Data Controllers must respect the provisions of Law 2472/1997 (and 3471/2006 regarding electronic communications) and more specifically:
1. They must collect personal data fairly and lawfully.
2. They must process only the data which are necessary for one or more specified purposes.
3. They must make sure that they keep data accurate and up to date.
4. They must retain data only for as long as is deemed necessary for the purpose of the collection and processing thereof.
5. In order to carry out the data processing, the Controller must choose employees with relevant professional qualifications providing sufficient guarantees in terms of technical expertise and personal integrity to ensure such confidentiality.
6. The Controller must implement appropriate organisational and technical measures to secure data and protect them against accidental or unlawful destruction, accidental loss, alteration, unauthorised disclosure or access as well as any other form of unlawful processing.
7. If the data processing is carried out on behalf of the Controller, by a person not dependent upon him, the relevant assignment must necessarily be in writing.
8. The Controller must respect the data subject's rights to information, access and objection.
9. They must meet their obligations vis-à-vis the DPA (notification, granting of permit).
10. They must be kept informed of any Decisions, Directives or Recommendations issued by the DPA that may be important to them.
Learn more: Articles 4-14, Law 2472/1997