Employee Monitoring Laws in Greece: Hellenic DPA Requirements and GDPR Compliance 2026

What Legal Framework Governs Employee Monitoring in Greece?

Employee monitoring laws in Greece rest on four interlocking layers: EU law, national statute, constitutional protection, and HDPA enforcement guidance. Understanding how they interact is the foundation of a compliant monitoring program.

GDPR — The Directly Applicable EU Baseline

The General Data Protection Regulation (GDPR) applies directly in Greece without requiring domestic transposition. Every monitoring activity that collects personal data — activity logs, screenshots, email metadata, location data — triggers GDPR obligations. The primary lawful bases Greek employers rely on for monitoring are:

• Article 6(1)(b) — Contract necessity: Processing necessary to perform or manage the employment contract. Covers attendance tracking, timesheets, and productivity data used for performance management.
• Article 6(1)(c) — Legal obligation: Processing required to comply with Greek labor law or sector-specific regulations. Covers mandatory attendance records and health and safety monitoring.
• Article 6(1)(f) — Legitimate interest: Processing necessary for the employer's legitimate interests, provided they are not overridden by employee fundamental rights. This is the most commonly cited basis for productivity monitoring and network security monitoring. A balancing test is required.

Employee consent under Article 6(1)(a) is technically available but strongly discouraged by the HDPA as a primary basis, because the inherent power imbalance in employment relationships makes genuinely free consent difficult to establish.

Law 4624/2019 — Greece's National GDPR Implementation

Law 4624/2019 (Gazette Α' 137/29.8.2019) transposes GDPR into Greek law and exercises the employment-specific derogations available under GDPR Article 88. Key provisions for employers include:

• Employee personal data may be processed when necessary for the establishment, exercise, or fulfilment of rights and obligations arising from the employment relationship — without requiring individual consent in each instance.
• Data processing for performance assessment or disciplinary purposes must be based on documented operational necessity and communicated to employees in advance.
• Employee representative bodies (works councils, trade union representatives) must be informed before implementing monitoring systems, providing them an opportunity to raise objections through labor relations channels.
• Data Protection Officers (DPOs) are mandatory for organisations engaged in large-scale, systematic employee monitoring — not just public bodies.

The law also incorporates GDPR Article 88's requirement that national rules include "suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights." The HDPA references this standard in enforcement decisions involving disproportionate workplace monitoring.

Greek Constitution Article 9A

The right to personal data protection is enshrined in the Greek Constitution at Article 9A, added during the 2001 revision. This constitutional anchor means Greek courts apply heightened scrutiny to employer monitoring. In labor disputes, courts have used Article 9A to exclude evidence obtained through monitoring that violated employee privacy — even where the employer technically complied with procedural GDPR requirements. Proportionality is not merely a regulatory concept in Greece; it is a constitutional demand.

Law 3471/2006 — Privacy in Electronic Communications

Law 3471/2006, implementing the EU's 2002 ePrivacy Directive, governs employer monitoring of company networks and electronic communications. The law permits employers to monitor company network traffic and communications systems for security and operational purposes, but draws a clear line between metadata-level monitoring (who communicated, volume, timing) and content-level interception (reading message bodies). Content monitoring requires specific documented justification and prior employee notice.

Greek Labor Law — Employee Representative Consultation

Presidential Decree 156/94 and Labor Law 3863/2010 require employers to inform and consult with employee representative bodies before introducing technological monitoring systems into the workplace. Unlike Germany's Betriebsrat model — where the works council has blocking power — Greek law creates a consultation obligation without an absolute veto right. However, failure to consult is an independent violation that strengthens HDPA complaints and labor court claims. Collective agreements in sectors such as banking, telecoms, and the public sector may negotiate stricter requirements.

Which Monitoring Practices Are Permitted — and Which Are Restricted?

Not all monitoring is equally permissible under Greek law. The HDPA applies a proportionality and necessity test to each monitoring type, and different practices face different scrutiny levels.

What Is the Employee Representative Consultation Requirement?

Greek labor law requires employers to inform and consult with employee representative bodies before introducing monitoring systems. This obligation arises from Presidential Decree 156/94, Labor Law 3863/2010, and is reinforced by Law 4624/2019's employment data provisions.

Who Must Be Consulted?

