HDPA (Greece) - 38/2022: Difference between revisions

From GDPRhub

Revision as of 15:40, 19 December 2022

HDPA - 38/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR; Article 5 GDPR; Article 51 GDPR; Article 55 GDPR; Law 3471/2006 Article 12; Law 4624/2019 Article 9
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.07.2022
Published: 02.12.2022
Fine: 150,000 EUR
Parties: Individuals; Vodafone
National Case Number/Name: 38/2022
European Case Law Identifier: https://www.dpa.gr/sites/default/files/2022-12/38_2022%20anonym.pdf
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a €150,000 fine on Vodafone for failing to implement appropriate technical and organisational measures to protect the security of its electronic communication services.

English Summary

Facts

Over a period of more than two years, a number of data subjects were affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) carried out by third parties who did not hold the connections in question. Vodafone (the controller) processed the SIM replacement requests submitted by these unauthorised third parties even though it claimed to have carried out an identification process intended to rule out fraudulent requests.

The data subjects filed complaints with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such breaches. The DPA investigated the controller's technical and organisational measures. After the first incidents, the controller had added a series of new measures in response to the breaches, including electronic authentication of the customer via a governmental website using verification codes or QR codes, a new e-fraud methodology, audits of customer service and training for staff.

Holding

First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data within the meaning of Article 4(1) GDPR. Under the accountability principle of Article 5(2) GDPR, the controller had to be able to demonstrate compliance with the data processing principles of Article 5(1) GDPR, including lawfulness, transparency, and integrity and confidentiality.

Second, the DPA recalled that Article 12(1) of Law 3471/06 on electronic communications obliges the provider to take appropriate technical and organisational measures to protect the security of its services and of the public electronic communications network. The DPA held that the controller had failed to implement sufficient policies and security measures in the SIM card replacement process to prevent fraud: the subscriber identification step could be passed by persons who were not the subscriber, either because the measures in place were insufficient or because existing measures were applied defectively. Even the additional measures introduced after the first incidents did not prevent further exploitation of the weaknesses in the controller's process.

Third, the DPA noted that in the event of a personal data breach the controller was obliged to inform the data subjects and the DPA without delay, in accordance with Article 12(5) of Law 3471/06. The DPA found a violation of this provision because in at least five incidents it only became aware of the breach two to three months after it had occurred.

In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of Article 12 of Law 3471/06.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority, following complaints and related notifications, became aware of incidents of unauthorized access by malicious third parties to data of mobile phone subscribers. The access took place following requests to change the SIM card of subscribers and was due to problems with the process of identifying subscribers when such requests were made, either as a result of insufficient security measures or following a faulty implementation of existing measures. The Authority assessed the number of incidents, as well as the actions of the controller in order to deal with them, and imposed a fine of 150,000 euros for the above violations of the provisions of Article 12 of Law 3471/2006.