Fintech in Greece 2024

Fintech in Greece 2024

Fintech in Greece 2024

FINTECH 2024

GREECE

Alexandra Th Kondyli, Nikos Askotiris, Eleana Rouga, Maria Chronak, Dimitris Passas, Dimitra Karampela, Anna Pechlivanidi, Sergios Charalambous

(Karatzas & Partners Law Firm)

FINTECH LANDSCAPE AND INITIATIVES

General innovation climate

  1. What is the general state of fintech innovation in your jurisdiction?

The fintech landscape in Greece is currently growing, considering several significant investors have entered the Greek fintech and neobank industry, particularly in connection with the carve-out of the merchant acquiring business of all four Greek systemically important banks, as well as in the field of cloud-based payments. In addition, key organizations and stakeholders (including financial institutions, universities and think tanks) have created fintech hubs and clusters, to support and promote the sustainable development of Greek fintech.

New technology-friendly legislation also has been enacted, recognizing and providing legal certainty on matters related, among others, to distributed ledger technology and smart contracts, as well as artificial intelligence (Law 4961/2022 on Emerging information and communication technologies, strengthening of digital governance and other provisions; the Digital Transformation Law).

This positive market climate, coupled with the absence of any local law peculiarities going beyond the scope of the EU financial regulatory framework, has reinforced confidence in Greece’s thriving technology ecosystem and is expected to promote innovation and lead to further development of the Greek fintech sector.

Government and regulatory support

  1. Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?

Both the central bank of Greece, the Bank of Greece (BoG), and the Hellenic Capital Market Commission (HCMC) encourage financial innovation.

The BoG has established a Regulatory Sandbox, enabling participants to carry out small-scale testing of innovations, in a controlled regulatory environment, within specified parameters and time frames, based on direct feedback and customized guidance from the regulator. The Regulatory Sandbox is aimed at facilitating innovation in Greece, through an ecosystem embracing emerging technologies, in compliance with the regulatory requirements applying to service providers. The regulatory dialogue in the context of the Regulatory Sandbox enhances legal certainty and is meant to contribute to the stability of the Greek financial system.

In addition, the BoG has created a FinTech Innovation Hub, a structure enabling the BoG to cooperate with relevant entities and provide non-binding guidance on regulatory expectations in relation to financial products, services or business models, including licensing or registration aspects of such projects. The BoG publishes the Report of its FinTech Innovation Hub on an annual basis.

The HCMC has established a Financial Innovation Hub, mainly to provide regulatory guidance to firms launching innovative financial products or services, to promote the sustainable development of fintech in Greece and to identify any need for clarification or amendment in the existing regulatory framework. The HCMC has also established a Fintech Forum that brings together academics, researchers, representatives of startup incubators or accelerators and agencies, for the dissemination of knowledge and information about the fintech industry.

FINANCIAL REGULATION

Regulatory bodies

  1. Which bodies regulate the provision of fintech products and services?

Greece follows, in principle, an institutional approach to financial supervision, in the sense that a firm’s activities (for example, an entity authorized as a credit institution, an investment firm, or an insurance company) essentially determines which regulator is entrusted with its supervision, from a safety and soundness and a business conduct perspective. As such, there are no special agencies or authorities regulating or supervising fintech products and services.

The BoG is the competent regulatory and supervisory authority for banking, financing, payment and insurance services and products, namely:

Credit institutions (the country’s four systemic credit institutions are subject to the European Central Bank’s supervision in the context of the Single Supervisory Mechanism, while less significant credit institutions continue to be subject to supervision by the Bank of Greece (BoG), subject to exceptions under EU law);

  • electronic money institutions;
  • payment institutions;
  • leasing companies;
  • factoring companies;
  • credit companies;
  • credit servicing firms;
  • bureaux de change;
  • microfinance institutions;
  • insurance companies; and
  • insurance distributors.

The Hellenic Capital Market Commission (HCMC) is the competent authority in relation to investment firms, crowdfunding platforms operators, asset managers (including alternative investment funds managers) and investment funds.

Fintech services falling under these broad categories are regulated and supervised by either the BoG or the HCMC.

Relevant also is the National Cybersecurity Authority, which is a General Directorate of the Ministry of Digital Governance; however, its supervisory scope is limited to systemic credit institutions.

