HDPA (Greece) - 4/2022: Difference between revisions

From GDPRhub
Latest revision as of 10:37, 23 February 2022

HDPA (Greece) - 4/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 28 GDPR
Article 32 GDPR
Article 35(7) GDPR
Article 83 GDPR
Article 2(3) and (4) Law 3471/2006
Article 5 Law 3471/2006
Article 6 Law 3471/2006
Article 12(1) and (5) and (6) Law 3471/2006
Type: Other
Outcome: n/a
Started: 09.10.2020
Decided: 30.11.2021
Published: 27.01.2022
Fine: 9,100,000 EUR
Parties: Cosmote
OTE
National Case Number/Name: 4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Greek DPA fined the mobile telecommunications company COSMOTE and its parent company OTE €6,000,000 and €3,250,000 respectively. COSMOTE was fined, among other things, for failing to carry out the data protection impact assessment under Article 35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not anonymising the data under Article 25(1) GDPR. OTE was fined for failing to implement the appropriate technical and organisational measures under Article 32 GDPR.

English Summary

Facts

In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) reported to the Hellenic DPA (HDPA) a personal data breach caused by an external cyber attack.

The starting point of the breach was a server of the OTE group, which has an annual turnover of €3,258 billion.

The breach included a 30 GB file of personal data for the period of 01.09.2020 - 05.09.2020 from one of COSMOTE's servers. The file contained subscriber data of millions of people, and consisted of the following data: phone numbers, base station coordinates, IMEI, IMSI, timestamp, duration of the call, provider indicator, subscription plan, age, gender, average revenue per user.

The general company policy of COSMOTE regarding this kind of data was the following:

First, COSMOTE collected the following information: phone numbers, base station coordinates, IMEIs, IMSIs, timestamps, durations of calls, provider indicators.

Second, COSMOTE stored this data for three months. It used it for its failure management system, that is, for detecting technical failures or errors in the transmission of communications. As a telecommunications company it is legally obligated to have an effective failure management system in order to provide uninterrupted services.

Third, after three months it did not delete the data but supplemented it with each subscriber's subscription plan, age, gender and average revenue per person. It “anonymised” this file, stored it for up to 12 months and used it for statistical purposes to optimise the design of its mobile network.

The breach consisted of this 30 GB supplemented file.

Holding

The HDPA held that COSMOTE violated Articles 5 and 6 Law 3471/2006 (the national law implementing Directive 2002/58/EC, the Directive on privacy and electronic communications). The processing and storage of traffic data can be permitted under Article 6 Directive 2002/58/EC for the purposes of issuing invoices, offering value-added services, marketing and failure management. However, Recital 30 of this directive establishes that the amount of personal data processed should be limited to a strict minimum (data minimisation). The HDPA concluded that storing a limited subset of traffic data, rather than all traffic data, would have sufficed for the purpose of failure management. Furthermore, it held that storing the data for such a long period (three months) was also not necessary for this purpose.

The HDPA also held that COSMOTE violated Article 35(7) GDPR because it did not properly document its Data Protection Impact Assessment (DPIA) and did not demonstrate that all the risks had been considered. Additionally, the HDPA established that COSMOTE breached the principle of transparency under Article 5(1)(a) GDPR, as well as Articles 13 and 14 GDPR. Even though COSMOTE informed the subscribers of the processing, the notification was not accurate enough with regard to the purpose of failure management, because it only spoke of “servicing the contract” and “solving network problems and improving the service”. The notification did not mention the three-month storage period either.

Furthermore, the HDPA held that COSMOTE violated Article 25(1) GDPR, because the processing for statistical purposes under Article 89(1) GDPR should have been done with anonymised data. The mechanism provided by COSMOTE, however, only pseudonymised the data, which was not sufficient, since COSMOTE still had access to the personal key, and therefore could decrypt the data. The HDPA's investigation also showed six vulnerabilities detailed in a confidential Annex to the decision, in breach of Article 12(1) Law 3471/2006, which establishes that the provider of publicly available electronic communications services must take the appropriate technical and organisational measures in order to protect the security of its services as well as the security of the public electronic communications network.
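To make the pseudonymisation point above concrete, here is an added Python sketch (not part of the decision and not COSMOTE's actual mechanism): a keyed HMAC tag stands in for whatever keyed scheme was used, the subscriber directory, traffic records, key and field subset are all constructed, and the fault-management field list is our assumption. It shows that the controller holding the key re-links every record, that enriching the set with plan, age and gender presupposes exactly that re-linking, and what a minimised fault-management subset and a retention check look like.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample data (not from the decision): a subscriber directory the
# controller holds anyway, plus traffic records with the field types the
# summary lists (phone number, IMSI, IMEI, base station, timestamp, duration).
SUBSCRIBERS = {
    "+306900000001": {"plan": "postpaid-L", "age": 41, "gender": "F"},
    "+306900000002": {"plan": "prepaid-S", "age": 23, "gender": "M"},
}
TRAFFIC = [
    {"msisdn": "+306900000001", "imsi": "202010000000001", "imei": "350000000000001",
     "cell": (37.9838, 23.7275), "ts": "2020-09-01", "duration_s": 120},
    {"msisdn": "+306900000002", "imsi": "202010000000002", "imei": "350000000000002",
     "cell": (37.9715, 23.7257), "ts": "2020-09-05", "duration_s": 45},
]
DIRECT_IDENTIFIERS = ("msisdn", "imsi", "imei")
# Hypothetical subset a fault-management purpose might need (our assumption).
FAULT_MGMT_FIELDS = ("cell", "ts", "duration_s")


def _tag(key, msisdn):
    """Keyed pseudonym: anyone who holds `key` can recompute this tag."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Strip direct identifiers and replace them with a keyed tag."""
    return [{"sub": _tag(key, r["msisdn"]),
             **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}}
            for r in records]


def reidentify(pseudo_records, key, directory):
    """Re-link tags to phone numbers by recomputing the HMAC over the
    directory the controller already has. Returns {tag: phone number}."""
    table = {_tag(key, n): n for n in directory}
    return {r["sub"]: table[r["sub"]] for r in pseudo_records if r["sub"] in table}


def relink_rate(pseudo_records, key, directory):
    """Fraction of records that the key holder can attribute to a person.
    1.0 means the data is pseudonymous, not anonymous, for that holder."""
    return len(reidentify(pseudo_records, key, directory)) / len(pseudo_records)


def enrich(pseudo_records, key, directory):
    """The step the summary describes: supplement the 'anonymised' file with
    plan, age and gender. It only works because the key still identifies
    the subscriber, which is the HDPA's objection in a nutshell."""
    links = reidentify(pseudo_records, key, directory)
    return [{**r, **directory[links[r["sub"]]]} for r in pseudo_records]


def minimise_for_fault_management(records):
    """Data minimisation (Recital 30): keep only the fields the purpose needs."""
    return [{k: r[k] for k in FAULT_MGMT_FIELDS} for r in records]


def expired_count(records, today_iso, max_days):
    """How many records are older than the retention period and should be gone."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_days)
    return sum(1 for r in records if date.fromisoformat(r["ts"]) < cutoff)
```

Swapping in a different key in `relink_rate` drops the rate to zero, which is the whole point: the protection rests entirely on who holds the key.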

The HDPA also found that COSMOTE and OTE did not document how their cooperation was structured, making it impossible to prove whether they complied with the principle of integrity and confidentiality under Article 5(1)(f) GDPR. The two companies should have based their cooperation and division of responsibilities either on an agreement under Article 26 GDPR, in the case of joint controllership, or on a contract under Article 28 GDPR, in the case of outsourced processing. Since they did neither, the HDPA held that COSMOTE violated the principle of accountability pursuant to Article 5(2) GDPR in conjunction with Articles 26 and 28 GDPR.

Lastly, the HDPA noted that OTE (despite the absence of a proper agreement specifying its role) had to implement appropriate technical and organisational measures regardless of whether it was acting as a joint controller or as a processor, and therefore violated Article 32 GDPR.

The HDPA fined COSMOTE €6,000,000 and OTE €3,250,000. When determining the amount of the fines, the HDPA took into consideration the special confidentiality required by the data processed, the duration of the infringements (6 years), the number of people affected, OTE's past administrative sanctions, both companies' cooperation and reaction to the incident, the absence of malice, and a certain degree of ambiguity in Articles 5 and 6 Law 3471/2006.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
Following the notification of an incident of personal data breach by COSMOTE (leakage of subscriber call data during the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the legality of keeping the leaked records as well as the security measures applied. It is a file that contains subscriber traffic data and which, on the one hand, is kept for the purpose of managing problems and failures for 90 days from the making of the calls, on the other hand, the file is "anonymous" (pseudonymized) and is kept for 12 months in order to draw statistical conclusions towards the optimal design of the mobile telephony network, after being enriched with additional simple personal data.

The investigation of the case revealed a violation, by COSMOTE, of the principle of legality (articles 5 and 6 of Law 3471/2006) and the principle of transparency, due to unclear and lack of information of the subscribers (article 5 par. 1 a) and 13-14 of the General Data Protection Regulation - GCC), violation of article 35 par. 7 GCP due to incorrect conduct of the impact assessment, violation of articles 25 par. 1 due to incorrect implementation of the anonymization process, violation of article 12 par. 1 law 3471 / 2006 due to lack of security measures and violation of article 5 par. 2 in combination with articles 26 and 28 due to non-division of roles of the two companies in relation to the processing in question. OTE also found a breach of Article 32 of the ICCPR due to lack of security measures in relation to the infrastructure used in the context of the incident.

For the identified violations and taking into account the criteria of article 83 par. 2 GKPD, the Authority imposed on COSMOTE a fine of a total amount of €6,000,000, as well as a sanction of interruption of data processing and destruction, while on OTE imposed a fine of €3,250,000.