The consultation obligation applies where any of the following representative structures exist at the workplace:

• Works councils (Συμβούλια Εργαζομένων): Mandatory in workplaces with 50 or more employees under Law 1767/1988
• Health and safety committees (Επιτροπές Υγιεινής και Ασφάλειας): Required in workplaces with 50 or more employees; monitoring systems affecting work conditions fall within their scope
• Trade union representatives: Where sector or enterprise collective agreements give union representatives information rights over technology deployment

For smaller employers without formal representative structures, Law 4624/2019 still requires employee notification — meaning all employees must receive written information about the monitoring system before it becomes operational, even if no formal consultation body exists.

What Does Consultation Involve?

Consultation is not a simple notification exercise. Employee representatives are entitled to receive a description of the monitoring system including its technical capabilities, the categories of data collected, who has access, retention periods, and the employer's documented justification. Representatives have a reasonable period — typically 15 to 30 days — to review the documentation, ask questions, and raise concerns. While the works council does not have a German-style veto right, objections must be documented, and the employer should address them or provide written reasoning for proceeding despite objections.

Collective agreements in specific sectors, particularly banking, telecommunications, and the broader public sector, may negotiate additional rights including co-determination over monitoring scope or employee access to their own monitoring data beyond the statutory GDPR minimum.

What Data Retention Limits Apply to Monitoring Data in Greece?

GDPR Article 5(1)(e) requires that personal data be kept no longer than necessary for the purposes for which it was collected — the storage limitation principle. For employee monitoring data in Greece, the HDPA has not issued a single universal retention period but has established sector guidance and applied proportionality principles in enforcement decisions.

HDPA Position on Retention Periods

In CCTV enforcement, HDPA guidance and Decision 1/2011 set a 15-day default deletion period for CCTV footage absent an incident. For digital monitoring data such as activity logs, application usage records, and screenshot repositories, the HDPA applies a proportionality analysis: retention must not exceed what is necessary to serve the stated monitoring purpose. Routine productivity monitoring data held for more than three months without a specific justification risks challenge.

Recommended Retention Approach

• Real-time and daily activity logs: 30 to 90 days for routine operational purposes
• Timesheet and attendance records: 5 years minimum under Greek labor law record-keeping requirements (consistent with GDPR contract necessity basis)
• Screenshot repositories: 30 days for routine screenshots; longer only if specific incidents require preservation with documented justification
• CCTV footage: 15 days per HDPA guidance; up to 30 days for documented security-critical areas with written justification
• Incident investigation data: Duration of the investigation plus applicable legal proceedings period, documented in a retention schedule

Retention periods must be communicated to employees in the workplace privacy notice and incorporated into the DPIA for systematic monitoring. Automated deletion controls — not manual processes — are the HDPA-preferred approach to ensuring compliance with stated retention periods.

Greek Employer HDPA Compliance Checklist for 2026

Use this checklist to assess your organisation's readiness before deploying or reviewing employee monitoring systems in Greece. For each item, document your completion with dated evidence.

1. Identify the lawful basis — Document which GDPR Article 6 basis applies to each monitoring activity. Most employers use Article 6(1)(b) for attendance/timesheets and Article 6(1)(f) for productivity monitoring, with a documented legitimate interest assessment for the latter.
2. Conduct a DPIA — If the monitoring is systematic (screenshots, keystroke intensity, CCTV), complete a DPIA under GDPR Article 35 before deployment. Involve your DPO.
3. Update the employee privacy notice — Ensure the notice includes: categories of data collected; purposes and legal basis; who has access; retention periods; employee rights; and HDPA contact details.
4. Consult employee representatives — Provide the works council, health and safety committee, or union representatives with documented information about the monitoring system and a reasonable period to respond before activation.
5. Configure work-hours-only operation — Ensure monitoring software is activated only during declared work sessions. Document this configuration in the DPIA and employee notice.
6. Set and automate data retention — Configure automated deletion schedules aligned with your stated retention periods. Document retention logic per data category.
7. Restrict data access — Implement role-based access controls. Maintain an access log. Ensure only authorised personnel can access individual employee monitoring data.
8. Review CCTV compliance — Audit camera positions against HDPA Decision 1/2011. Remove or reposition cameras covering ordinary work areas without specific documented justification. Confirm 15-day deletion cycle.
9. Document email monitoring policy — If email metadata or content monitoring is in place, ensure a written policy exists, employees have acknowledged receipt, and the scope is proportionate and documented.
10. Establish an employee rights procedure — Create a documented process for handling GDPR access requests, objections, and erasure requests from employees within the statutory response periods (generally 30 days under GDPR Article 12).

Download a pre-populated version of this checklist in the eMonitor policy template library, which includes Greek law-specific clauses for employment contracts and employee privacy notices.

Frequently Asked Questions: Employee Monitoring Laws in Greece