Regulated activities

  1. Which activities trigger a licensing requirement in your jurisdiction?

All of the activities listed in Annex I to Directive 2013/36/EU (CRD), as transposed by article 11 of Greek Law 4261/2014 (the Banking Law) are regulated activities that trigger licensing requirements. The same applies for services listed in Section A of Annex I of Directive 2014/65/EU on markets in financial instruments (MiFID II). More specifically, activities trigger a licensing requirement include:

  • banking services (i.e, taking deposits and granting credit). Credit institutions are the sole entities that are eligible under Greek law to take and hold deposits, in terms of repayable funds;
  • provision of credit and loans on a professional basis;
  • investment services, as found under MiFID II Annex II;
  • the provision of payment services or payment-related services(third-party-providers) according to Greek Law 4537/2018 transposing Directive (EU) 2015/2366 in Greek law (the PSD2 Law). Where any service involves the issuance of e-money, a dedicated authorization to operate as an e-money institution is required according to Law 4021/2011, which transposes Directive 2009/110/EC;
  • leasing and factoring are also regulated and both require an authorization under Greek law;
  • credit companies and microfinance institutions (such as those eligible to offer ‘buy now, pay later’ services);
  • operating a bureau de change (foreign currency exchange) also requires a special license;
  • operating a crowdfunding platform;
  • managing claims, such as servicing NPL portfolios, require a special authorization for a claims management company, under Greek law; and
  • managing investment funds.

Consumer lending

  1. Is consumer lending regulated in your jurisdiction?

Greece has adopted the EU consumer protection framework. Under Greek law, a consumer is defined as any natural person acting for purposes outside the scope of their commercial, business, craft or independent professional activity.

Directive 2008/48/EC on credit agreements for consumers has been transposed into Greek law, applying to consumer credits above €200 but not exceeding €75,000. Consumer credit agreements are subject to pre-contractual and contractual information requirements (including interest rate transparency), and consumer borrowers are granted specific rights (including the right of withdrawal within 14 days of the conclusion of the credit agreement).

With respect to consumer loans relating to residential immovable property, Law 4438/2016 has transposed Directive 2014/17/EU. That law provides for precontractual information obligations, creditworthiness assessments, the valuation of real estate properties and loans denominated in foreign currencies. Mortgage credit intermediaries are regulated and subject to prior authorization.

Consumer lending-related prudential rules are supervised by the BoG, and consumer protection rules by the Ministry of Development and Investment.

Secondary market loan trading

  1. Are there restrictions on trading loans in the secondary market in your jurisdiction?

Secondary market loan trading is regulated in Greece. In particular, the transfer of loans can take place only to specific types of entities, while there is a parallel requirement to delegate the management of receivables to a special purpose vehicle that has been licensed as servicer by the BoG. The management of the receivables (including but not limited to any loan restructuring) is exclusively performed by the servicer, the latter being in compliance with the Banking Code of Conduct, which sets guidelines for designing and evaluating viable arrears resolution solutions for borrowers. The same restrictions apply equally to all subsequent transfers of receivables.

Business receivables can be transferred by way of sale to a special purpose entity in the context of securitization transactions in combination with the issuance and offer, by private placement only, of bonds, the repayment of which is funded by the proceeds from the transferred business receivables or by loans, credits or financial derivative instruments. The completion of the transfer requires certain formalities, including the registration of the transfer agreement with the pertinent public record, while the special purpose entity acquiring the business receivables must observe periodic reporting obligations with the BoG and the HCMC.

Collective investment schemes

  1. Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.

In Greece, both collective investment schemes (CIS) and the management of CISs are regulated. In general, a CIS is an investment vehicle that collects investments (funds) from the investors and creates a common pool of assets, managed collectively pursuant to a predefined investment policy.

The general regulatory regime for CIS in Greece consists of the transposition of Directive 2009/65/EU on the coordination of laws, regulations and administrative provisions relating to undertaking for collective investment in transferable securities (UCITS Directive) and Directive 2011/61/EU on Alternative Investment Fund Managers (AIFM Directive), in addition to the Greek regulatory regime that apply to specific types of CIS.

Fintech companies would not typically fall to be regulated as CIS.

Alternative investment funds

  1. Are managers of alternative investment funds regulated?

Managers of alternative investment funds are regulated in Greece under the AIFM Directive, which was transposed into Greek law by Law 4209/2013 (AIFM Law).

The AIFM Law provides for the licensing requirements, internal organizational requirements, enhanced reporting and investors disclosure obligations as well as investment and leverage restrictions.

Depending on the nature of their products or services, fintech companies will be outside the scope of the AIFM Law, if their activities do not constitute an investment fund.

Peer-to-peer and marketplace lending

  1. Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.

