HDPA (Greece) - 38/2022: Difference between revisions
(changed short summary to include the amount of fine; elaborated on the facts to include arguments of the controller and provide more details as to what happened before the complaint was filed with the DPA; re-wrote the Holding and included relevant GDPR Articles, and violated provisions of the national electronic communications; please consult Style & Structure Guide) |
(→English Machine Translation of the Decision: added automated translation) |
||
(2 intermediate revisions by the same user not shown) | |||
Line 77: | Line 77: | ||
}} | }} | ||
The Greek DPA imposed a €150,000 fine on Vodafone for lack of appropriate technical and organisational measures to protect the security of its electronic communication services. | The Greek DPA imposed a €150,000 fine on Vodafone PANAFON S.A. for the lack of appropriate technical and organisational measures to protect the security of its electronic communication services. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an | Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone PANAFON S.A. (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an identity check to rule out fraudulent behaviour. | ||
The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff. | The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff. | ||
Line 89: | Line 89: | ||
First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data, in line with the definition of [[Article 4 GDPR|Article 4(1) GDPR]]. In accordance with [[Article 5 GDPR|Article 5(3) GDPR]], the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality. | First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data, in line with the definition of [[Article 4 GDPR|Article 4(1) GDPR]]. In accordance with [[Article 5 GDPR|Article 5(3) GDPR]], the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality. | ||
Second, the DPA recalled that [https://www.informatica-juridica.com/anexos/law-3471-2006-protection-of-personal-data-and-privacy-in-the-electronic-telecommunications-sector-and-amendment-of-law-2472-1997/ Article 12(1) of Law 3471/06] | Second, the DPA recalled that [https://www.informatica-juridica.com/anexos/law-3471-2006-protection-of-personal-data-and-privacy-in-the-electronic-telecommunications-sector-and-amendment-of-law-2472-1997/ Article 12(1) of Law 3471/06], implementing the [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058 e-Privacy Directive], obliges the controller to take appropriate technical and organisational measures in order to protect the security of its services and the public electronic communications network. The DPA held that the controller failed to implement sufficient policies and security measures in the SIM card replacement process in order to prevent fraud. Even the additional measures implemented after the first incidents, were not effective in preventing further exploitation of weaknesses in the controller's policy. | ||
Third, the DPA noted that in case of the occurrence of a data breach, the controller was obliged to inform the data subjects and the DPA about it without delay, in accordance with Article 12(5) of Law 3471/06. The DPA found a violation of this provision because in at least five incidents, the DPA only became aware of a data breach 2-3 months after it had occurred. | Third, the DPA noted that in case of the occurrence of a data breach, the controller was obliged to inform the data subjects and the DPA about it without delay, in accordance with [https://www.informatica-juridica.com/anexos/law-3471-2006-protection-of-personal-data-and-privacy-in-the-electronic-telecommunications-sector-and-amendment-of-law-2472-1997/ Article 12(5) of Law 3471/06]. The DPA found a violation of this provision because in at least five incidents, the DPA only became aware of a data breach 2-3 months after it had occurred. | ||
In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of [https://www.informatica-juridica.com/anexos/law-3471-2006-protection-of-personal-data-and-privacy-in-the-electronic-telecommunications-sector-and-amendment-of-law-2472-1997/ Article 12 of Law 3471/06]. | In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of [https://www.informatica-juridica.com/anexos/law-3471-2006-protection-of-personal-data-and-privacy-in-the-electronic-telecommunications-sector-and-amendment-of-law-2472-1997/ Article 12 of Law 3471/06]. | ||
Line 105: | Line 105: | ||
<pre> | <pre> | ||
The Authority, | Athens, 02-12-2022 | ||
Original No: 3092 | |||
DECISION 38/2022 | |||
The Personal Data Protection Authority met in plenary session, by | |||
teleconference, on Tuesday 21-07-2022, at the invitation of its Chairman, in order to | |||
examine the case mentioned in the background of this document. The Chairman of | |||
the Authority, Konstantinos Menoudakos and the regular members of the Authority, | |||
Konstantinos Lambrinoudakis, as rapporteur, Spyridon Vlahopoulos, Charalambos | |||
Anthopoulos Christos Kalloniatis, Ekaterini Iliadou and the alternate member Maria | |||
Psalla, in place of the regular member Gregory Tsolias, who, although legally | |||
summoned in writing, did not attend due to his inability to attend. Spyridon | |||
Papastergiou and Leonidas Roussos, Specialists, Computer Scientists, attended the | |||
meeting as Rapporteur's assistants and Irini Papageorgopoulou, an official of the | |||
Authority's Administrative Affairs Department, attended the meeting as Secretary, | |||
by order of the Chairperson. | |||
The Authority has taken note of the following: | |||
The Authority received a number of complaints and notifications of personal data | |||
breaches related to unauthorised replacement of a subscriber's sim card (sim swap) | |||
and other procedures (e.g. call diversion, issuance of new telephone numbers) by | |||
third parties not holding the connections in question. | |||
Initially, the following were submitted: a) Complaint no. Γ/ΕΙΣ/7103/16-10-2020, | |||
Γ/ΕΙΣ/7255/22-10-2020, Γ/ΕΙΣ/7299/23-10- | |||
2020, G/EIS/7300/23-10-2020 and G/EIS/7301/23-10-2020 notifications of breaches. | |||
In the context of the examination of these cases, the Authority sent a letter to | |||
the mobile telephony service provider Vodafone - PANAFON S.A. (hereinafter | |||
referred to as 'the responsible party processing', in the case | |||
of the ή 'Vodafone') . the no. C/EΞ/7771/11-11- | |||
2020, in which it was asked for its views regarding the relevant complaints, the | |||
notified incidents of infringement and the general way of dealing with the issues in | |||
question. In particular, it requested: a) A description of the policies in place regarding | |||
the procedure for cancellation and replacement of SIM cards by a subscriber, prior to | |||
the discovery of | |||
