Greece

EU Member State: Greece has been a member of the European Union since January 1, 1981 and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Greece’s national implementing legislation, the Hellenic Data Protection Authority, intelligence and surveillance architecture, the Predator/Intellexa scandal, and Greece’s role as a Mediterranean communications infrastructure hub.

Overview

Greece occupies a distinctive position in European privacy law, shaped by strong constitutional protections that have been repeatedly tested by surveillance scandals of international significance. The Greek Constitution, revised in 2001, enshrines both the right to data protection (Article 9A) and the absolute inviolability of communications secrecy (Article 19), and mandates independent authorities to safeguard each right.^[1] The Hellenic Data Protection Authority (HDPA), known in Greek as the Archi Prostasias Dedomenon Prosopikou Charaktira (APDPC), has constitutional status and has issued some of the GDPR’s most significant fines, including a EUR 20 million penalty against Clearview AI.^[2]

On the intelligence side, Greece’s Ethniki Ypiresia Pliroforion (EYP), the National Intelligence Service, was placed under the direct control of the Prime Minister in July 2019.^[3] Three years later, Greece became the epicentre of a spyware scandal when it emerged that the phones of Nikos Androulakis, leader of the opposition PASOK party and a Member of the European Parliament, and financial journalist Thanasis Koukakis had been targeted with the Predator spyware, marketed in Greece by the Intellexa consortium founded by former Israeli intelligence officer Tal Dilian.^[4] The scandal prompted resignations, legislative reform through Law 5002/2022, the addition of Intellexa to the U.S. Commerce Department’s Entity List in July 2023, and a criminal trial that opened in April 2025 and remains ongoing as of February 2026.^[5][6]

Greece’s surveillance history extends further back. The 2004–05 Vodafone Greece wiretapping affair, in which more than 100 mobile phones belonging to senior government officials were illegally tapped through rogue code inserted into Ericsson AXE telephone switches, remains one of the most technically sophisticated surveillance operations ever documented and has never been fully resolved.^[7]

Data Protection Authority: HDPA

The Hellenic Data Protection Authority (HDPA) was first established in 1997 under Law 2472/1997, Greece’s original data protection statute implementing EU Directive 95/46/EC. Its role was elevated to constitutional status when the 2001 constitutional revision introduced Article 9A, which establishes the right to protection from the collection, processing, and use of personal data and mandates an independent authority to safeguard this right.^[1]

The HDPA’s members are appointed with the guarantees defined in Article 101A of the Constitution, which ensures both personal and functional independence. The authority has its own Secretariat, operates at management level, and maintains its own budget. In practice, however, the HDPA has faced persistent staffing and budget constraints. A 2022 survey of EU data protection authorities found that over 80% reported insufficient budgets, and Greece experienced a budget cut of nearly EUR 300,000 from 2020 to 2021. Proposals by the HDPA President to improve remuneration for staff have gone unaddressed.^[8]

Major Fines

The Clearview AI fine is particularly notable. In Decision 35/2022, the HDPA found that Clearview AI violated principles of lawfulness and transparency by scraping facial images of individuals in Greek territory without legal basis, failing to provide information to data subjects, and failing to respond to access requests. The authority ordered Clearview to cease all collection and processing of personal data of individuals in Greece and to delete existing data. The decision was issued following a complaint by the Greek civil society organisation Homo Digitalis.^[2]

Key Legislation

Constitution: Articles 9A and 19

Article 9A, introduced in the 2001 constitutional revision, establishes the right to protection from the collection, processing, and use of personal data and mandates an independent authority (the HDPA) to safeguard this right.^[1]

Article 19(1) provides that the “secrecy of letters and all other forms of free correspondence or communication shall be absolutely inviolable.” The Constitution permits only two exceptions: for national security reasons and for the investigation of especially serious crimes, both requiring judicial authorisation. Article 19(2) mandates the establishment of an independent authority to ensure the confidentiality of communications, which is the ADAE. Article 19(3) prohibits the use of evidence obtained in violation of communications secrecy.^[12]

Law 4624/2019 – GDPR Implementation

Law 4624/2019 entered into force on August 29, 2019 as Greece’s national implementation of the GDPR. It serves three purposes: supplementing the GDPR through opening clauses, transposing the Law Enforcement Directive (2016/680) into Greek law, and re-establishing the HDPA’s organisational framework. Key national provisions include setting the age of consent for data processing at 15 years (below the GDPR default of 16), establishing rules for processing special categories of data by public and private entities, and detailing the HDPA’s powers and procedures.^[13]