Peer-to-peer and marketplace lending are not specially regulated in Greece and are subject to the generally applicable regulatory provisions. The operator of a lending platform will be subject to the requirements set out in Regulation (EU) 2020/1503 (the Crowdfunding Regulation) and to prior authorization by the HCMC. Purchasing bonds issued in the context of a bond loan by a Greek société anonyme is not, in principle, a regulated activity.

Crowdfunding

  1. Describe any specific regulation of crowdfunding in your jurisdiction.

The Crowdfunding Regulation governs the provision of crowdfunding services in Greece (i.e, the matching of business funding interests of investors and project owners through the use of a crowdfunding platform). Crowdfunding services can be either lending-based or investment based (i.e, placing without a firm commitment basis of transferable securities and admitted instruments and the reception and transmission of client orders, for crowdfunding purposes).

The Crowdfunding Regulation provides for an EU-wide regulatory framework setting out a number of organizational and operational obligations, as well as of conduct of business rules. Pursuant to Greek Law 4920/2022, which transposes Directive (EU) 2020/1504 and implements the said Regulation, the HCMC has been designated as the national competent authority for licensing crowdfunding service providers established in Greece and for supervising them. Crowdfunding service providers authorized by the HCMC have a European passport for the provision of services in other EU member states on a cross-border basis or through a permanent establishment (branch), or both, following the completion of a simplified notification process.

In addition to the European Framework, HCMC offers a regulatory sandbox and a relevant forum to raise and discuss issues for, inter alia, firms providing or wishing to provide equity crowdfunding services. As of February 2023, the sandbox is operational.

Invoice trading

  1. Describe any specific regulation of invoice trading in your jurisdiction.

Pursuant to Greek Law 1905/1990, factoring, including factoring with or without recourse, the collection of receivables, the discounting of receivables and sales ledger administration are regulated activities that can be performed either by factoring companies licensed and supervised by the BoG or by banks lawfully established and operating in Greece. Factoring companies are subject to corporate governance, regulatory capital, reporting and conduct of business requirements.

Payment services

  1. Are payment services regulated in your jurisdiction?

Yes, payment services are regulated in Greece pursuant to the PSD2 Law, the relevant EU regulations and implementing regulatory provisions issued by the BoG. Only banks, payment institutions and electronic money institutions licensed by the BoG or by another EU regulator are allowed to provide payment services in Greece. All institutions entitled to provide payment services are subject to corporate governance, outsourcing and regulatory reporting requirements, as well as to the limits on the level of interchange fees set out in Regulation (EU) 2015/751.

The PSD2 Law largely reiterates the provisions of Directive (EU) 2015/2366, including the requirements in relation to credentials and authentication, safeguarding of funds, accounting and record keeping. Payment institutions and electronic money institutions are allowed to provide payment services through an agent, following a notification to the BoG.

Open banking

  1. Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?

The PSD2 Law regulates the following third-party payment services providers:

  • aggregators and account information service providers (AISPs), in relation to the online service to provide consolidated information on one or more payment accounts; and
  • payment initiation services providers (PISPs), in relation to the online initiation of orders for the transfer of funds from the payer’s payment account held at another financial institution to payment accounts of merchants, which are immediately informed of the payment initiation.

The PSD2 Law does not permit to financial institutions maintaining payment accounts from denying access to the accounts they maintain, provided an AISP or PISP is authorized, the relevant payment service user has given its explicit consent and there is no suspicion of fraud. No contractual relationship needs to exist between an AISP or PISP and the account servicing financial institution. However, the scope of this prohibition is limited to payment accounts that are accessible online.

PISPs can have access to a payer’s account either directly (through an adapted customer online banking interface) or indirectly (through a dedicated application programming interface).

The issuers of card-based payment instruments can also request confirmation on the availability of funds to process transactions depending on a payment by card.

Robo-advice

  1. Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.

Robo-advice, that is, the provision of investment advice or portfolio management services (in whole or in part) through an automated or semi-automated system, is not specifically regulated in Greek legislation. However, the supervisory expectations of the HCMC should be aligned with the relevant ‘ESMA Guidelines on certain aspects of the MiFID II suitability requirements’ (ESMA35-43-1163), which specify certain information requirements applicable to providers of robo-advice (e.g, explanation of the extent of human involvement and description of the sources of information used for the provision of investment services).

Insurance products

  1. Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?

