GDPR Breach: What You Can Do if Your Personal Data Has Been Leaked

You found out that a company holding your personal data suffered a cyberattack. You received an email from an organisation informing you that your data “may have been exposed”. You discovered that your information is being used without permission for marketing purposes or that personal details were disclosed to third parties without a lawful basis.

A personal data breach is not merely a technical incident. It may amount to a serious violation of a fundamental right and may have real consequences: loss of control over your information, risk of fraud, unwanted commercial use, exposure of sensitive information or harm to your personal and professional life.

The General Data Protection Regulation (GDPR) provides specific rights to data subjects and imposes strict obligations on organisations that collect, store and process personal data.

What Is the GDPR and What Does It Protect?

The General Data Protection Regulation, Regulation (EU) 2016/679, has applied since May 2018 in all EU Member States, including Greece. It regulates the way public authorities, companies, organisations and professionals collect, store, use, transfer and delete personal data.

Personal data means any information relating to an identified or identifiable natural person. This may include a name, email address, phone number, home address, ID number, financial information, health data, location data, online identifiers, IP addresses and information which, alone or combined with other data, can identify a person.

The GDPR provides enhanced protection for special categories of data, such as health data, biometric and genetic data, religious or philosophical beliefs, political opinions, trade union membership and data concerning a person’s sex life or sexual orientation.

What Is a Personal Data Breach?

A personal data breach is a security incident leading, accidentally or unlawfully, to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Malicious intent is not always required. A breach may result from a cyberattack, but also from human error, insufficient security measures or a flawed internal procedure.

Common examples include:

Cyberattacks or hacking of a company’s systems.

Sending an email containing personal data to the wrong recipient.

Loss of a laptop, mobile phone or USB device containing unprotected personal data.

Unauthorised employee access to customer, patient or colleague files.

Unlawful transfer or sale of a customer database.

Publication of documents or files containing personal information without a lawful basis.

What the Data Controller Must Do

When a personal data breach occurs, the organisation that determines the purposes and means of processing (the data controller) has specific obligations.

Notification to the supervisory authority

The controller must generally notify the competent supervisory authority of the breach without undue delay and, where feasible, within 72 hours after becoming aware of it.

In Greece, the competent supervisory authority is the Hellenic Data Protection Authority (HDPA).

Not every incident must necessarily be notified to the Authority. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons, notification may not be required. However, the incident must still be assessed and documented.

Communication to affected data subjects

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the breach to the affected individuals without undue delay.

The communication must be clear and understandable. A generic announcement or a formal apology is not enough. Depending on the case, the data subject should be able to understand what happened, which data may have been affected, what the possible consequences are and what protective steps may be taken.

Documentation and remedial measures

The controller must document the breach, including the facts relating to the incident, its effects and the remedial action taken.

Documentation is critical because, under the GDPR, it is not enough to assert compliance; the controller must be able to demonstrate it.

Your Rights as a Victim of a Personal Data Breach

Right to information and access

You may request that the organisation inform you which personal data it processes, for what purpose, on what legal basis, for how long it keeps the data and to whom it has disclosed it.

In the context of a breach, the right of access may be essential in order to determine which data was affected and what risks may arise.

Right to rectification, erasure and restriction of processing

Depending on the circumstances, you may request rectification of inaccurate data, erasure of data that should no longer be retained or restriction of processing.

The so-called “right to be forgotten” does not apply automatically in every case. It depends on the legal basis of the processing, the purpose for which the data is retained and any legal obligations requiring its retention.

Right to lodge a complaint with the Hellenic Data Protection Authority

You may lodge a complaint with the Hellenic Data Protection Authority (HDPA) if you believe that the processing of your personal data violates the GDPR or Greek data protection legislation.

The complaint may concern, among other things, unlawful processing, failure to satisfy an access or erasure request, unlawful transfer of data, insufficient information following a breach or unlawful marketing communications.

The HDPA may investigate the case and, if it finds an infringement, impose corrective measures or administrative sanctions.

Right to compensation

Any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to seek compensation from the controller or, where applicable, the processor.

Non-material damage may be linked to anxiety, distress, fear of misuse, loss of control over personal information or violation of privacy. However, compensation is not awarded automatically merely because a breach occurred. The infringement, the damage and the causal link between them must be established.

Judicial protection

A complaint before the HDPA and a compensation claim before the civil courts are separate legal options. One does not necessarily exclude the other.

The appropriate strategy depends on the type of breach, the seriousness of the harm, the available evidence, the organisation’s response and the objective pursued by the data subject.