Law 2225/1994 – Wiretapping

Law 2225/1994 implements Article 19 of the Constitution by establishing the procedure for lifting the secrecy of communications. Applications for interception may only be made for national security (Article 3) or for the investigation of specified serious crimes (Article 4). Authorised interception may not exceed two months, with extensions capped at a total of ten months for criminal investigations. Critically, no time limit applies to surveillance conducted for national security reasons, and the law does not define “national security,” creating significant ambiguity.^[12]

Law 5002/2022 – Surveillance Reform

Enacted on December 9, 2022 in direct response to the Predator scandal, Law 5002/2022 reformed the framework governing the privacy of communications and cybersecurity. The law made it a criminal offence for non-state actors to possess, produce, purchase, or sell surveillance software capable of intercepting, recording, or extracting communication content, with a minimum two-year prison sentence. Greece became the first EU member state to explicitly prohibit and penalise spyware transactions on its territory.^[5]

However, the law has faced criticism from Human Rights Watch and other organisations for legitimising government procurement of such spyware under presidential decree, while lacking independent oversight safeguards against state misuse.^[5]

Law 3115/2003 – ADAE

Law 3115/2003 established the Hellenic Authority for Communication Security and Privacy (ADAE) as the independent authority mandated by Article 19(2) of the Constitution. ADAE has competence to issue regulations on communications confidentiality, audit telecommunications providers and the intelligence service, investigate complaints, and receive all lawful interception orders issued by judicial authorities.^[14]

Law 3917/2011 – Data Retention

Law 3917/2011 transposed the EU Data Retention Directive (2006/24/EC) into Greek law, requiring telecommunications and internet service providers to retain traffic and location data for twelve months. The law remains in force despite the CJEU’s invalidation of the underlying directive in 2014.^[15]

Surveillance and Intelligence

EYP: National Intelligence Service

The Ethniki Ypiresia Pliroforion (EYP), Greece’s National Intelligence Service, operates under the authority of the Prime Minister. In July 2019, Prime Minister Kyriakos Mitsotakis placed EYP under his direct personal control as one of his first acts upon taking office, reversing earlier reforms that had transferred oversight to the Ministry of Public Order.^[3] This decision became a central element of the subsequent Predator scandal, as it meant the intelligence service was operating with minimal institutional distance from the head of government.

Surveillance by EYP requires judicial authorisation under Law 2225/1994. For national security cases, authorisation is granted by a prosecutor designated by the Supreme Court, while criminal investigation interceptions require authorisation from a judicial council. In both cases, the proceedings are secret and the target is not notified.^[12]

The Predator/Intellexa Scandal

Greece’s surveillance crisis, sometimes called Predatorgate or the Greek Watergate, unfolded in stages beginning in 2021:

• November 2021: It emerged that EYP had placed a lawful wiretap on the phone of financial journalist Thanasis Koukakis, who was investigating banking and financial irregularities
• March 2022: The University of Toronto’s Citizen Lab confirmed that Koukakis’s phone had also been infected with Predator spyware on March 28, 2022
• July 2022: Nikos Androulakis, leader of the opposition PASOK party and a sitting MEP, revealed that his phone had been targeted with Predator. It subsequently emerged that EYP had also placed a lawful wiretap on his phone^[4]
• August 2022: The head of EYP, Panagiotis Kontoleon, and the Prime Minister’s chief of staff and nephew, Grigoris Dimitriadis, both resigned. Prime Minister Mitsotakis denied personal knowledge of the surveillance^[4]
• December 2022: Law 5002/2022 was enacted, banning private spyware and reforming surveillance procedures^[5]

Subsequent reporting identified additional targets. The Predator spyware, developed by Cytrox in North Macedonia and marketed by the Intellexa consortium, allows full remote access to a target’s smartphone, including encrypted messages, camera, microphone, and real-time location. The consortium was founded by Tal Dilian, a former Israeli military intelligence officer.^[6]

On July 18, 2023, the U.S. Commerce Department’s Bureau of Industry and Security added Intellexa S.A. (Greece), Cytrox Holdings (Hungary), Intellexa Limited (Ireland), and Cytrox AD (North Macedonia) to the Entity List for trafficking in cyber exploits. In March 2024, the U.S. Treasury Department imposed sanctions on Tal Dilian personally and on multiple Intellexa-linked entities.^[6]

