autonomous decision-making as well as the rollout of the Internet of Things bring substantial challenges in terms of the safety of connected systems, products and services, as well as for businesses’ liability. Many different layers are involved in these emerging digital technologies and, therefore, it could be difficult to determine who is technically and legally responsible for any ensuing damage. Also, legislation should address the issues of free movement of data, interconnected robots and AI network security, protection of personal data, and privacy in communication between humans, robots and AI.

The increasing momentum for privacy protections that fails to address big data and use of artificial intelligence could create serious impediments to economic growth. It’s important to point out that AI is not regulated in Greece by law (however, please see the final Question), and no regulatory guidance on the relationship between AI and personal data nor relevant decisions have been issued to date by the Hellenic Data Protection Authority (“HDPA”), out of which conclusions could be drawn as to the norms defining its use. This is why an optimal balance should be achieved between the predictability of the regulatory environment and the adaptability to scientific and technological progress. In other words, the forthcoming regulatory regime should strike a careful balance between protecting consumers and encouraging businesses to market innovative products.

Digital services are ruled in essence by EU legislation. As a member state of the EU, Greece implements and applies all EU legislation. National laws of Greece, not emanating from the EU, do not create any major impediments to the development of emerging digital technologies and services.

On 21 April 2021, the European Commission unveiled its Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain Union legislative acts’.

On a national level, a draft bill regarding “Emerging Information and Communication Technologies, Strengthening of Digital Governance and other provisions” had been open to public consultation until 14.07.2022. Issues related to AI apply to the public sector and certain companies within the private sector. In particular, the draft bill attempts to establish the necessary safeguards, in order for public sector bodies to be able to utilize the benefits of artificial intelligence technologies and in particular the benefits of the use of algorithmic decision-making systems, through the formulation of a framework of transparent information and protection of the fundamental rights affected by the use of the above systems. Furthermore, regulations are introduced to ensure that artificial intelligence technologies will not bring about undesired consequences of an ethical nature in the labor sector and unfair interference with the fundamental rights of employees.

Moreover, it is worth mentioning that the Hellenic Competition Commission (HCC) created on April 2021 its own data analysis platform, the “HCC Data Analytics and Economic Intelligence Platform”, as part of its digital transformation program. This innovative technological tool uses the opportunities algorithms offer to more accurately detect collusion and other anti-competitive practices upon the basis of Big Data. Legal framework regarding the HCC’s opportunity to conduct research on methods of shaping commercial behavior, including algorithmic methods is expected to be adopted.