Common GDPR Breach Scenarios

Data leak from a company or organisation

Banks, insurance companies, telecom providers, hospitals, private clinics, educational institutions and e-commerce platforms process large volumes of personal data. When a breach occurs, it is important to assess what type of data was affected, how many individuals were impacted, what security measures existed and how the organisation responded.

Unlawful use of employee data

The processing of employee data must be limited to what is necessary and lawful for the employment relationship and the operation of the business. Email monitoring, GPS use, productivity monitoring, disclosure of salary or medical information and the use of CCTV in the workplace require particular care, a clear purpose, a lawful basis and prior information where required.

Spam and unlawful marketing communications

Sending advertising emails, SMS messages or other marketing communications without a lawful basis may violate both the GDPR and Greek Law 3471/2006 on electronic communications. Consent, an easy opt-out mechanism and any prior relationship with the sender are particularly important.

Breaches by public authorities

The GDPR also applies to the public sector. Hospitals, municipalities, schools, social security bodies and public services must comply with the principles of lawfulness, transparency, data minimisation, security and accountability when processing personal data.

What You Should Do Immediately if You Suspect a Breach

First, document everything. Save every email, letter, notification, screenshot, message or other element showing what happened and when you became aware of it.

Second, request written information from the organisation. You may ask it to explain which data was affected, what caused the breach, what measures were taken and what the potential risks are.

Third, take practical protective measures. If the breach concerns login credentials, financial data or identity information, you may need to change passwords, enable two-factor authentication, notify your bank or be especially alert to phishing messages.

Fourth, assess your legal options. If the breach is serious, if the organisation does not respond adequately or if you have suffered harm, a complaint before the HDPA, a legal notice or a compensation claim may be required.

Frequently Asked Questions About GDPR Breaches in Greece

Am I entitled to compensation even if I suffered no financial loss?

Yes, compensation may be sought for non-material damage. Financial loss is not necessarily required. However, the mere existence of an infringement is not enough. It must be shown that the infringement caused specific material or non-material damage, such as distress, anxiety, loss of control over data or fear of misuse, depending on the circumstances.

What is the deadline for lodging a complaint with the HDPA?

The GDPR does not lay down a specific limitation period within which a data subject must lodge a complaint with the supervisory authority. Nevertheless, timely action is important, as it facilitates the investigation and the proof of the facts.

For compensation claims, the applicable limitation period requires specific legal assessment, depending on the legal basis of the claim and the facts of the case.

Can I lodge a complaint if I do not know exactly which data was leaked?

Yes. You do not need to have a complete technical picture of the incident in order to contact the HDPA or exercise your rights against the organisation. However, it is important to collect the evidence you have and request specific written information.

What fines can the HDPA impose?

Depending on the type and seriousness of the infringement, administrative fines may reach up to EUR 10 million or up to 2% of the total worldwide annual turnover for certain infringements, and up to EUR 20 million or up to 4% of the total worldwide annual turnover for more serious infringements; in each tier, whichever amount is higher applies.

In practice, the amount of the fine depends on several factors, including the nature, gravity and duration of the infringement, the number of individuals affected, the degree of fault, the measures taken and cooperation with the supervisory authority.

Does the GDPR apply to small businesses?

Yes. The GDPR also applies to small businesses if they process personal data. The size of the business may be taken into account when assessing appropriate compliance measures, but it is not a general exemption from the Regulation.

Can I do something if the breach was caused by a foreign company?

Yes, where the GDPR applies. The Regulation may also apply to companies outside the European Union when they offer goods or services to individuals located in the EU or monitor their behaviour within the EU. Depending on the case, a complaint may be lodged with the HDPA or the cooperation mechanism with the competent supervisory authority of another Member State may be activated.

Work with an Experienced Data Protection Law Firm in Greece

A personal data breach is not merely a technical problem. It may affect privacy, financial security, professional reputation and the daily life of the person concerned.

Our firm provides specialised legal support in cases involving GDPR breaches, personal data leaks, unlawful processing, unlawful marketing communications, violation of data subject rights and compensation claims arising from personal data infringements.

We assist with the assessment of the incident, the collection and organisation of evidence, the drafting of requests to data controllers, the filing of complaints before the Hellenic Data Protection Authority and, where required, the pursuit of compensation claims before the competent courts.

In these matters, speed matters, but accuracy matters even more. Proper legal assessment from the outset can determine whether a case remains a standard request or develops into a meaningful enforcement of rights.

This article is for informational purposes only and does not constitute legal advice. Each case requires an individual assessment, based on its specific facts and the applicable legal framework. For tailored legal advice, please contact our office.