In December 2025, the “Intellexa Leaks” investigation by Inside Story, Haaretz, and WAV Research Collective, with technical analysis from Amnesty International, revealed that Intellexa had maintained remote access to its government customers’ surveillance systems, giving company staff the ability to view personal data of hacked targets. Google’s Threat Analysis Group identified 15 unique zero-day exploits linked to the consortium.^[16]

The Predator Trial

The criminal trial opened at the Athens Criminal Court on April 10, 2025. Four defendants face charges of violating the secrecy of telephone communications: Tal Dilian (Intellexa founder), Sara Aleksandra Fayssal Hamou (Dilian’s wife, who provided managerial services to Intellexa), Felix Bitzios (beneficial owner of Intellexa), and Giannis Lavranos (reported owner of Krikel, a tech contractor). The charges concern the confirmed surveillance of journalist Koukakis and Artemis Seaford, a Greek-American former Meta employee. The defendants face a maximum five-year prison sentence. As of February 2026, closing arguments have concluded and a verdict is expected imminently.^[17][18]

ADAE: Communications Oversight

The Hellenic Authority for Communication Security and Privacy (ADAE), established by Law 3115/2003, is the constitutionally mandated independent authority that monitors compliance with communications secrecy laws. ADAE receives all lawful interception orders, conducts audits on telecommunications providers and EYP, and publishes annual statistics on surveillance activities.^[14]

ADAE’s 2024 annual report revealed a 23% increase in state wiretapping, with national security cases rising to 8,262 in 2024, up from 6,727 in 2023. By contrast, court-approved wiretaps for criminal investigations dropped from 3,307 to 3,050 over the same period. ADAE reported that EYP and the Special Violent Crimes Squad had failed to inform ADAE about hundreds of interception orders in a timely manner during 2023 and 2024, raising concerns about the adequacy of oversight mechanisms.^[19][20]

Council of State: Unconstitutionality Ruling (April 2024)

In a significant ruling on April 5, 2024, Greece’s highest administrative court, the Council of State, declared unconstitutional a March 2021 amendment that had barred ADAE from informing citizens about past state surveillance. Prior to 2021, individuals could request information from ADAE about surveillance targeting them once the surveillance had ended. The 2021 amendment removed this right entirely. The Council of State found that this change violated the Greek Constitution, the EU Charter of Fundamental Rights, and the European Convention on Human Rights.^[21]

The Vodafone Greece Wiretapping Affair (2004–05)

In a separate but historically significant case, Greece was the site of one of the most technically sophisticated surveillance operations ever documented. Between August 2004 and March 2005, more than 100 mobile phones on the Vodafone Greece network were illegally tapped, including those of Prime Minister Kostas Karamanlis, the Mayor of Athens, senior military officers, and officials at the Ministries of Defence, Foreign Affairs, and Public Order. The tapping was accomplished through 6,500 lines of rogue code written in the PLEX programming language used by Ericsson AXE telephone switches, requiring extremely specialised expertise.^[7]

Kostas Tsalikidis, Vodafone Greece’s Network Planning Manager, was found hanged in his apartment on March 9, 2005, the day before Vodafone was scheduled to brief authorities about the rogue software. His death was initially classified as suicide. In 2015, Greek investigators found evidence linking the wiretapping to the U.S. Embassy in Athens and issued an arrest warrant for a former NSA operative.^[7]

Internet Infrastructure

GR-IX: Greek Internet Exchange

The Greek Internet Exchange (GR-IX) is owned and operated by the National Infrastructures for Research and Technology (GRNET), a non-profit, state-owned company, which guarantees the exchange’s neutrality and independence. GR-IX operates two independent sites: GR-IX::Athens and GR-IX::Thessaloniki. The Athens exchange maintains three points of presence and has 67 peers with 93 connections and a total switching capacity of 4.4 Tbps.^[22]

Crete: Mediterranean Submarine Cable Hub

Greece’s geographic position at the crossroads of Europe, the Middle East, and Africa makes it, and Crete in particular, a strategically significant hub for submarine telecommunications cables. The island has six cable landing points and serves as a landing station for multiple international cable systems:^[23]

