Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Greece Ελληνική Δημοκρατία / Hellenic Republic


Greece — analytics & cookie compliance reference

What you can run on a Greek-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. HDPA enforces a moderate but consistent line · Greek-language privacy notices required · specific DPO recognition rules.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Greece. Sectoral rules (gambling, telecoms, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National addons

Country-specific statutes layered on the EU baseline.

Law 4624/2019  Stricter
Νόμος 4624/2019 — Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα, μέτρα εφαρμογής του Κανονισμού (ΕΕ) 2016/679
National GDPR implementation. Sets DPO formalities, employee data rules, special-category permissions, and lowers the digital-consent age for information-society services to 15. Defines HDPA powers and procedural rules.
  • Art 8 Child consent age — lowered to 15 for information-society services (GDPR default is 16; Member States may set it no lower than 13)
  • Art 21 Employee data — necessity for employment relationship; restrictions on workplace monitoring
  • Art 22 Special-category permissions — public health, social security, employment law
  • Art 27 DPO recognition — qualifications, duties, contact-point obligations
  • Art 38–39 Administrative fines and criminal penalties — up to 10 years' imprisonment for aggravated offences
Government Gazette A' 137/29.08.2019. Implements GDPR opening clauses + Law Enforcement Directive (EU) 2016/680.
Law 3471/2006  Stricter
Νόμος 3471/2006 — Προστασία δεδομένων προσωπικού χαρακτήρα και της ιδιωτικής ζωής στον τομέα των ηλεκτρονικών επικοινωνιών
Cookies + terminal-equipment access + electronic communications privacy + direct-marketing rules. Article 4(5) transposes ePrivacy Art 5(3) — prior, informed, granular consent for any non-strictly-necessary storage/access on terminal equipment.
  • Art 4(5) Storage / read access on terminal equipment requires prior, informed consent — analytics, marketing, and A/B testing never qualify as strictly-necessary
  • Art 11 Direct marketing — email/SMS opt-in (double-opt-in standard); soft opt-in for existing customers' similar products with opt-out at every contact
  • Art 13 Unsolicited communications — fines and individual right of action
Government Gazette A' 133/28.06.2006. Transposes ePrivacy Directive 2002/58/EC (as amended by 2009/136/EC).
Law 3979/2011
Νόμος 3979/2011 — Για την ηλεκτρονική διακυβέρνηση και λοιπές διατάξεις
Rules for public-sector digital services, electronic identification, and government website analytics. Imposes additional documentation requirements on public bodies that deploy analytics, and sets accessibility/transparency baselines that interact with cookie-consent layers.
  • Art 4 Public-sector digital service principles — transparency, data minimisation, audit trails
  • Art 26 Government website obligations — accessibility, retention limits, processing notices
Government Gazette A' 138/16.06.2011. Greek e-Government Act.

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NATIONAL
HDPA · Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα (Hellenic Data Protection Authority)
Single national supervisory authority for the private sector, public bodies, and law-enforcement processing. No state/regional DPAs in Greece.

Coordination body

HDPA Plenary · Plenary Session of the Hellenic Data Protection Authority
Issues binding opinions, decisions, and guidelines. Meets monthly; decisions published on dpa.gr.
  • 2022-01-31 · Cookies and tracking technologies — HDPA Guideline 1/2020 (recap and reinforcement) — non-essential cookies require prior, granular, informed consent; pre-ticked boxes invalid; equal-prominence reject button required.
  • 2023-09-15 · GA4 and international transfers — HDPA aligned with EDPB position — Google Analytics permissible only with explicit consent under Law 3471/2006 Art 4(5); post-DPF transfers acceptable while Google LLC remains certified.
  • 2024-06 · Consent Mode v2 — HDPA confirms that cookieless pings still constitute access to terminal equipment under Law 3471/2006 Art 4(5) — consent required regardless of GDPR Art 6 basis.
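The gate those three plenary entries describe, as an added example in JavaScript that is not part of this page, of the HDPA guidance, or of any CMP or Google code: a tag registry in which each tag declares the consent categories it needs, a consent state that defaults to nothing granted except strictly-necessary, a loader that fetches a tag only once every category it needs is granted, and the mapping from those categories to Google's Consent Mode v2 signals (analytics_storage, ad_storage, ad_user_data, ad_personalization). The tag names, script URLs, the G-TEST measurement ID and the `loadScript` recorder are constructed stand-ins for a real page. The naive variant loads gtag immediately with a denied default; under the 2024-06 entry above that still counts as terminal-equipment access, so the gated loader does not fetch the library at all until analytics consent exists.

```javascript
'use strict';

// Consent categories as the page's reading of Law 3471/2006 Art 4(5) splits them:
// only "necessary" may run before a choice; everything else waits for an opt-in.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Constructed tag registry (names, URLs and the G-TEST ID are illustrative).
// A tag loads only when every category it lists has been granted.
const TAG_REGISTRY = [
  { name: 'csrf-helper', src: '/static/csrf.js', needs: ['necessary'] },
  { name: 'ga4', src: 'https://www.googletagmanager.com/gtag/js?id=G-TEST', needs: ['analytics'] },
  { name: 'meta-pixel', src: 'https://connect.facebook.net/en_US/fbevents.js', needs: ['marketing'] },
  { name: 'ab-testing', src: 'https://ab.example.invalid/ab.js', needs: ['analytics', 'marketing'] },
];

// State before the banner is answered: no pre-ticked boxes, nothing granted.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// A consent object from the CMP must cover every category with an explicit
// boolean; "necessary" can never be switched off.
function isValidConsent(state) {
  return state !== null && typeof state === 'object'
    && CATEGORIES.every((c) => typeof state[c] === 'boolean')
    && state.necessary === true;
}

// Map site categories onto the four Consent Mode v2 signals. This object is
// what gtag('consent', 'update', ...) receives once gtag has been loaded.
function toConsentModeV2(state) {
  const flag = (granted) => (granted ? 'granted' : 'denied');
  return {
    analytics_storage: flag(state.analytics),
    ad_storage: flag(state.marketing),
    ad_user_data: flag(state.marketing),
    ad_personalization: flag(state.marketing),
  };
}

// Naive pattern: fetch gtag on page load and rely on a "denied" default.
// The library still runs and sends cookieless pings before any choice.
function naiveLoad(loadScript) {
  // gtag('consent', 'default', { analytics_storage: 'denied', ... }) would sit here
  loadScript(TAG_REGISTRY.find((t) => t.name === 'ga4').src);
}

// Gated pattern: nothing non-necessary is fetched until its categories are
// granted; each tag is loaded at most once.
function createGatedLoader(loadScript) {
  const loaded = new Set();
  let state = defaultConsent();

  const apply = () => {
    for (const tag of TAG_REGISTRY) {
      if (!loaded.has(tag.name) && tag.needs.every((c) => state[c])) {
        loaded.add(tag.name);
        loadScript(tag.src);
      }
    }
  };
  apply(); // page load: only strictly-necessary tags qualify

  return {
    // Wired to the CMP's consent callback. Returns the Consent Mode update to
    // pass to gtag and whether a withdrawal happened: a script that already ran
    // cannot be un-run, so withdrawal needs a reload with the new state.
    onConsentChange(next) {
      if (!isValidConsent(next)) throw new Error('invalid consent state');
      const withdrawn = CATEGORIES.filter((c) => state[c] && !next[c]);
      state = { ...next };
      apply();
      return { consentMode: toConsentModeV2(state), reloadRequired: withdrawn.length > 0 };
    },
    loadedTags: () => [...loaded],
  };
}

// Run both patterns against a recorder instead of a DOM and report what each
// fetched before and after an analytics-only opt-in.
function simulatePageLoad() {
  const naive = [];
  naiveLoad((src) => naive.push(src));

  const gated = [];
  const loader = createGatedLoader((src) => gated.push(src));
  const beforeConsent = gated.slice();
  const update = loader.onConsentChange({ necessary: true, analytics: true, marketing: false });

  return {
    naiveBeforeConsent: naive,
    gatedBeforeConsent: beforeConsent,
    gatedAfterConsent: gated.slice(),
    consentModeUpdate: update.consentMode,
  };
}

console.log(JSON.stringify(simulatePageLoad(), null, 2));
```

In a real page `loadScript` appends a `<script>` element and `onConsentChange` is the CMP's callback; the returned Consent Mode object is only ever passed to gtag after gtag has been loaded by the gate, which keeps the "default denied but already pinging" state from occurring.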

Notable enforcement

HDPA enforcement style is moderate but consistent — fines are smaller than the German or French peaks but cover a steady stream of cookie-banner failures, telecom security breaches, direct-marketing violations, and gambling-sector targeting issues. OPAP (national gambling monopoly), Cosmote/OTE (incumbent telco), and Eurolife/Eurobank (financial services) anchor the enforcement narrative. The HDPA tends to publish detailed decisions in Greek with English summaries, and frequently signals expectations through guidelines before issuing fines.

  1. 2022-07 · €20.0M · Clearview AI · HDPA · Art 5, 6, 9, 12, 14, 15, 16 · stood
     Coordinated EU action on facial-recognition scraping. Greece's HDPA contribution to the cross-DPA enforcement wave (FR, IT, EL, UK).

  2. 2024-04 · €5.85M · Cosmote / OTE · HDPA · Art 5, 32 · stood
     Security failure leading to exposure of customer data following a 2020 incident. €3.25M to Cosmote + €2.6M to OTE for parent-company oversight failures.

  3. 2022-07 · €3.0M · OPAP · HDPA · Art 5, 6, 7 · stood
     Telephone marketing without valid consent + insufficient opt-out handling. Largest gambling-sector fine in Greece.

  4. 2024-12 · €700k · Eurolife / Eurobank · HDPA · Art 6, 7, 21 · stood
     Direct-marketing consent failures + insufficient honouring of objection requests across the Eurobank insurance group.

  5. 2023-05 · €175k · Greek Ministry of Migration · HDPA · Art 5, 25, 35 · stood
     Centaur/Hyperion border-surveillance systems deployed without a DPIA. Public-sector fine; cited in Council of Europe reports.

  6. 2023-09 · €25k · Skroutz S.A. · HDPA · Art 12, 15 · stood
     DSAR handling failures: incomplete responses to access requests on Greece's largest e-commerce comparison platform.

GA4 status

GA4 is usable in Greece only with prior, explicit, granular consent under Law 3471/2006 Art 4(5). After EU-US DPF (Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. HDPA aligned with EDPB position — moderate enforcement, no aggressive standalone fines on GA4, but consent-banner non-compliance is the primary risk vector.

DPA · Stance
HDPA · Aligned with EDPB: opt-in for non-essential analytics is non-negotiable; post-DPF US transfers acceptable; controllers expected to maintain DPF-status verification + fallback TIA for non-DPF vendors.

Cross-border transfers + Schrems II

HDPA accepts adequacy for DPF-certified US importers post-10 July 2023. Position is moderate — no aggressive Schrems II enforcement comparable to LfDI BW or CNIL pre-DPF, but HDPA expects controllers to verify DPF certification status before each transfer and to maintain a Transfer Impact Assessment for non-DPF recipients. Greek-language documentation of TIA + supplementary measures expected for any US transfer outside DPF.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. HDPA reviews SCC implementation in audit cycles but does not publish standalone TIA templates — controllers reuse EDPB Recommendations 01/2020.

Employee data

Key thresholds

Child consent age: 15 years
Article 27 representative: Required
Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Status · Rationale (vendor names were not preserved in this copy)
· YELLOW · Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
· YELLOW · EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
· YELLOW · EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
· RED · Auto-capture grabs every click and form value: broad PII risk under GDPR Art 5(1)(c) data minimisation.
Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Status · Rationale (vendor names were not preserved in this copy)
· GREEN · Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent; verify your manual scripts also gate.
· GREEN · Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
· GREEN · Open-source, self-hosted. No managed updates; site owner maintains vendor list.
· GREEN · GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch; verify per-region defaults.
· GREEN · German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.
Ad pixels · 3 · 0 green · 0 yellow · 3 red
Status · Rationale (vendor names were not preserved in this copy)
· RED · Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
· RED · Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem.
· RED · PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.
Server-side · 3 · 2 green · 1 yellow · 0 red
Status · Rationale (vendor names were not preserved in this copy)
· GREEN · EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
· GREEN · EU server containers handle the routing, but server-side tagging does NOT auto-fix consent. The CMP must still gate browser-side pings.
· YELLOW · "EU server" ≠ EU data: clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.
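A check a practitioner would run before trusting the green markers above, as an added example that is not part of this page or of any vendor's tooling: a recorded pre-consent page load (cookies present, requests made, as a browser devtools export would give them) is audited against cookie-name and endpoint rules. The capture is constructed for illustration; the cookie names and hostnames are the public ones used by GA4, Meta Pixel and TikTok Pixel, but the rule lists are a starting point, not a vendor catalogue. Beyond the obvious third-party hits it flags two cases the tables above call out: a Consent Mode cookieless ping (GA4's `gcs=G1x0` parameter, analytics_storage denied) and an analytics hit routed through the site's own hostname, the server-side container case where host-based allowlists see nothing wrong.

```javascript
'use strict';

// Cookie-name rules. "essential" covers session/CSRF cookies and the cookie a
// CMP uses to remember the choice; anything else present before consent is a
// finding under the page's reading of Law 3471/2006 Art 4(5). Starting list only.
const COOKIE_RULES = [
  { re: /^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|CookieConsent|cookieconsent_status|euconsent-v2|OptanonConsent)$/, purpose: 'essential' },
  { re: /^(_ga|_ga_[A-Z0-9]+|_gid|_gat(_[A-Za-z0-9]+)?|_pk_(id|ses)\..*)$/, purpose: 'analytics' },
  { re: /^(_fbp|_fbc|_gcl_au|_gcl_aw|IDE|_ttp|_tt_enable_cookie)$/, purpose: 'marketing' },
];

// Endpoint rules, matched on hostname and path. Order matters: the last rule
// catches a GA4 collect path on ANY host, including the site's own, so a
// server-side container behind a first-party hostname is still seen.
const REQUEST_RULES = [
  { host: /(^|\.)googletagmanager\.com$/, path: /^\/(gtag\/js|gtm\.js)$/, kind: 'tag-loader' },
  { host: /^connect\.facebook\.net$/, path: /\/fbevents\.js$/, kind: 'tag-loader' },
  { host: /^analytics\.tiktok\.com$/, path: /\/events\.js$/, kind: 'tag-loader' },
  { host: /(^|\.)google-analytics\.com$/, path: /^\/(g\/)?collect$/, kind: 'analytics-ping' },
  { host: /^analytics\.google\.com$/, path: /^\/g\/collect$/, kind: 'analytics-ping' },
  { host: /(^|\.)facebook\.com$/, path: /^\/tr\/?$/, kind: 'marketing-ping' },
  { host: /(^|\.)doubleclick\.net$/, path: /.*/, kind: 'marketing-ping' },
  { host: /^analytics\.tiktok\.com$/, path: /.*/, kind: 'marketing-ping' },
  { host: /.*/, path: /^\/g\/collect$/, kind: 'analytics-ping' },
];

function classifyCookie(name) {
  const rule = COOKIE_RULES.find((r) => r.re.test(name));
  return rule ? rule.purpose : 'unknown';
}

// capture = { site, cookies: [{name}], requests: [url] }, everything observed
// before the banner was answered. Returns one finding per problem.
function auditPreConsentCapture(capture) {
  const findings = [];

  for (const cookie of capture.cookies) {
    const purpose = classifyCookie(cookie.name);
    if (purpose === 'essential') continue;
    findings.push({
      severity: purpose === 'unknown' ? 'review' : 'violation',
      kind: 'cookie',
      subject: cookie.name,
      reason: purpose === 'unknown'
        ? 'unclassified cookie present before consent; document its purpose or gate it'
        : `${purpose} cookie set before consent`,
    });
  }

  for (const raw of capture.requests) {
    const url = new URL(raw);
    const rule = REQUEST_RULES.find((r) => r.host.test(url.hostname) && r.path.test(url.pathname));
    if (!rule) continue;
    const subject = url.hostname + url.pathname;

    if (rule.kind === 'tag-loader') {
      findings.push({ severity: 'violation', kind: 'request', subject,
        reason: 'tracking library fetched before consent; gate the script tag itself, not only its cookies' });
      continue;
    }

    // gcs=G1<ad><analytics>: G100 = both denied, G110 = analytics denied.
    const gcs = url.searchParams.get('gcs');
    let reason = `${rule.kind} sent before consent`;
    if (gcs !== null && /^G1[01]0$/.test(gcs)) {
      reason = `Consent Mode cookieless ping (gcs=${gcs}) sent before consent; still terminal-equipment access under the HDPA reading`;
    } else if (url.hostname === capture.site) {
      reason = `${rule.kind} routed through the first-party host before consent; server-side tagging does not replace the consent gate`;
    }
    findings.push({ severity: 'violation', kind: 'request', subject, reason });
  }
  return findings;
}

function summarize(findings) {
  const out = { violation: 0, review: 0 };
  for (const f of findings) out[f.severity] += 1;
  return out;
}

// Constructed capture of a misconfigured site (not a real deployment):
// GA4 loaded with a denied default, a first-party GA4 proxy, and Meta Pixel
// all firing before the banner is answered.
const SAMPLE_CAPTURE = {
  site: 'shop.example.gr',
  cookies: [
    { name: 'PHPSESSID' }, { name: 'CookieConsent' },
    { name: '_ga' }, { name: '_ga_TEST12345' }, { name: '_fbp' }, { name: 'promo_seen' },
  ],
  requests: [
    'https://shop.example.gr/static/app.js',
    'https://www.googletagmanager.com/gtag/js?id=G-TEST',
    'https://region1.google-analytics.com/g/collect?v=2&tid=G-TEST&gcs=G100&en=page_view',
    'https://shop.example.gr/g/collect?v=2&tid=G-TEST&en=page_view',
    'https://www.facebook.com/tr?id=0&ev=PageView',
  ],
};

console.log(summarize(auditPreConsentCapture(SAMPLE_CAPTURE))); // prints { violation: 7, review: 1 }
```

Feed it the cookie jar and request log from a fresh profile that has not clicked the banner; a clean result on the landing page is not enough, since tags added through the tag manager on inner pages or after a login are the usual way a "green" CMP ends up with a red pixel behind it.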


Common questions

Is Google Analytics legal in Greece in 2026?
Yes, conditionally. GA4 is usable in Greece only with prior, explicit, granular consent under Law 3471/2006 Art 4(5). After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful in principle while Google LLC remains DPF-certified. Without consent or with DPF lapse, HDPA treats GA4 as non-compliant, in line with the EDPB position.
How is the HDPA structured and how does enforcement work?
Greece has a single national supervisory authority — the Hellenic Data Protection Authority (HDPA / Αρχή Προστασίας Δεδομένων Προσωπικού Χαρακτήρα). There are no regional or state DPAs. The HDPA Plenary issues decisions monthly, publishes guidelines on dpa.gr, and conducts audits. Enforcement style is moderate but consistent — smaller fines than Germany or France, but a steady stream covering cookies, telecoms, marketing, and gambling sectors.
Do I need a Greek DPO?
Greece does not impose a stricter DPO threshold than GDPR — Law 4624/2019 follows the GDPR Art 37 triggers (public authorities, large-scale systematic monitoring, large-scale special-category processing). However, Art 27 of Law 4624/2019 sets specific qualification, registration, and contact-point obligations for the appointed DPO that go beyond GDPR. Notification of the DPO to HDPA is mandatory.
What is the child digital-consent age in Greece?
Greece set the age at 15 in Art 8 of Law 4624/2019: below the GDPR default of 16 and above the 13-year minimum Member States may adopt. Below 15, parental consent is required for information-society services (social media, online games, analytics that profiles minors). Operators targeting Greek minors must verify parental authority through reasonable means.
What language must my privacy notice and cookie banner be in?
HDPA position: Greek-language notices for Greek-targeted sites are required — English-only is insufficient when the targeting test points to Greece. Targeting signals include .gr domain, Greek-language content, EUR pricing aimed at Greek consumers, Greek-language marketing, and shipping/service availability in Greece. Bilingual (Greek + English) is the safe pattern; Greek-only is acceptable; English-only is non-compliant for Greek-targeted services.
Is 'legitimate interest' a valid basis for analytics in Greece?
No, for non-essential analytics that store or read on terminal equipment. Law 3471/2006 Art 4(5) is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. Art 4(5) governs the cookie/tracking layer; GDPR governs subsequent processing. HDPA's 1/2020 guideline reinforces this split.
Do I need a Greek Article 27 representative?
Yes, if you are a non-EU controller offering goods/services to, or monitoring the behaviour of, people in Greece (or any EEA state), unless the small-business exception in Art 27(2) applies. HDPA actively pursues non-designation in audits and has issued warnings to non-EU operators with .gr-targeted services.
What's the OPAP fine and why does it matter?
OPAP is the Greek national gambling monopoly. In July 2022 HDPA fined OPAP €3M for telephone marketing without valid consent and insufficient handling of opt-out requests. The case anchors HDPA's expectations on direct-marketing consent quality (granular, prior, demonstrable) and on opt-out plumbing reliability. Even regulated incumbents are not shielded from large fines.
What changed after the Cosmote/OTE €5.85M fine?
The April 2024 fine (€3.25M Cosmote + €2.6M OTE) covered a 2020 security incident exposing customer data. The decision emphasized that GDPR Art 32 (security of processing) failures attract significant fines even for incumbent telecoms, and that parent-company oversight failures (OTE) are independently sanctionable. After this, HDPA expects telecom-grade security controls from any large data controller — encryption-at-rest, access-control segmentation, breach-notification timeliness.
Does Schrems II still affect transfers post-DPF?
Yes, for non-DPF transfers. The DPF restored adequacy for DPF-certified US importers, and the EU General Court dismissed the challenge to it in September 2025 (Latombe v Commission, T-553/23). For non-DPF US recipients, Schrems II logic still applies: a Transfer Impact Assessment plus supplementary measures is required. HDPA's position is moderate, with no aggressive Schrems II enforcement comparable to LfDI BW or CNIL pre-DPF, but Greek-language documentation of the TIA and of DPF-status verification is expected.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Greece's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.