Yes, fintech companies intending to sell or market insurance products in Greece must be registered with the competent Chamber as an insurance agent, an insurance broker, a coordinator of insurance agents or an ancillary insurance intermediary, and comply with relevant legislation, mainly Greek Law 4583/2018 transposing Directive (EU) 2016/97 (IDD) into Greek law (the IDD Law) and the regulatory provisions enacted by the BoG. Greek banks are, by definition, insurance agents. Insurance distributors registered in another EEA jurisdiction are also allowed to market insurance products in Greece, either on a cross-border basis or through a branch, following a notification process.

The kind of remuneration for each type of insurance distributor is defined in the IDD Law; for instance, an insurance agent is remunerated only through commissions paid by the insurers whose products are distributed, while an insurance broker is remunerated through commissions paid by the relevant insurer or fees paid by the customer and must not be legally or financially dependent on any insurer. The IDD Law contains a number of organizational, product governance and conduct of business rules applicable to distributors of insurance products (for instance, pre-contractual and contractual information requirements, or the requirement of prior advice to a customer, meaning that any insurance product sold must be consistent with the customer’s insurance demands and needs, as ascertained in advance by the insurance distributor). The relevant individuals must have sufficient knowledge and ability to discharge their duties, and there are specific principles and constraints applicable to the cooperation between different insurance distributors.

Credit references

  1. Are there any restrictions on providing credit references or credit information services in your jurisdiction?

The provision of credit references or credit information services is not specifically regulated in Greece. However, the relevant framework would be the Regulation 2016/679/EU on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and the Regulation 462/2013/EU on credit rating agencies.

It is noted that an anonymous interbank company, Tiresias, operates in Greece with shareholders being the largest Greek banks. Tiresias manages a credit profile databank and specializes in the collection and supply of credit profile data on corporate entities and individuals, as well as the operation of a risk consolidation system regarding consumer credit. Additionally, Tiresias develops inter-banking information systems and provides information and communication services to all parties concerned.

CROSS-BORDER REGULATION

Passporting

  1. Can regulated activities be passported into your jurisdiction?

EEA service providers have a European passport and can provide services through both an establishment (branch or tied agent) and on a cross-border basis to clients in Greece, after having completed a notification process initiated with their home state regulator. In contrast, non-EEA (third country) firms do not have any passport and cannot offer regulated services in Greece, unless they have established a branch or a subsidiary in Greece, which is licensed by the Bank of Greece (BoG) or the Hellenic Capital Market Commission (HCMC), as the case may be.

Requirement for a local presence

  1. Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?

There is no license available for the provision of financial services by non-EEA firms on cross-border basis, without establishing a branch or a subsidiary. If a fintech company intends to provide a regulated service to clients in Greece, it must have been licensed by the Greek competent authorities (the BoG or the HCMC) or by the competent regulator in another EEA jurisdiction.

SALES AND MARKETING

Restrictions

  1. What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?

Selling and marketing of financial services and products in Greece will trigger the respective licensing or passporting requirements.

Sales and marketing of financial services and products are subject to the generally applicable restrictions to marketing communication, namely, false or misleading information and unsolicited communication are prohibited, and the marketing material must be presented in an easy-to-understand manner. Minimum information requirements (e.g, risk disclosures), suitability checks or even requirements in relation to the professional skills of the individuals involved may also be applicable.

Services and products that fall within the Markets in Financial Instruments Directive (MiFID II) or the Banking Law framework are subject to the special marketing, minimum information and pre-contractual checks provided for by the relevant framework.

Where a customer qualifies as a consumer, additional requirements will apply under the consumer protection legislation (mainly Greek Law 2251/1994) (in relation to unfair general terms and conditions, misleading advertising, unfair commercial practices, et cetera), which generally transposes the relevant EU consumer protection framework.

CRYPTOASSETS AND TOKENS

Distributed ledger technology

  1. Are there rules or regulations governing the use of distributed ledger technology or blockchains?

The Digital Transformation Law introduces the concepts of distributed ledger technology (DLT), blockchain and smart contract in the Greek legal system, expressly recognizing transactions made through such novel digital tools, making use of the blockchain technology.

A smart contract is defined as the set of encoded computer functions, which is finalized and executed through DLT technology in automated electronic form, through instructions for the ‘execution’ of an action, omission or tolerance, which are based on the existence or not of specific conditions, in accordance with terms recorded directly in electronic code, programmed instructions or programmed language. The terms of a smart contract may either be formulated by the contracting parties and incorporated into the code of a computer program, or be predetermined in the blockchain or other DLT and selected or accepted by the contracting parties. It also is made clear that the parties to a smart contract are considered to be bound by it from the moment of completion of their ‘adherence’ to it.

