Greece's Hellenic Data Protection Authority (HDPA) issued 89 enforcement decisions in 2024. That is a 162% rise from 34 decisions in 2022. Two sectors face the most pressure: tourism and maritime.
Updated for 2026
Tourism: Seasonal Mass Processing
Greece had more than 30 million foreign visitors in 2024. Each visit creates personal records. Hotels, POS systems, tour firms, and restaurants all collect them. The core problem is time. Records arrive in bulk from June to September. They must be kept safe for far longer than that.
HDPA's 2024 hotel audits found three common fault types.
POS retention faults: Restaurant POS systems held card and receipt records past stated limits. Most hotel firms had no written retention plan. Records sat with no end date, marked "for accounting."
Booking platform gaps: Hotels using global booking platforms often had no Data Processing Agreement. Many had also skipped Transfer Impact Assessments for transfers to non-EU systems.
Seasonal access faults: Peak-season workers got access to guest management systems. Checks on those workers were rare. Login credentials often stayed open months after they left.
Tourism makes up the largest share of HDPA cases by sector. See how EU national identifier detection works across Europe for a wider view.
Maritime Compliance: Crew Records at Scale
By vessel tonnage, the country leads the world in ship ownership. The Hellenic fleet employs more than 90,000 seafarers. Athens firms manage crew records for fleets with workers from many countries.
Crew records raise four GDPR problems.
Flag-state law: Flag-state law applies on the vessel no matter where it sails. GDPR covers crew record use on the ship, not just in the shore office.
Multi-national crews: Many crews have no local nationals at all. Workers from the Philippines, Ukraine, India, and Indonesia are common. Their passports, STCW cards, and health records all flow through Athens-managed systems.
Health records: Maritime jobs need regular fitness checks. Health records are a special GDPR category under Article 9. They need a clear legal basis, strong security, and tight access rules.
Seafarer ID numbers: STCW cards and Seaman's Books use unique number formats by issuing country. These IDs appear in crew systems and need detection for full PII coverage. For confidence scoring across ID types, see binary PII detection and confidence scoring.
National IDs: AFM and AMKA
ΑΦΜ (Tax Number): The AFM is a 9-digit number. A check digit is set by a weighted sum rule. It is the main commercial ID in the country. It appears in business deals, employment files, and public services.
Generic NLP tools often miss AFMs. The 9-digit pattern clashes with dates and reference codes. That leads to false positives when no checksum step runs. Tools also miss AFMs written without spaces or with odd separators.
ΑΜΚΑ (Social Insurance Number): AMKA is an 11-digit number. It holds birth date, gender, and a sequence code. It appears on employment contracts, drug prescriptions, and hospital forms.
National ID card (Αστυνομική Ταυτότητα): One letter then six or seven digits, with Hellenic issue rules.
Passport: Standard EU format with local issue rules.
Language NER for Hellenic Text
The local script is not Latin. Most commercial NLP models train on Latin text. A Latin-trained tool cannot find names or addresses in Hellenic-script files.
Sound NER for this language needs four things:
- spaCy el_core_news or an equal Hellenic NLP model
- Right tokenization for local character ranges
- Local name patterns, which differ from English and German ones
- Address terms: "Οδός" (street), "Πλατεία" (square), "Λεωφόρος" (avenue)
For firms in tourism or maritime here, HDPA-level PII detection needs AFM and AMKA checksum checks plus Hellenic NER in one pipeline.