E-commerce and Data Protection in Greece – the legal framework

A. E- Commerce:

A.1. The Legal Framework

Α.1.1. Directive 2000/31/ΕΚ – The Electronic Commerce Directive

The Directive, adopted in 2000, establishes standard and harmonised rules on various issues related to electronic commerce on a supranational level. The Directive regulates an important part of online provided services such as selling (books, financial services, travel services, etc.), advertising, professional services (lawyers, doctors, estate agents) and entertainment services. The objective of the European legislator had been to provide legal certainty for business and consumers alike. In order to address any irregularities arising from the inconsistency between the national laws of each member, the Directive introduces the principle that operators of these services are subject to only in the EU country where they have their registered headquarters – not in the country where the servers, email addresses or postboxes they use are located.

Amongst other provisions (for example information requirements for the providers and the freedom of establishment (art. 4-5), commercial communications (art. 6-8) and liability of intermediary providers (art. 12-15)), the Directive, in articles 9-11, regulates contracts concluded by electronic means (Online contracts).

The basic conditions for a legally bounding Online contract for the provisions of products or services are:

– To spell out in clear and explicit way all the technical steps consumers must follow to conclude the contract, whether or not the contract will be filed by the service provider and whether consumers can view it at a later stage, how consumers can identify and correct typing errors before placing their order and the languages in which the contract can be signed.

– Consumers must be able to save and print out contracts and general conditions. One is important to have also into account that the Directive 2011/83/EU on consumer rights, which will be analysed below.

– Regarding the online orders the service provider must confirm receipt of the order without undue delay and electronically (email, other electronic message) the order (or receipt confirmation) is considered to have been received when the seller (consumer) is able to access it. Regulation (EU) 910/2014 on electronic identification and trust services is also handy for a complete guide on the matter.

The important issue of “intermediaries” is also addressed, even if the definition is not expressly outlined, providing that online service providers who act as mere conduit, caching or hosting services providers are not responsible for the information they transmit or host if they fulfil certain conditions. In the case of hosting service providers, they are exempted from liability as long as they do not have actual knowledge of illegal activity or information and if they obtain such knowledge or awareness, they act at once to remove or to disable access to the information. National governments cannot impose any general monitoring obligation on these ‘intermediaries’ over the information they send or store, to look for and prevent illegal activity.

A.1.2. P.D. 131/2003 for the adaption of the E-commerce Directive in the Greek legislation

In order to adapt the above Directive in the Greek legal framework, Presidential Decree 131/2003 constitutes an almost exact copy of the European legislation. Therefore the provisions of the decree cover a large spectrum of e-commerce operation and gives explicit definitions for the services of the information society, the service providers, the establishment of the providers, the consumers and the end-users and the electronic communications system. Certain professions and services are excluded from the implementation of the decree, such as tax sector, cartel agreements, notarial services and betting sites.

Following the rationale of the Directive, article 2 of the decree clearly provides that any restriction on the free circulation of the services within the European market, due to national regulations, is forbidden.

The Decree follows the structure of the Directive and develops in fourteen articles the principles of the e-commerce strategy. Freedom of information and services is highlighted in article 3, whereas in articles 4 and 5 the service provider must explicitly offer to the users of the service clear and explicit information on the legal status of the entity engaging in online commercial services and the proper authorization of the latter.

Electronic Communications must be transparent and any advertisement is deemed to include all the important information in order for the consumer to make a free choice. Most important, online contracts are also regulated with provisions outlining that the service provider must always offer to the user the opportunity to fully understand all the stages of the service completion, the general terms and conditions of the service and the technical means of the online platform.

Article 10 – ordering process – provides for a clear and simple ordering procedure, where the consumer must obtain the receipt without any undue delay and the provider must have all the necessary technical means to make any changes and adjustments to the ordering process.

Intermediaries’ liability is regulated in the same way as in the Directive, in three different articles providing for the transmission providers, the temporary storage of information and the hosting services. These service providers are not obliged to generally monitor and control the information they transmit or store or be vigilant about any illegal data transmitted. Nevertheless, in order to set some boundaries to the absence of liability, article 14 provides that the providers must notify the competent national authorities in case they have any suspicion of illegal activity happening during the use of their services.

A.1.3. The Consumer Protection aspect of online contracts

Consumer protection is the cornerstone of the e-commerce development and is always underlined in all legislative pieces relating to online marketing. European Directive 2011/83 on consumer rights replaced Directives 97/7/EU and 85/511/ΕΕC on the distance contracts and accordingly, in the Greek territory, the Joint Ministerial Decision Ζ1-891/2013 has added to the Consumer Protection Law 2251/1994, two new articles, namely 3 and 4, regulating consumer rights.

