HDPA and GDPR in practice: consent for marketing to a Greek audience

The Hellenic Data Protection Authority (HDPA / ΑΠΔΠΧ) has fined Greek companies up to €9.25M for marketing rule breaches. The framework that applies in Greece combines three layers: the general GDPR regulation (679/2016/EU), the Greek implementation Law 4624/2019 and the specific Law 3471/2006 for electronic communications. 4notify turns those three layers into a working checklist for your flow — not into 80 pages of legalese.

Three legal layers, three duties

GDPR

Regulation 679/2016/EU

The general regulation applying to all personal data in the EU. Sets legal bases of processing, data-subject rights (access, deletion, portability), DPO, DPIA and penalties up to 4% of global turnover or €20M.

Law 4624/2019

Greek GDPR implementation

Implements GDPR for the Greek legal order: digital-consent age of 15, special-category data (article 22), research and journalism exemptions, transfer to third countries. HDPA oversight as an independent authority.

Law 3471/2006

Electronic communications

The specific law for marketing calls, SMS and email. Article 11: prior consent for every marketing message, with a soft opt-in exception for existing customers on related products. Also creates the 11888 Consumer Ombudsman do-not-call register.

How the flow works with 4notify — 4 phases

  1. Per-channel consent

    The signup form needs separate checkboxes for SMS, email and WhatsApp/Viber. A general "I have read the privacy policy" does not suffice. Each checkbox has its own log entry with timestamp, IP address, user agent and a hash of the displayed text.

  2. Soft opt-in for existing customers

    Article 11 of Law 3471/2006 allows you to message an existing customer about related products without explicit consent, provided every message offers an easy unsubscribe path. 4notify flags those campaigns as "soft_optin" in the consent ledger.

  3. 11888 register screening

    For each cold marketing campaign (not existing customers), the recipient list is cross-checked against the Consumer Ombudsman's 11888 register. Listed numbers are dropped automatically. An exclusion log is kept for audit.

  4. Proof of consent on HDPA request

    If HDPA opens a complaint or audit, you can export from 4notify a CSV/PDF report containing: subject ID, consent timestamp, channel, purpose, displayed text and reference to the privacy policy in effect. All cryptographically signed.
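The consent record from phase 1 and the signed export row from phase 4, as an added example (not 4notify's code or API). The field names, the use of HMAC-SHA256 as the signature and the sample values are assumptions; the page does not say which signing scheme 4notify uses.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption); a real deployment would hold it in a KMS/HSM.
SIGNING_KEY = b"demo-key-not-for-production"
CHANNELS = {"sms", "email", "whatsapp", "viber"}

def make_entry(subject_id, channel, purpose, shown_text, policy_ref, ip, user_agent, ts=None):
    """Build one ledger entry per ticked checkbox (one channel, one purpose)."""
    if channel not in CHANNELS:
        raise ValueError(f"unknown channel: {channel}")
    return {
        "subject_id": subject_id,
        "channel": channel,
        "purpose": purpose,
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "ip": ip,
        "user_agent": user_agent,
        # Hash of the exact wording shown next to the checkbox.
        "text_sha256": hashlib.sha256(shown_text.encode("utf-8")).hexdigest(),
        "policy_ref": policy_ref,
    }

def _canonical(entry):
    # Sorted keys and fixed separators: the same entry always serialises identically.
    return json.dumps(entry, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")

def sign_entry(entry):
    """Return the export row: the entry plus an HMAC-SHA256 over its canonical form."""
    sig = hmac.new(SIGNING_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    return {**entry, "signature": sig}

def verify_row(row, shown_text=None):
    """Check the signature and, optionally, that shown_text matches the stored hash."""
    entry = {k: v for k, v in row.items() if k != "signature"}
    expected = hmac.new(SIGNING_KEY, _canonical(entry), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, row.get("signature", "")):
        return False
    if shown_text is not None:
        return hashlib.sha256(shown_text.encode("utf-8")).hexdigest() == row["text_sha256"]
    return True

# Constructed sample: a signup where only the SMS box was ticked.
TEXT = "I agree to receive marketing SMS from Example Shop."
ROW = sign_entry(make_entry("subj-001", "sms", "marketing", TEXT, "privacy-policy-v3",
                            "203.0.113.7", "Mozilla/5.0 (constructed)", ts="2024-05-01T10:00:00+00:00"))
```

Because the entry stores only the hash of the consent wording, the wording itself has to be archived per version so that `verify_row(row, shown_text)` can be re-run against it during an audit.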

Frequently asked

What fines does HDPA levy on SMS spam?

From €5,000 for an isolated incident up to €9.25M for repeated systemic breach (HDPA decision 26/2021). The size depends on volume, degree of fault and prior warnings. Example: in 2023 a €750,000 fine was imposed on an IT firm for systematic SMS sending without consent.

Does soft opt-in apply to WhatsApp?

HDPA has not issued an explicit ruling. Conservative approach: explicit consent for WhatsApp marketing, soft opt-in restricted to transactional WhatsApp (e.g. order confirmations). HDPA treats WhatsApp as a more proactive channel than SMS.

How long is consent valid?

GDPR sets no specific duration. In practice, HDPA recommends review every 24 months or on material change of processing purposes. For accounts inactive for more than 24 months, re-consent is required before the first new marketing message.

Is a DPO mandatory for a small Greek company?

Not always. GDPR Article 37 mandates a DPO for public bodies and for companies whose core activity is large-scale systematic monitoring or processing of special-category data. For a small e-shop, the legal representative can appoint a "contact officer" instead of a DPO.

What about EU citizens outside Greece?

For recipients located in Greece the Greek framework (HDPA) applies. For recipients in other EU Member States, the national supervisory authority there applies (one-stop-shop principle). 4notify supports per-country compliance configurations.

How long do we retain consent logs?

Recommended duration: the length of the customer relationship + 5 years after account deletion (matching civil-claim limitation periods under Greek law). Beyond that, anonymise.
