HDPA (Greece) - 4/2022: Difference between revisions

From GDPRhub
(shortened new summary)
(Changed the Facts to the relevant ones and divided it into different paragraphs.)
Line 86: Line 86:


=== Facts ===
=== Facts ===
The mobile telecommunications company COSMOTE (part of the OTE group of companies) announced to HDPA (Greece) that an incident of breach of personal data had occured and at the same time it made a public announcement concerning that issue. More specifically, the operating admnistrators of COSMOTE received a notification via an automated message as regards the exceedance of the storage capacity of a company's server where the data of the subscibers' calls  was stored for the period of 1/9/2020 - 5/9/2020. Moreover, an online data movement of 30GB was discovered towards that server and an external IP address belonged to a Hosting Provider from Lithuania. After some research, COSMOTE found out that from that IP address an online hacking had also occured against OTE's website. The hacker obtained administrating access by using the password of an OTE's administrator. That password was taken by the hacker because of an incident involving unintentional disclosure of password information for the LinkedIn platform. Afterwards the hacker managed to hack the Big Data system of COSMOTE from which he exported the relevant file. It also occured that four more transfers of important amount of data had taken place with the Lithuanian IP address being again the acceptor. However, the type of  data transferred was not detected. The file leaked contained among others also subscribers' information as regards their age, their gender and their gross salary. The first action caused the incident was the installation of malware to one of the OTE's servers. Based on COSMOTE's wording, that server is not supposed to be a system storing clients' data information.
In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) announced to the HDPA (Greece) that an incident of breach of personal data had occurred.
 
The starting point of the breach was a server of OTE group. The OTE group has an annual turnover of €3,258 billion.
 
The breach included a 30 GB file of personal data for the period of 1/9/2020 - 5/9/2020. The file contained subscriber data of millions of people. It consisted of numbers, base station coordinates, IMEU, IMSI, timestamp, duration of the call, provider indicator, subscription plan, age, gender, average revenue per user.
 
COSMOTE stored call data of subscribers for 3 months. It used this data for its fault management service to which it is legally obligated as telecommunications company.
 
After that period, COSMOTE supplemented the call data with further data like subscription plan, age, gender and average revenue. It “anonymised” this data set, stored it up to 12 months and used it for statistical purposes to optimise the design of their mobile network.


=== Holding ===
=== Holding ===

Revision as of 17:36, 8 February 2022

HDPA (Greece) - 4/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 28 GDPR
Article 32 GDPR
Article 35(7) GDPR
Article 83 GDPR
Article 2(3) and (4) Law 3471/2006
Article 5 Law 3471/2006
Article 6 Law 3471/2006
Article 12(1) and (5) and (6) Law 3471/2006
Type: Other
Outcome: n/a
Started:
Decided: 30.11.2021
Published: 27.01.2022
Fine: 9,100,000 EUR
Parties: Cosmote
OTE
National Case Number/Name: 4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Hellenic DPA fined the mobile telecommunications company COSMOTE €6,000,000 and OTE €3,250,000. The first for failing to carry out the data protection impact assessment properly under Article 35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not properly anonymising the data under Article 25(1) GDPR, among others. The second for failing to implement the appropriate technical and organisational measures under Article 32 GDPR.

English Summary

Facts

In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) announced to the HDPA (Greece) that an incident of breach of personal data had occurred.

The starting point of the breach was a server of OTE group. The OTE group has an annual turnover of €3,258 billion.

The breach included a 30 GB file of personal data for the period of 1/9/2020 - 5/9/2020. The file contained subscriber data of millions of people. It consisted of numbers, base station coordinates, IMEU, IMSI, timestamp, duration of the call, provider indicator, subscription plan, age, gender, average revenue per user.

COSMOTE stored call data of subscribers for 3 months. It used this data for its fault management service to which it is legally obligated as telecommunications company.

After that period, COSMOTE supplemented the call data with further data like subscription plan, age, gender and average revenue. It “anonymised” this data set, stored it up to 12 months and used it for statistical purposes to optimise the design of their mobile network.

Holding

After reviewing the facts of the case the HDPA held that the processing and storage of data of conducted calls is permitted under article 6 of Directive 2002/58/EK only for purposes regarding issuing invoices for the offered services, marketing, offering services of extra value and for impairment fixing purposes. However, for the impairment fixing purposes not all the data processed were necessary, neither was the period during which they were stored. So, COSMOTE had no legal bases for processing. Moreover, the data protection impact assessment carried out by COSMOTE was not well documented, hence a breach under Article 35(7) GDPR occured. What is more, even though COSMOTE informed the subscribers for the impairment fixing purposes, that was not in compliance with the principle of transparency under Articles 5(1)(a), 13 and 14 GDPR since that notification was not transparent as for the period of time the data were about to be used. In addition, even though COSMOTE used the personal data for statistical purposes, the HDPA held that it did so by using pseudonymisation and not anonymous data. Accordingly, COSMOTE was in breach of Article 25(1) GDPR since it did not implement propre technical and organisational measures by design and default in order to assure a propre depersonalization process of data. Lastly, COSMOTE did not inform data subjects explicitly of all their personal data being processed for statistical purposes and net's optimization. For this reason COSMOTE was in breach of Article 5(1)(a), 13 and 14 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
Following the notification of an incident of personal data breach by COSMOTE (leakage of subscriber call data during the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the legality of keeping the leaked records as well as the security measures applied. It is a file that contains subscriber traffic data and which, on the one hand, is kept for the purpose of managing problems and failures for 90 days from the making of the calls, on the other hand, the file is "anonymous" (pseudonymized) and is kept for 12 months in order to draw statistical conclusions towards the optimal design of the mobile telephony network, after being enriched with additional simple personal data.

The investigation of the case revealed a violation, by COSMOTE, of the principle of legality (articles 5 and 6 of Law 3471/2006) and the principle of transparency, due to unclear and lack of information of the subscribers (article 5 par. 1 a) and 13-14 of the General Data Protection Regulation - GCC), violation of article 35 par. 7 GCP due to incorrect conduct of the impact assessment, violation of articles 25 par. 1 due to incorrect implementation of the anonymization process, violation of article 12 par. 1 law 3471 / 2006 due to lack of security measures and violation of article 5 par. 2 in combination with articles 26 and 28 due to non-division of roles of the two companies in relation to the processing in question. OTE also found a breach of Article 32 of the ICCPR due to lack of security measures in relation to the infrastructure used in the context of the incident.

For the identified violations and taking into account the criteria of article 83 par. 2 GKPD, the Authority imposed on COSMOTE a fine of a total amount of € 6,000,000, as well as a sanction of interruption of data processing and destruction, while on OTE imposed a fine of € 3,250,000 .