The basic amendments include:

  • The abolishment of «hidden charges». The providers must explicitly state in a way visible to the user that «the order is subject to a charge». Otherwise the consumer is not bound by the contract.
  • More transparency in the prices and charges, namely the VAT imposition.
  • Prohibitions of pre-filled option boxes during the process of the order.
  • 14 days’ notice for the consumer to change his mind and cancel the order.
  • Enhanced protection for insufficient information. If the provider does not inform the consumer clearly on his rights and obligations, the 14days notice is extended to 1 year notice.
  • The right of money refund process is clearly regulated. The same applies for the courier expenses.

Last but not least, Directive 2013/11/EU on alternative dispute resolution for consumer disputes (Directive on Consumer ADR) established the operation of an innovative platform for the consumers and suppliers to resolve any disputes that may occur without the resort to time-consuming and costly judicial procedures. Under the ODR Regulation, the European Commission will establish a European Online Dispute Resolution platform (ODR platform). The ODR platform is a web-based platform that is specifically designed to help consumers who have bought goods or services online and subsequently have a problem with that online purchase. It allows consumers to submit their contractual dispute and conduct the ADR procedure online and in any of the 23 official languages of the European Union.

B. The Data Protection Legal Framework

As it stands today and before the implementation of the new General Data Protection Regulation (2016/679), the basic European legal framework includes the Directives 95/46/ΕC for the protection of persons from the exploitation of personal data and the free movement of these data and the Directive 2002/58/EC, as amended by Directive 2006/24/ΕC for the protection of data in electronic communications.

In Greece, L. 2472/1997 for the protection of personal data, supervised by the Hellenic Data Protection Authority, is applied, as amended by L. 4139/2013. Also, L. 3471/2006 (as amended by laws 3783/2009, 3917/2011 and L. 4070/2012) for the protection of personal data in electronic communications follows the rationale of Directive 2006/24/ΕC as amended. Law 3783/2009 is also important providing for the rules applied in the identification procedure of mobile phone and equipment users.

Both the European and the Greek legislation, apply to data processed by automated means (e.g. a computer database of customers) and data contained in or intended to be part of non- automated filing systems (traditional paper files). The Directive aims to protect the rights and freedoms of persons with respect to the processing of personal data by laying down the key criteria for making processing lawful and the principles of data quality.

In a nutshell these are:

  • The person whose data are exploited has unambiguously given his consent; or
  • processing is necessary for the performance of a contract to which the data subject is party; or
  • processing is necessary for compliance with a legal obligation to which the controller is subject; or
  • processing is necessary to protect the vital interests of the data subject; or
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party; or
  • Processing is necessary for the purposes of the legitimate interest pursued by the controller or by the third party, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection.

Personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. Also they must not be stored for longer than necessary and solely for the purposes for which they were collected. Exploitation of sensitive personal data is in principal forbidden, save where there is an explicit consent for the processing, the processing is necessary for protecting another vital right of the person, the processing is necessary for the identification of a person in the exercise of a judicial or disciplinary right, there is a matter of public health or national security or the process is anonymous in the context of scientific research.

The person whose data are processed, the data subject, can exercise three main rights in order to safeguard the integrity of his personal Data. First, the right to obtain information, second the right of access to data and third the right to object to the processing of data. What is more, the person should finally be informed before personal data are disclosed to third parties for the purposes of direct marketing, and be expressly offered the right to object to such disclosures.

As mentioned above, Law 3471/2006 implementing Directive 2002/58/EC regulates the exploitation of personal data electronic telecommunication service providers. The fundamental rule for these services is that any use of electronic telecommunications services offered by a public network as well as place and motion data are protected by the telecommunications privacy.  Recording of communications and the related data motion, when carried out in the course of lawful business practice for the purpose of providing evidence of commercial data transaction is permitted,  provided that both parties, after receiving proper notice,  do not object and that any processing is restricted to the minimum for the purpose intended.

C. Observations

European Commission is always vigilant for the protection of online merchants and service providers as well as the consumers. The latest actions in 2016 include the tackling of the VAT gap in cross-border trading and the support of SME’s (Small and Medium Enterprises).

On the Data Protection field, after a long legislative process lasting four years, the European Parliament adopted the new General Data Protection Regulation (GDPR), on 14 April 2016, in order to bring the European data protection framework into the 21st century.  The new and updated Regulation is expected to provide businesses operating within the European Union by providing with a harmonized protection regime across the Union. Among other matters the Regulation will include provisions for the “right to be forgotten” which remains the top controversial issue of the year and it remains to observe how the Regulation will be implemented in the Greek legal order.