Cookie Consent Requirements in Greece [With Checklist]

Following the guidelines of GDPR and the e-privacy directive, EU members have implemented regulations, including cookie laws, to protect user privacy. Various Data Protection Authorities, including the Hellenic DPA of Greece, have also issued guides to help businesses achieve compliance. This blog comprehensively overviews the requirements for Greek cookie consent and compliance strategies.

As an EU member, Greece implemented the GDPR and e-privacy directive through the Greek Data Protection Act and 3471/2006. 

Later on, an audit conducted by the DPA revealed widespread non-compliance with these rules by many famous Greek websites. Considering this, the Greek DPA issued a concise guide on the lawful use of cookies to help businesses understand the law and make compliance easy. 

The Greek DPA’s guide on cookies outlines consent rules, provides examples, and highlights bad practices. Furthermore, it sets out specific recommendations on how to provide information to users. 

The Greek cookie consent guidelines apply to entities that offer online services to users in Greece and utilize cookies or other tracking technologies to collect information from them.

The Greek cookie guidelines emphasize obtaining user consent before deploying cookies or other trackers on devices. This includes non-essential cookies such as those used for advertising and third-party trackers like Google Analytics.

What are the exemptions?

The obligation to obtain prior consent does not apply to cookies/trackers that are technically necessary for: 

• The purpose of connecting to a website
• Providing an internet service requested by the user 

Here are some relevant examples to understand the exemptions. Cookies used for any of the following purposes do not require prior consent:

• To identify or maintain the content uploaded by the user during a session. Eg: an online shopping cart.
• To connect the user to a service that needs authentication.
• For the User’s security.
• To perform load balancing during a session.
• To maintain user preferences such as language preference.

Understanding what constitutes consent is crucial for compliance. Let us break down the essentials of Greek cookie consent requirements influenced by GDPR.

• Users must give explicit consent for each category of cookies (affirmative action).
• Pre-checked boxes or continued scrolls are not valid consent.
• Browser presets are not valid consent.
• Users must be able to reject cookies with the same ease as accepting them, and they must be able to do both in the same number of actions/clicks.
• Inaction from the user does not constitute consent. Therefore, do not deploy non-essential cookies on user devices if they neither accept nor reject cookies.
• Consent withdrawal must be as easy as giving consent.
• Avoid blocking access to the site due to non-consent( cookie walls).
• Provide uniform accept and reject buttons to avoid influencing users to favor the “accept” option. Use buttons of the same size, color, and font.
• Regardless of whether the user accepts or rejects the cookies, the reappearance of a cookie pop-up asking about the use of cookies must be made at the same intervals. The cookies used to remember this choice are technically necessary.

As we already know, transparency is a significant element of compliance. Therefore, before obtaining consent, websites must provide information regarding the types of cookies, their purposes, the controller’s identity, who has access to the data collected by cookies, etc. 

The Greek DPA also sets out guidelines on how to provide this information.

• Information can be provided through suitable mechanisms such as a cookie banner or pop-up.
• Providing information in multiple layers is acceptable if you inform users of the categories of cookies used.
• The pop-up or banner must contain specific information about the purposes of each cookie rather than a general description.
• For each cookie or category of cookies used for the same purpose, provide the following information:
  • Duration: How long it will be active or how long the controller will retain the collected data
  • Controller’s identity: Who handles the data collected by the cookies
  • Recipients/categories of recipients: Who has access to the data collected by the cookies
• The information must be easy to read on all devices in which it is displayed.

Checklist: Greek cookie consent guidelines 

• Obtain explicit, specific consent from users before deploying non-essential cookies or other trackers on user devices.
• Ensure that users can reject cookies as easily as they can accept them.
• Do not rely on pre-checked boxes, continued scrolls, inaction, or browser presets as a form of consent.
• Ensure that consent withdrawal is as easy as giving consent.
• Do not block access to the website if the user rejects cookies.
• Provide uniform accept and reject buttons to avoid influencing users to favor the “accept” option.
• Provide clear and transparent information regarding the use of cookies to users.
• The necessary cookies must be accompanied by relevant information provided to the user.
• Cookie pop-ups asking for the use of cookies must reappear at the same intervals, whether the user accepts or rejects cookies.
• Allow users to change their consent preferences.

Implementing a cookie consent management platform is the most effective way to achieve cookie compliance. CookieYes offers a reliable solution with compliant features preventing tracking before user consent.