Open Letter to the European Data Protection Board: how do the latest amendments of Greek private insolvency law (aka Katseli Law – 3869/2010) severely violate GDPR provisions



Dear Sirs and Madams,

My name is Victor Tsilonis, a lawyer before the Supreme Court of Greece, registered with the Thessaloniki Bar Association and the International Criminal Court’s List of Counsel. I am also the co-founder of NEWLAW, the first platform for online legal services in Greece, implementing in practice the principles of Data Protection Law.

In the course of my practice as a lawyer, I have filed on behalf of my clients a great number of applications for personal debt-relief under Law 3869/2010 (the so-called Katseli Law), a hybrid personal insolvency Greek Law, aiming to settle the debts of natural persons and families through a judicial procedure. This law has been heavily amended in the past 8 years, most recently with Law 4549/2018 “Provisions for the Completion of the Agreement on Fiscal Objectives and Structural Reforms – Medium-Term Fiscal Strategy (MTFS) 2019-2022 and other provisions” which introduced significant changes to the conditions of applicability of Law 3869/2010.

After a thorough study of the amendments of Law 4549/2018, it has come to my attention that the conditions it introduces violate the General Data Protection Regulation.

That is because Law 4549/2018 amends Section 4 (2) of Law 3869/2010, providing for the lift of banking secrecy, which was introduced into Greek Law by Section 1 of Law 1059/1971. In effect, according to the amended provision the confidentiality of an applicant’s bank deposits will be lifted through a statement which he/she will be submitting to the Secretariat of the competent court along with the application.

Specifically, Section 58 (1) of Law 4549/2018 provides:

  1. In Section 4(2) of Law 3869/2010, subparagraphs c and d are added, as follows:

“c) a declaration by the debtor that he authorises any credit institution in Greece or abroad, until the hearing of the case, to share with the creditors, towards whom the application is directed, details regarding the movement of his bank accounts and other financial products (removal of bank secrecy guaranteed by section 1 of Law 1059/1971) for the time period starting five years before the submission of the application until the day of its hearing, as well as [that he] grants permission to the creditors, towards whom the application is directed, exclusively for the purpose of judicial and extrajudicial handling of the application, to process and share the data they store or receive from credit institutions.

  1. d) a self-declaration by the debtor that he does not have the capacity to be declared insolvent.”

This provision applies to applications submitted from 14 June 2018, hence from the publication date of Law 4549/2018 in the Government Gazette (Government Gazette A ‘105).

The problematic aspects of the Katseli law on private insolvency which contradict the GDPR

At the same time, however, the transitional provisions of Article 68 provide for the automatic and retroactive removal of bank secrecy for all pending applications from 14 September 2018, unless the debtor withdraws his application:

  1. Three months from the entry into force of this law, the declaration of Section 4(2)(c) of Law 3869/2010 shall be deemed to have been submitted for all pending applications, unless in the debtor withdraws his application before that.

Essentially, this law introduces a legal presumption that the debtor who has submitted an application and does not withdraw it before September 2018, automatically consents to the removal of bank secrecy regarding his accounts.

Such a provision, however, could be contrary to the General Data Protection Regulation 2016/679 and in particular, to the conditions required for valid consent. That is because the bank details and account movements of the debtor fall within the meaning of personal data, as data that may lead to the identification of a natural person (Article 4 (1) and Recital 20). Therefore, any declaration through which the debtor consents to the transfer and processing of such data must fulfill the conditions set out in the GDPR, namely in Article 7 and Recital 32. The latter stipulates that:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

Nevertheless, contrary to the aforementioned GDPR provision, Law 4549/2018 interprets the submission of an application to benefit from the debt-relief provisions of the Katseli Law (Law 3869/2010) as consent to the removal of bank secrecy, even if that application was submitted 7 to 8 years before the recent amendments. Furthermore, in case the debtor/ data subject does not consent to the removal of bank secrecy regarding his accounts, the latest amendment to Law 3869/2010 forces him to withdraw his application.

What is more, overly wide, retroactive consent is assumed for the transfer of bank data between the creditors and the credit institutions, that is to say between private entities. Essentially, the financial interest of the creditors is ranked by the Greek state higher than the privacy of the debtor without any appropriate justification and with extensive retroactive force. Clearly, an appropriate and GDPR compliant provision would balance the two in a more adequate manner by authorising the transfer of data only among credit institutions and the court, allowing access to the judge but not to third parties.

Finally, yet importantly, it must be stressed that the assumed “consent” of the applicant concerns an immense time period which can reach or even surpass a whole decade, given that presently the Greek courts adjudicate private insolvency petitions which might have been originally submitted in 2012 or earlier; and so, pursuant to the latest amendments the time-period of the assumed consent can extend from 2008 to 2018!

It is evident that this does not under any circumstances qualify as free, explicit or informed consent on behalf of the data subject. Given the strict requirements of the GDPR and the Opinions of Article 29 Working Party regarding the form and the conditions of consent, this new provision of Law 3869/2010 is clearly invalid in light of European personal data protection law, since it assumes consent from the debtor’s inertia.

Hence, the latest provisions’ nullification is an urgent issue which requires and justifies the European Data Protection Board’s scrutiny and close attention.

Thessaloniki, 20 July 2018

Dr. Victor Tsilonis

Παράθυρα Λογοτεχνίας για Νέους

Intellectum 10