The antecedent
Recently enacted Greek law 4624/2019 (Government Gazette Bulleting A137/29.8.2019), which implements both the provisions of the EU Law Enforcement Directive (LED, 2016/680) and the General Data Protection Regulation (GDPR) into national level, was adopted hastily under the threat of hefty financial sanctions. Since the first days after the law was adopted, a lot of criticism was voiced concerning the lack of conformity of its provisions with the GDPR.
On 24 January 2020 the Hellenic Data Protection Authority (“HDPA”) published Opinion 1/2020, whereby they reviewed certain key or contested aspects of the Greek GDPR Law and their compatibility with the Regulation.
Hellenic Data Protection Authority’s Approach
A. In General
The HDPA noted that they shall not be applying Greek GDRP Law provisions, which: (a) are deemed not in line with GDPR, and/or (b) are not based on opening clauses, which make it possible for Member States to lay down specific national arrangements.
HDPA pointed out that the interpretation of the Regulation should be left to the European courts (meaning the national courts and ultimately the European Court of Justice) and not to the Member States’ legislators.
B. The case of article 25 of law 4624/2019 – a provision not in line with GDPRAs explained by Greek Government in the explanatory memorandum to Law 4624/2019, article 25 creates a “national legal basis” i.e. a lawful ground that allows processing personal data for a purpose other than that for which the personal data have been collected.
However, according to HDPA’s Opinion, the national legislator is not allowed to introduce new grounds for lawful processing other than those already set out in Art. 6 GDPR.
The purpose of the provisions of Article 25 of the Law is to permit further processing of personal data, i.e. processing for a purpose other than that for which they were originally collected, only provided that further processing is compatible with the purposes of the original collection, in accordance with the principle of limitation of purpose. According to GDPR in such a case, no legal basis separate from that which allowed the collection of the personal data is required, said the Authority.
Furthermore, HDPA stressed that the national legislator is not obliged to take implementing measures for further processing as the GDPR itself establishes the criteria of lawful further processing in Article 6 par. 4(a) to (e).
In a Nutshell
As foresaid, the Hellenic Data Protection Authority noted that they shall not be applying Greek GDRP Law provisions, which: (a) are deemed not in line with GDPR, and/or (b) are not based on opening clauses, which make it possible for Member States to lay down specific national arrangements. Amongst other the Authority concludes that provisions of Article 25 do not meet any of the substantive and procedural requirements and guarantees set out in GDPR. Therefore they cannot be considered as in line with GDPR and will not be applied by the Authority.
Concluding Thoughts
Given the fact that the Authority has neither legislative nor judicial competence, it may seems as a paradox that the processors should entrust in Authority’s Approach, as set in the Opinion and ignore the Law. However, this is the case. We should bear in mind that under GDPR the supervisory Authority (i.e. HDPA) shall monitor and enforce the application of the Regulation.
Besides, this is not a first-case scenario. The Spanish supervisory Authority has come to similar conclusions regarding the national law, which implements the provisions of the General Data Protection Regulation (GDPR) into national level. According to Spanish Authority’s Decision 58/2019 counterpart article also violates implementation of GDPR.