The Digital Transformation Law created an innovative legal framework, which provides legal certainty, by extending the scope of application of the fundamental principles of the Greek Civil Code to smart contracts. Smart contracts can facilitate and render more attractive the conclusion of different types of financial contracts, such as derivative products, however the Digital Transformation Law did not regulate specifically the use of blockchain technology by fintech companies.

Cryptoassets

  1. Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?

Under the AML Law and Hellenic Capital Market Commission (HCMC) decision 5/898/3.12.2020, Virtual Currency Services Providers cannot provide any service, unless they have been registered in the specific registry established by the HCMC, by providing certain information on their AML compliance policy and internal audits, their corporate and ownership status, their management and their business plan. However, such registration does not amount to any type of licensing or authorization as a financial institution.

Apart from the above registration and generally applicable legislation regulating investment services (which may be applicable only to the limited extent that a financial instrument, e.g, a derivative in the form of a smart contract, is involved) there are no rules or regulations on the marketing and selling of cryptoassets. The PSD2 Law standards do not apply to cryptocurrencies, unless and to the extent that a payment instrument is involved.

It is noteworthy that the European Parliament is in the process of approving the Markets in Crypto-Assets Regulation (the MiCA Regulation), setting harmonized rules on cryptoassets that do not constitute financial instruments (including asset-referenced tokens, electronic money tokens and utility tokens). The MiCA Regulation is expected to provide for an authorization and passport regime for cryptoasset service providers, investor protection rules, and rules on the operation of a trading platform.

Token issuance

  1. Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?

There are no specific rules regulating the issuance and offering of tokens. To the extent a token qualifies as a transferable security within the meaning of the MiFID II Law, generally applicable financial law provisions (e.g, in relation to the publication of a prospectus) will apply. However, currently there is no provision explicitly enabling the token-based issuance of equity and debt securities.

The MiCA Regulation, after its entry into force, will regulate public offerings and the placing of cryptoassets.

ARTIFICIAL INTELLIGENCE

Artificial intelligence

  1. Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?

Subject to general data protection rules, the Digital Transformation Law provides for certain requirements applicable to businesses using artificial intelligence systems, notably that any medium-sized or large entity must keep a register of systems used, establish and implement a policy on the ethical use of data, and inform affected employees when artificial intelligence is used for purposes related to the human resources. That Law also regulates the public procurement of services related to the design or development of artificial intelligence systems, but it does not contain any specific provision on the use of artificial intelligence by fintech companies.

CHANGE OF CONTROL

Notification and consent

  1. Describe any rules relating to notification or consent requirements if a regulated business changes control.

Shareholders intending to hold, directly or indirectly, at least 10 percent (a qualifying holding) in the share capital and/or voting rights of certain regulated entities (including banks, payment institutions, electronic money institutions, investment firms, alternative investment fund managers, credit servicing firms) must submit a prior notification to the Bank of Greece (BoG) or the Hellenic Capital Market Commission (HCMC) (as the case may be), which is competent to approve or oppose the acquisition.

Prior notification and approval is also required, if it has been decided to carry out an acquisition, directly or indirectly, or the further increase, directly or indirectly, of a qualifying holding, as a result of which the proportion of voting rights or capital held would reach or exceed 20 percent, one-third or 50 percent, and/or which would result in the target entity becoming a subsidiary of the acquirer.

For these purposes, both individual shareholdings and aggregate stakes of shareholders acting in concert must be considered.

Special notification and consent requirements apply to specially regulated entities (for example, real estate investment companies).

Notification requirements apply and, under specific circumstances, additional licensing procedures are followed vis-à-vis the competent authorities when the business that a regulated entity pursues changes, as this may impact crucial licensing requirements, such as regulatory capital, internal organizational requirements, or the requisite qualified staffing.

FINANCIAL CRIME

Anti-bribery and anti-money laundering procedures

  1. Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?

Greek Law 4734/2020, which transposed Directive (EU) 2018/843 (AML 5) and amended Greek Law 4557/2018 (the AML Law), extended the scope of AML customer due diligence and reporting requirements to the providers of services for the exchange between virtual and fiat currencies and custodian wallets (the virtual currency services providers) and established a register for such service providers, maintained by the Hellenic Capital Market Commission (HCMC). Virtual currencies are defined as digital representations of value that are not issued or guaranteed by a central bank or a public authority, are not necessarily attached to a legally established currency and do not possess the legal status of currency or money but are accepted by natural or legal persons as a means of exchange and can be transferred, stored and traded electronically.