• AAE-1 (Asia-Africa-Europe-1): A 25,000 km cable system connecting Hong Kong to France via Southeast Asia, the Middle East, and the Mediterranean, landing at Chania, Crete. Operated by a consortium including OTEGLOBE^[24]
• BlueMed: Sparkle’s cable connecting Italy, France, Greece, and Mediterranean destinations, landed at Chania in May 2024. Part of the Blue & Raman systems built in partnership with Google, with initial capacity exceeding 25 Tbps per fibre pair^[25]
• MedNautilus: A 5,729 km ring system connecting Catania (Italy), Chania (Crete), Koropi (Athens), Istanbul, Tel Aviv, Haifa, and Cyprus, owned by Telecom Italia Sparkle^[26]
• IEX (India-Europe-Xpress): Vodafone Greece landed this cable at its Tympaki cable landing station in Heraklion, Crete, with operations commencing in 2025^[23]
• ARTEMIS: Grid Telecom’s ultra-high-capacity domestic cable connecting Crete with mainland Greece (Attica), with new cable landing stations in Chania and Attica designed to serve as gateways for international cables traversing the Eastern Mediterranean^[27]

Crete’s strategic value as a cable hub was further underscored by Vodafone Greece’s establishment of a point of presence at Digital Realty’s HER1 data centre in Heraklion, the first carrier-neutral interconnection point for all cable landing stations on the island. Greece’s position enables it to serve as a critical gateway for internet traffic between Europe, Africa, the Middle East, and Asia.^[23]

Data Retention

Law 3917/2011 transposed the EU Data Retention Directive (2006/24/EC) into Greek law. It requires telecommunications and internet service providers to retain traffic and location data for a period of twelve months after the data is generated. The retained data includes the source and destination of communications, date, time, and duration, the type of communication service, the equipment used, and mobile location data. Content of communications is excluded from the retention obligation. Retained data must be stored within Greek territory.^[15]

Despite the CJEU’s invalidation of the underlying EU Data Retention Directive in the Digital Rights Ireland judgment of April 2014, and subsequent rulings in Tele2 Sverige/Watson (2016) and La Quadrature du Net (2020) that further narrowed the permissibility of blanket data retention, Law 3917/2011 remains in force without comprehensive reform. Greece has not enacted targeted reforms to bring its retention regime into alignment with CJEU jurisprudence, creating ongoing legal uncertainty for telecommunications providers and for the individuals whose metadata continues to be retained under a regime that may not meet current EU proportionality standards.^[15][28]

International Data Sharing

Greece participates in extensive international data sharing frameworks through its memberships in NATO, the EU, and bilateral agreements with the United States.

Key Memberships

• NATO: Greece joined the North Atlantic Treaty Organisation on February 18, 1952, as part of the first round of enlargement alongside Turkey^[29]
• European Union: Member since January 1, 1981
• Schengen Area: Greece acceded to the Schengen Convention on November 6, 1992; internal border checks were abolished in January 2000

US-Greece Defence and Legal Agreements

• Mutual Defense Cooperation Agreement (MDCA): Signed in 1990, updated in 2019 and again in 2021 to expand flexibility and access for U.S. forces in Greece^[30]
• General Security of Military Information Agreement (GSOMIA): Signed in 1986, governing the exchange and protection of classified military information^[30]
• Mutual Legal Assistance Treaty (MLAT): The US-Greece MLAT was signed on May 26, 1999 in Washington, with a supplementary protocol signed on January 18, 2006. Additional EU-US MLAT instruments entered into force on February 1, 2010^[31]

EU Law Enforcement Data Sharing

Schengen Information System (SIS II): As a Schengen member, Greece participates in the EU’s largest law enforcement database, enabling real-time queries and contributing alerts visible to law enforcement across all Schengen countries.

European Investigation Order (EIO): Greece participates in the EIO framework, enabling Greek judicial authorities to make binding requests to other EU member states for evidence, telephone interceptions, and financial information based on mutual recognition.

Prüm Convention: Greece participates in automated DNA, fingerprint, and vehicle registration data comparison across EU member states. The Prüm II Regulation (2024) expands this to include facial images and police records.

Europol: Greece participates in Europol data sharing, including cooperation with non-EU law enforcement agencies through Europol’s external agreements.