the relevant incidents of infringement. | |||
(b) A description of the changes/modifications made to these policies and | |||
procedures following the discovery of the above-mentioned incidents of non- | |||
compliance. | |||
(c) A description of the policies and relevant guidelines currently applied by | |||
subscriber service points for the SIM card cancellation and replacement process. | |||
(d) Notification if they have identified any other similar incidents after the | |||
implementation of the new policies and beyond those submitted to the Authority. | |||
The company responded to the above issues with the document C/EIS/8392/07- | |||
12-2020, according to which the measures applied by the company for the effective | |||
identification of subscribers in cases of issuing a new SIM card or replacing a SIM | |||
card are distinguished in 4 time periods. | |||
1η period: policies applied by the company until April | |||
2020. | |||
During this period the procedures followed by the company are as follows: | |||
(a) In case the request is submitted in person by the subscriber, in the company's | |||
premises, the following shall be carried out by the competent persons | |||
</pre> | </pre> |
Latest revision as of 15:54, 20 December 2022
HDPA - 38/2022 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 4 GDPR Article 5 GDPR Article 51 GDPR Article 55 GDPR Law 3471/2006 article 12 Law 4624/2019 article 9 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.07.2022 |
Published: | 02.12.2022 |
Fine: | 150.000 EUR |
Parties: | Individuals Vodafone |
National Case Number/Name: | 38/2022 |
European Case Law Identifier: | https://www.dpa.gr/sites/default/files/2022-12/38_2022%20anonym.pdf |
Appeal: | n/a |
Original Language(s): | Greek Greek |
Original Source: | HDPA (in EL) HDPA (in EL) |
Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA imposed a €150,000 fine on Vodafone PANAFON S.A. for the lack of appropriate technical and organisational measures to protect the security of its electronic communication services.
English Summary
Facts
Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone PANAFON S.A. (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an identity check to rule out fraudulent behaviour.
The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff.
Holding
First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data, in line with the definition of Article 4(1) GDPR. In accordance with Article 5(3) GDPR, the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality.
Second, the DPA recalled that Article 12(1) of Law 3471/06, implementing the e-Privacy Directive, obliges the controller to take appropriate technical and organisational measures in order to protect the security of its services and the public electronic communications network. The DPA held that the controller failed to implement sufficient policies and security measures in the SIM card replacement process in order to prevent fraud. Even the additional measures implemented after the first incidents, were not effective in preventing further exploitation of weaknesses in the controller's policy.
Third, the DPA noted that in case of the occurrence of a data breach, the controller was obliged to inform the data subjects and the DPA about it without delay, in accordance with Article 12(5) of Law 3471/06. The DPA found a violation of this provision because in at least five incidents, the DPA only became aware of a data breach 2-3 months after it had occurred.
In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of Article 12 of Law 3471/06.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 02-12-2022 Original No: 3092 DECISION 38/2022 The Personal Data Protection Authority met in plenary session, by teleconference, on Tuesday 21-07-2022, at the invitation of its Chairman, in order to examine the case mentioned in the background of this document. The Chairman of the Authority, Konstantinos Menoudakos and the regular members of the Authority, Konstantinos Lambrinoudakis, as rapporteur, Spyridon Vlahopoulos, Charalambos Anthopoulos Christos Kalloniatis, Ekaterini Iliadou and the alternate member Maria Psalla, in place of the regular member Gregory Tsolias, who, although legally summoned in writing, did not attend due to his inability to attend. Spyridon Papastergiou and Leonidas Roussos, Specialists, Computer Scientists, attended the meeting as Rapporteur's assistants and Irini Papageorgopoulou, an official of the Authority's Administrative Affairs Department, attended the meeting as Secretary, by order of the Chairperson. The Authority has taken note of the following: The Authority received a number of complaints and notifications of personal data breaches related to unauthorised replacement of a subscriber's sim card (sim swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties not holding the connections in question. Initially, the following were submitted: a) Complaint no. Γ/ΕΙΣ/7103/16-10-2020, Γ/ΕΙΣ/7255/22-10-2020, Γ/ΕΙΣ/7299/23-10- 2020, G/EIS/7300/23-10-2020 and G/EIS/7301/23-10-2020 notifications of breaches. In the context of the examination of these cases, the Authority sent a letter to the mobile telephony service provider Vodafone - PANAFON S.A. (hereinafter referred to as 'the responsible party processing', in the case of the ή 'Vodafone') . the no. C/EΞ/7771/11-11- 2020, in which it was asked for its views regarding the relevant complaints, the notified incidents of infringement and the general way of dealing with the issues in question. In particular, it requested: a) A description of the policies in place regarding the procedure for cancellation and replacement of SIM cards by a subscriber, prior to the discovery of the relevant incidents of infringement. (b) A description of the changes/modifications made to these policies and procedures following the discovery of the above-mentioned incidents of non- compliance. (c) A description of the policies and relevant guidelines currently applied by subscriber service points for the SIM card cancellation and replacement process. (d) Notification if they have identified any other similar incidents after the implementation of the new policies and beyond those submitted to the Authority. The company responded to the above issues with the document C/EIS/8392/07- 12-2020, according to which the measures applied by the company for the effective identification of subscribers in cases of issuing a new SIM card or replacing a SIM card are distinguished in 4 time periods. 1η period: policies applied by the company until April 2020. During this period the procedures followed by the company are as follows: (a) In case the request is submitted in person by the subscriber, in the company's premises, the following shall be carried out by the competent persons