Guidance

  1. Is there regulatory or industry anti-financial crime guidance for fintech companies?

No specific guidance has been issued by any Greek competent authority, apart from HCMC decision 5/898/3.12.2020 specifying the technical aspects of registration of virtual currency services providers in the relevant HCMC register.

DATA PROTECTION AND CYBERSECURITY

Data protection

  1. What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

In Greece, there is no specific law or guidance relating fintech companies use of personal data.

The processing and transfer of personal data are generally governed by the General Data Protection Regulation (GDPR) and the following local laws:

  • Law 4624/2019 on the personal data protection authority, implementing the GDPR and transposing Directive 2016/680/EU on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties;
  • Law 3471/2006 on the protection of personal data and privacy in the Electronic telecommunications sector, which transposed the Directive 2002/58/EU on Privacy and electronic communications; and
  • Law 2472/1997 on the protection of individuals with regard to the processing of personal data, which transposed the Directive 95/56/EU (now defunct except for explicit provisions in article 84 of Law 4624/2019 implementing the GDPR into domestic legal order).

According to the GDPR, in order for any processing of personal data to be lawful must be done in accordance with the following principles:

  • the data subject has given consent to the processing for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data.

Regarding anonymization, according to recital 26 of the GDPR, where the data has been processed in such a way that it is truly anonymous (i.e, information that does not relate to an identified or identifiable natural person or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable), the principles under GDPR do not apply to the processing of this data.

With respect to any transfers of personal data to third countries or international organizations, the general rule under the GDPR is that transfers may only take place to a non-EU country if European Commission has decided that the third country, a territory or one or more specified sectors within that third country ensures an adequate level of protection. In the absence of such decision, the transfer may only take place if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available or if the requirements of article 49 GDPR are met (derogations for specific situations).

In Greece, the Hellenic Data Protection Authority is responsible for compliance with the European and Greek data protection rules.

Cybersecurity

  1. What cybersecurity regulations or standards apply to fintech businesses?

Greek Law 4577/2018, which transposes EU Directive 2016/1148/EU, concerning measures for a high common level of security of network and information systems, sets out general cybersecurity requirements for infrastructures and relevant service providers (e.g, risk identification and management, adoption of technical security measures, incident reporting). However its scope is limited, based on implementing regulatory provisions, to the Greek systemically important banks.

Specific cybersecurity requirements are also provided for in sector-specific legislation, such as the PSD2 framework or the Banking Law. The Bank of Greece (BoG) has adopted, through Executive Committee Act No. 190/2/16.6.2021, the relevant EBA Guidelines on ICT and security risk management, as well as EBA Guidelines on major incident reporting, through BoG Executive Committee Act No. 209/3/19.07.2022, respectively. These apply to the whole range of financial Institutions, save for investment firms.

It is also noteworthy that the Hellenic Cybersecurity Authority has issued a handbook and a self-assessment tool to indicate good practices (not specifically for the financial sector), which are not legally binding.

OUTSOURCING AND CLOUD COMPUTING

Outsourcing

  1. Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?

The outsourcing of critical or important functions (such as those that are necessary for the soundness, continuity and regulatory compliance of core business activities, or those that may impact the effectiveness the internal control functions) by a regulated entity is subject to regulatory constraints, subject to ongoing supervision by the Bank of Greece (BoG) or the Hellenic Capital Market Commission (HCMC), as the case may be. The outsourcing must not result in the delegation by senior management of its responsibility, and the relationship and obligations of the outsourcing firm vis-à-vis its clients must not be altered.

Depending on the type of the financial institution and the scope of the envisaged outsourcing, an outsourcing arrangement may be subject to certain minimum content requirements (including, for instance, the agreed service levels, safeguards ensuring that the outsourcing entity effectively monitors the outsourced functions and can terminate the arrangement with immediate effect (where necessary), or having in place an exit plan clarifying the consequences of termination). The BoG and the HCMC have certain information rights in relation to outsourcing arrangements, which may be subject to prior notification to the regulator and to record-keeping requirements. Outsourcing to service providers located in third countries (i.e, other than an EEA member state) is generally subject to even stricter requirements; for instance, the MiFID2 regime (Commission Delegated Regulation (EU) 2017/565) provides that an appropriate cooperation agreement should be in place between the competent authority of the outsourcer and the supervisory authority of the service provider.