The Privacy Backdoor Effect

Despite HDPA GDPR enforcement and constitutional privacy protections under Article 9A, Greece’s intelligence and law enforcement frameworks create collection pathways that operate outside data protection law — and foreign nationals whose communications pass through Greek territory are not protected by Greek privacy law:

• Predator Surveillance Extraterritoriality: The Predator spyware scandal established that zero-click surveillance tools can target individuals irrespective of nationality or location; operators using such tools against non-EU persons do so entirely outside GDPR.
• Mediterranean Cable Hub: Greece’s position as a Mediterranean submarine cable hub means foreign communications transiting cable landing stations at Crete and Attica can be accessed by EYP under Law 2225/1994 (as amended by Law 5002/2022) without those foreign nationals receiving GDPR protection.
• NATO SIGINT Sharing: Greece participates in NATO intelligence-sharing structures; intelligence about Greek persons shared within NATO frameworks is not subject to GDPR at the receiving-state level.
• EU Framework Sharing: Greek person data in SIS II, Prüm, or EIO channels is accessible to 27 EU member states and, through Europol, to US FBI.
• MLAT Channels: The US-Greece MLAT and EU-US supplementary instruments provide US authorities with data access pathways that do not require compatibility with Greek data protection standards.
• SWIFT/PNR Dragnet: International financial transactions and air travel data subject to US access.

For Greek persons, HDPA-enforced GDPR protections apply to data controllers subject to Greek jurisdiction — but EYP operates under Law 5002/2022 and its predecessors, explicitly exempt from data protection oversight. The ECHR in Panagioti v. Greece and the ADAE’s own wiretap statistics have confirmed the breadth of surveillance that operates outside public accountability. Foreign nationals whose communications transit Greece’s GR-IX or Mediterranean cable infrastructure are subject to EYP collection without any data protection law protection — GDPR Article 2(2) explicitly excludes member state national security processing from its scope.

Recent Developments

Predator Trial Nearing Verdict (2025–2026)

The landmark Predator spyware trial at the Athens Criminal Court, which opened on April 10, 2025, has reached its final stage. Over more than 40 hearings, the court examined evidence relating to the surveillance of journalist Koukakis and former Meta employee Seaford. The four defendants largely avoided appearing in court and declined to testify. Presiding judge Nikos Askianakis is expected to deliver a verdict in late February 2026.^[17][18]

Intellexa Leaks (December 2025)

A joint investigation published in December 2025 revealed that Intellexa maintained remote access to government customers’ surveillance infrastructure, used an advertising-based delivery system (“Aladdin”) to infect targets, and continued operations despite U.S. sanctions. Amnesty International confirmed active Predator infections in countries including Pakistan, Saudi Arabia, Kazakhstan, and Angola as recently as 2025.^[16]

ADAE Wiretap Statistics (2024)

ADAE’s reporting of an 8,262 national security wiretaps in 2024, a 23% increase from 2023, has intensified concerns about unchecked surveillance. ADAE called for stronger oversight of EYP and legislative reforms to constrain national security surveillance, noting that the rise in wiretaps came after the Predator scandal that was supposed to prompt greater restraint.^[19]

NIS2 Transposition (November 2024)

Greece published Law 5160/2024 on November 27, 2024, transposing the EU NIS2 Directive into national law. The law covers energy, transport, financial services, healthcare, digital infrastructure, and public administration entities. Security measures compliance provisions entered into force on June 1, 2025. Greece adopted a centralised enforcement model under the National Cyber Security Authority (NCSA), with penalties of up to EUR 10 million or 2% of global turnover for essential entities.^[32]

Council of State Unconstitutionality Ruling (April 2024)

The Council of State’s April 2024 ruling striking down the 2021 amendment that had barred ADAE from notifying surveillance targets represents a significant judicial check on government surveillance powers. The ruling found violations of the Greek Constitution, the EU Charter of Fundamental Rights, and the ECHR, and restored the ability of individuals to learn whether they were subjected to state surveillance after the fact.^[21]

Press Freedom

Greece ranked 89th in the 2025 Reporters Without Borders World Press Freedom Index, last among all EU member states. RSF cited the surveillance of journalists by EYP, the unsolved 2021 murder of crime reporter Giorgos Karaivaz, financial insecurity among journalists, frequent legal threats including SLAPPs, and a media landscape dominated by private groups with close ties to political elites.^[33]

Sources