Following the guidelines of GDPR and the e-privacy directive, EU members have implemented regulations, including cookie laws, to protect user privacy. Various Data Protection Authorities, including the Hellenic DPA of Greece, have also issued guides to help businesses achieve compliance. This blog comprehensively overviews the requirements for Greek cookie consent and compliance strategies.

What is the cookie law of Greece?

As an EU member, Greece implemented the GDPR and e-privacy directive through the Greek Data Protection Act and 3471/2006

Later on, an audit conducted by the DPA revealed widespread non-compliance with these rules by many famous Greek websites. Considering this, the Greek DPA issued a concise guide on the lawful use of cookies to help businesses understand the law and make compliance easy. 

The Greek DPA’s guide on cookies outlines consent rules, provides examples, and highlights bad practices. Furthermore, it sets out specific recommendations on how to provide information to users. 

What is the scope of the Greek cookie guidelines?

The Greek cookie consent guidelines apply to entities that offer online services to users in Greece and utilize cookies or other tracking technologies to collect information from them.

What are the Greek cookie consent requirements?

The Greek cookie guidelines emphasize obtaining user consent before deploying cookies or other trackers on devices. This includes non-essential cookies such as those used for advertising and third-party trackers like Google Analytics.

What are the exemptions?

The obligation to obtain prior consent does not apply to cookies/trackers that are technically necessary for: 

  • The purpose of connecting to a website
  • Providing an internet service requested by the user 

Here are some relevant examples to understand the exemptions. Cookies used for any of the following purposes do not require prior consent:

  • To identify or maintain the content uploaded by the user during a session. Eg: an online shopping cart.
  • To connect the user to a service that needs authentication.
  • For the User’s security.
  • To perform load balancing during a session.
  • To maintain user preferences such as language preference.

Bad practices:

  • Using necessary cookies without providing relevant information to the user.
  • Using Google Analytics for web analytic purposes by just informing the user of such use without giving the option to decline or without providing information about the use.

What are the cookie consent guidelines issued by the DPA?

Understanding what constitutes consent is crucial for compliance. Let us break down the essentials of Greek cookie consent requirements influenced by GDPR.

  • Users must give explicit consent for each category of cookies (affirmative action).
  • Pre-checked boxes or continued scrolls are not valid consent.
  • Browser presets are not valid consent.
  • Users must be able to reject cookies with the same ease as accepting them, and they must be able to do both in the same number of actions/clicks.
  • Inaction from the user does not constitute consent. Therefore, do not deploy non-essential cookies on user devices if they neither accept nor reject cookies.
  • Consent withdrawal must be as easy as giving consent.
  • Avoid blocking access to the site due to non-consent( cookie walls).
  • Provide uniform accept and reject buttons to avoid influencing users to favor the “accept” option. Use buttons of the same size, color, and font.
  • Regardless of whether the user accepts or rejects the cookies, the reappearance of a cookie pop-up asking about the use of cookies must be made at the same intervals. The cookies used to remember this choice are technically necessary.

Bad practices:
  • Users are only given one choice, such as an “I agree” button, and they cannot continue using the service by removing the message.
  • No option to reject non-essential cookies.
  • The option to reject is given in a different layer/step, such as clicking on more information or hyperlinked settings.
  • Closing the cookie banner/pop-up results in the use of non-essential cookies.
  • Continuing to use the website/scrolling after the pop-up results in using non-essential cookies.
  • The accept button is predominant or pre-checked. 
  • The pop-up only allows users to accept non-essential cookies and directs to a generic privacy notice.
  • Not allowing users to change their consent preferences(accept/reject).
  • Users can change their consent preferences only through browser settings.
  • If the user rejects cookies, they are repeatedly invited to make a new choice, whereas accepting them maintains their choice for longer.

What are the Greek cookie notice requirements?

As we already know, transparency is a significant element of compliance. Therefore, before obtaining consent, websites must provide information regarding the types of cookies, their purposes, the controller’s identity, who has access to the data collected by cookies, etc. 

The Greek DPA also sets out guidelines on how to provide this information.

  • Information can be provided through suitable mechanisms such as a cookie banner or pop-up.
  • Providing information in multiple layers is acceptable if you inform users of the categories of cookies used.
  • The pop-up or banner must contain specific information about the purposes of each cookie rather than a general description.
  • For each cookie or category of cookies used for the same purpose, provide the following information:
    • Duration: How long it will be active or how long the controller will retain the collected data
    • Controller’s identity: Who handles the data collected by the cookies
    • Recipients/categories of recipients: Who has access to the data collected by the cookies
  • The information must be easy to read on all devices in which it is displayed.

Bad practices:

  • Providing generic cookie information within a generic privacy notice.
  • The information in the pop-up or banner only has a generic reference to using cookies. E.g., Cookies for a better experience.
  • The notice is not easy to read across all devices on which it is displayed.

Checklist: Greek cookie consent guidelines 

  • Obtain explicit, specific consent from users before deploying non-essential cookies or other trackers on user devices.
  • Ensure that users can reject cookies as easily as they can accept them.
  • Do not rely on pre-checked boxes, continued scrolls, inaction, or browser presets as a form of consent.
  • Ensure that consent withdrawal is as easy as giving consent.
  • Do not block access to the website if the user rejects cookies.
  • Provide uniform accept and reject buttons to avoid influencing users to favor the “accept” option.
  • Provide clear and transparent information regarding the use of cookies to users.
  • The necessary cookies must be accompanied by relevant information provided to the user.
  • Cookie pop-ups asking for the use of cookies must reappear at the same intervals, whether the user accepts or rejects cookies.
  • Allow users to change their consent preferences.

How can CookieYes help achieve Greek cookie compliance?

Implementing a cookie consent management platform is the most effective way to achieve cookie compliance. CookieYes offers a reliable solution with compliant features preventing tracking before user consent.

Why CookieYes is the best solution?

  • Customizable consent notice with clear Accept/Reject buttons
  • Option to add close button
  • Granular consent options
  • Convenient consent withdrawal
  • Consent logs for compliance
  • Language customization
  • Scan sites to detect and block third-party cookies until consent is given
  • Google-certified CMP and IAB TCF v2.2 compliant      

FAQ on Greek cookie consent guidelines

What are cookies?

Cookies are small files that websites place on internet-connected devices, such as smartphones or computers, to collect and store information about users. They perform various functions, such as saving user preferences and serving functional purposes. Additionally, websites use them for advertising, analytical purposes, and more.

What is the EU rule on cookies?

The EU cookie law requires websites to obtain explicit user consent before deploying non-essential cookies or similar technologies on user devices.

What is Hellenic DPA?

Hellenic Data Protection Authority oversees the implementation of GDPR and other national laws to protect individuals’ personal data.

What is valid consent?

A user gives valid consent through a freely given, specific, informed, and unambiguous affirmative action, signifying their agreement to the processing of personal data by data controllers.