Moreover, pursuant to the BoG’s Executive Committee Act 190/2/16.06.2021 transposing the EBA Guidelines on Information and Communications Technology (ICT) and Security Risk Management (EBA/GL/2019/04), regulated entities (such as banks, payment institutions, electronic money institutions, micro-credit institutions and credit companies) entering into an agreement with a third-party provider of information and communications technology (ICT) services and ICT systems, must specify in such agreement certain issues, such as data and network security, data encryption, security monitoring processes or incident handling procedures.

Cloud computing

  1. Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?

Arrangements for outsourcing to cloud service providers are subject to certain regulatory requirements. In particular, the BoG has adopted the EBA Recommendations on outsourcing to cloud service providers (EBA/REC/2017/03) through Executive Committee Act 178/5/2.10.2020, and the HCMC has also endorsed the ESMA Guidelines on outsourcing to cloud service providers (ESMA50-164-4285).

INTELLECTUAL PROPERTY RIGHTS

IP protection for software

  1. Which intellectual property rights are available to protect software, and how do you obtain those rights?

In Greece, software may be protected either as copyright pursuant to the rules of Greek copyright law (Law 2121/1993) or as patent pursuant to the rules of Greek patent Law (Law 1733/1987). In Greece, there are no registration proceedings for copyright protection. To obtain a patent on a software, a patent application shall be submitted before the Greek competent authority (i.e, the Hellenic Industrial Property Organization) and relevant filing fees shall be paid.

IP developed by employees and contractors

  1. Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?

According to the Greek copyright law (Law 2121/1993), all exploitation (economic) powers on all copyrightable works (including software) developed by an employee during the course of employment are automatically transferred to the employer (in the Greek usual practice, employment contracts include in any case an IP transfer clause in favor of the employer). If the IP has been developed by contractors or consultants, there is no automatic transfer of IP rights; however, a separate written agreement should be concluded with the creator (contractor or consultant) for the execution of the IP rights’ transfer.

Joint ownership

  1. Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?

Under the Greek copyright legislation, the creators of a work, which is the product of collaboration, are the original co-beneficiaries of the (economic) powers and moral rights on the copyrighted work. Unless otherwise agreed, the IP rights belong equally to both co-creators or joint owners. Therefore, both joint owners have the right to use and exploit their IP. Unless otherwise agreed, a license, charge or an assignment to the IP may be made if joint owners mutually agree.

Trade secrets

  1. How are trade secrets protected? Are trade secrets kept confidential during court proceedings?

In Greece, trade secrets (including confidential information) are protected according to the provisions of Law 1733/1987 (as applicable following the enactment of Law 4605/2019). Under these rules, the acquisition of a trade secret is considered legal when the trade secret comes from an independent discovery or creation. In the case of infringement of a trade secret, injunctive relief may be sought and if requested by the injured party, the court shall order the infringer, who knew or should have known that he was unlawfully acquiring, using or disclosing a trade secret, to pay the trade secret owner damages equivalent to the actual loss suffered as a result of the unlawful acquisition, use or disclosure.

In relation to court proceedings, according to Greek legislation, any person who participates in legal proceedings concerning the illegal acquisition, use or disclosure of a trade secret, or who has access to documents that are part of said legal proceedings procedures, is prohibited from using or disclosing any trade secret. Also, under the requirements of the legislation, the court may, at the request of a party, take special measures necessary to protect the confidentiality of any trade secret.

Branding

  1. What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?

In Greece, for the interested party to protect branding, it usually applies for a trademark pursuant to the provisions of the Greek trademark Law 4679/2020. To obtain a trademark right, the interested party should file a trademark application before the Greek competent authority (i.e, the Hellenic Industrial Property Organization) requesting the registration of a trademark. The trademark is protected for 10 years from the filing date and may be renewed upon payment of the required renewal fees.

Fintech businesses may ensure that they do not infringe existing brands if, before applying for a trademark registration, they conduct a pre-check on the available information on the existing trademark databases (including the EUIPO’s trademark database).

Remedies for infringement of IP

  1. What remedies are available to individuals or companies whose intellectual property rights have been infringed?

Individuals or companies whose intellectual property rights have been infringed may seek injunctive relief requesting the immediate prohibition of the infringement and compensation. In the case of copyright and trademark infringement, administrative fines (in the case of illegal distribution of computer programs or audio hardware) may be imposed and criminal penalties may also be imposed (for the illegal reproduction of copyrighted material or products illegally bearing third party’s trademarks).

COMPETITION 

Sector-specific issues

  1. Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?

There are no such specific competition issues.

In December 2022, the Hellenic Competition Commission published a fintech sectoral study, which points out that the Greek fintech market is new and still under development, and that currently there is no remarkable finding as regards cryptocurrencies or wealth and asset management or personal finance management. That said, the study stresses the need to monitor potential self-preferencing or enveloping practices and identifies certain entrance barriers to the payment infrastructure or systems market, mainly, due to the applicable regulatory constraints. It also states that the lack of interoperability of application programming interfaces, as there are no formalized technical standards, may provoke inequalities in the open banking market between incumbents and new entrants regarding client data processing.

TAX

Incentives

  1. Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?

There are no specific tax incentives available for fintech companies and the investors in Greece.

However, in Greece there are some general tax incentives to which financial technology companies and investors, among others, can be subject. For instance, research and development costs, including the depreciation of equipment used for scientific and technological research, are deducted from the gross revenue of companies at the time of their realization, increased by 100 percent.

Increased tax burden

  1. Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?

There are no specific new or proposed tax laws or guidance that would significantly increase tax or administrative costs for fintech companies in Greece.

However, fintech companies should monitor developments in the tax laws and regulations in Greece, as the tax landscape is constantly evolving and new tax laws and guidance may be introduced in the future.

IMMIGRATION

Sector-specific schemes

  1. What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?

There are no specific immigration schemes for international staff of fintech companies.

Citizens of member states of the EU, the EEA and of the Swiss Confederation (workers, self-employed persons and their family members) have the right to move and reside freely in Greece, subject to a registration requirement, when they intend to reside for a period exceeding three months, in accordance with the Greek Presidential Decree 106/2007.

Nationals of third countries (i.e, other than EU, EEA and Swiss citizens) need a residence permit. Apart from the ordinary process, there are three more procedures that can be followed to recruit skilled staff from a third country. More specifically, a third-country national wishing to be employed in a highly skilled position can apply for the EU Blue Card. The basic requirements are the conclusion of an employment contract of at least one year with a legal entity in Greece for the provision of highly specialized services with a minimum annual wage of about €32,000 and proof of high professional qualifications. According to the newly voted immigration legislation, which will apply from 1 January 2024, the minimum duration of the employment contract will be six months, and the salary should be at least equal to eight-fifths of the average gross annual salary in Greece.

In exceptional cases, when strategic investments are taking place in Greece, a more flexible and faster procedure for the administration of residence permits is available. This route presupposes a prior recommendation by the competent public authority describing the reasons for public interest and quoting the details of employees who are nationals of third countries and need to move in Greece for the purpose of the investment. This kind of residence permit is issued for a period of up to two years and may be renewed for an equal period. With effect from 1 January 2024, its duration is increased to three years.

Finally, in the case of intercorporate transfers of directors and skilled employees, the ordinary process is followed, subject to the following specific features: an intercorporate connection between the companies involved, the employee’s (or director’s) previous experience of at least 12 consecutive months in the company and the experience in and specialist knowledge of relevant entity’s activity, techniques and management. The duration of this residence permit cannot exceed three years. However, after the expiry of such a permit, the employee can apply for an EU Blue Card.

UPDATE AND TRENDS IN FINTECH IN GREECE

Current developments

  1. Are there any other current developments or emerging trends to note?

The 2020 Digital Finance Package is expected to be added to the regulatory framework applicable to the participants in the Greek fintech market. As Regulation (EU) 2022/858 (DLT Pilot Regime Regulation) has already entered into force (in a way complementing the Bank of Greece’s regulatory sandbox and allowing the experimentation with a new, more efficient financial market architecture), the much-anticipated adoption of Markets in Crypto-Assets Regulation will also help ease legal uncertainty for both regulators and market participants, regarding the use and circulation of cryptoassets and stable coins, as both investments and as means for executing payments.

At the same time, the impact of the Digital and Operational Resilience Act (Regulation), published in December 2022 but applicable only in early 2025, regarding the compliance cost to financial institutions is not yet clear. On the upside, however, fintech institutions may always benefit from a proportional to their size application of the requirements set therein, becoming, at the same time, less prone to operational risks deriving from information and communications technology disruptions, while enjoying the associated reputational benefits.

* The authors wish to thank Dimitra Karampela, Anna Pechlivanidi and Sergios Charalambous for their assistance in the preparation of this chapter.

* The information in this chapter was accurate as of April 2023.

If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)

You can also download the .docx version here.

Rate this post

“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”

NT INTERNATIONAL LAW FIRM