Greece's Hellenic Data Protection Authority (HDPA) issued 89 enforcement decisions in 2024 — a 162% increase from 34 decisions in 2022. The sharp upward trajectory reflects Greece's expanding digital economy, the HDPA's growing technical capacity, and two sectors with unique compliance challenges: tourism and maritime.
Tourism: Seasonal Mass Data Processing
Greece's tourism sector processed 30+ million international visitors in 2024 — each generating personal data through hotel check-in, payment processing, tour bookings, and restaurant POS systems. The compliance challenge is temporal: tourist data is created in massive volumes during peak season (June-September) and must be protected throughout a much longer retention period.
HDPA's 2024 enforcement focus on hotel guest data systems found systematic violations:
POS system data retention: Restaurant and retail POS systems retained payment card data and transaction histories far beyond their declared retention periods. HDPA found that many Greek hospitality businesses had no documented retention schedule — data was retained indefinitely "for accounting purposes."
Booking platform integration: Hotels using international booking platforms (which transmit guest data to overseas reservation systems) frequently lacked adequate Data Processing Agreements with platform providers or had not conducted Transfer Impact Assessments for non-EU platform transfers.
Staff access to guest data: Seasonal workers hired for peak season received access to guest PMS systems without background verification, adequate access controls, or formal termination of access at season end. HDPA found multiple cases where access credentials remained active months after seasonal employment ended.
Tourism sector accounts for 38% of HDPA enforcement cases — the highest sector concentration in Greek GDPR enforcement.
Maritime Compliance: 90,000+ Vessel Employees
Greece is the world's largest shipping nation by registered vessel tonnage. Greek-flagged vessels employ 90,000+ seafarers, and Athens-based shipping companies manage crew data for multinational fleets.
Maritime crew data presents unique GDPR compliance challenges:
Cross-border processing: Greek-flagged vessels operating internationally process crew data across multiple jurisdictions. The vessel's flag state law (Greek law, applying GDPR) applies to personal data processing aboard the vessel, regardless of where the vessel is located.
Multi-nationality crews: Modern shipping crews are often entirely non-Greek, with crew members from Philippines, Ukraine, India, and Indonesia. Their personal data — passports, seafarer certificates (STCW), medical fitness certificates — is processed in Greek-administered crew management systems.
Medical data: Maritime employment requires regular medical fitness certification. Crew health records are special category data under GDPR Article 9, requiring explicit consent or specific legal basis, heightened technical security, and restricted access.
Seafarer Certificate Numbers: STCW (Standards of Training, Certification and Watchkeeping) certificates and Seaman's Books have unique number formats by issuing country. These identifiers appear throughout crew management systems and require detection for adequate PII protection.
Greek National Identifiers: AFM and AMKA
ΑΦΜ (Αριθμός Φορολογικού Μητρώου): The 9-digit tax registration number, with a check digit validated using a weighted sum algorithm. The AFM is Greece's primary commercial identifier — appearing in all business transactions, employment records, and government services.
HDPA's 2024 technical assessment found AFM detected with only 52% accuracy by generic NLP tools. The primary failure mode: the AFM's 9-digit format matches date strings and reference numbers, generating high false positives without checksum validation; and tools miss AFM numbers formatted without spaces or with atypical separators in Greek documents.
ΑΜΚΑ (Αριθμός Μητρώου Κοινωνικής Ασφάλισης): The 11-digit social insurance number. Encoding includes birth date, gender, and a sequential component. AMKA appears in all Greek health and social security documents — employment contracts, prescription records, and hospital admission forms.
Greek national ID (Αστυνομική Ταυτότητα): Format of one letter followed by 6-7 digits, with unique issuance conventions.
Greek passport: Standard EU passport format with Greek-specific issuance conventions.
Greek Language NER Requirements
Greek uses a completely different alphabet (Greek script) from the Latin-based NLP models that most commercial tools are trained on. This creates a fundamental detection challenge: tools trained on Latin-script text cannot perform name entity recognition in Greek-script documents.
Greek-language NER requires:
- spaCy el_core_news model or equivalent Greek-language NLP
- Greek alphabet tokenization (different character ranges from Latin)
- Greek-specific name patterns (Greek names differ significantly from English/German patterns)
- Greek address format recognition ("Οδός," "Πλατεία," "Λεωφόρος")
For organizations with Greek operations — particularly in tourism and maritime — HDPA-compliant PII detection requires AFM and AMKA detection with checksum validation plus Greek-language NER support.
Sources: