HDPA (Greece) - 4/2022
Revision as of 16:38, 8 February 2022
| HDPA (Greece) - 4/2022 | |
|---|---|
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4 GDPR; Article 5(1)(b) GDPR; Article 5(1)(f) GDPR; Article 5(2) GDPR; Article 13 GDPR; Article 14 GDPR; Article 24 GDPR; Article 25(1) GDPR; Article 26 GDPR; Article 28 GDPR; Article 32 GDPR; Article 35(7) GDPR; Article 83 GDPR; Article 2(3) and (4) Law 3471/2006; Article 5 Law 3471/2006; Article 6 Law 3471/2006; Article 12(1), (5) and (6) Law 3471/2006 |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 30.11.2021 |
| Published: | 27.01.2022 |
| Fine: | 9,100,000 EUR |
| Parties: | Cosmote, OTE |
| National Case Number/Name: | 4/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | n/a |
The Hellenic DPA fined the mobile telecommunications company COSMOTE €6,000,000 and OTE, the group to which COSMOTE belongs, €3,250,000. COSMOTE was fined for failing to carry out its data protection impact assessment properly (Article 35(7) GDPR), for breaching the principle of transparency (Article 5(1)(a) GDPR) and for failing to implement its anonymisation procedure properly (Article 25(1) GDPR). OTE was fined for failing to implement technical and organisational measures appropriate to the risk (Article 32 GDPR).
English Summary
Facts
The mobile telecommunications company COSMOTE (part of the OTE group of companies) notified HDPA (Greece) of a personal data breach and at the same time made a public announcement about it. COSMOTE's operations administrators had received an automated alert that a company server storing subscribers' call data for the period 1/9/2020 - 5/9/2020 had exceeded its storage capacity. An online transfer of 30 GB of data involving that server and an external IP address belonging to a hosting provider in Lithuania was then discovered. On further investigation, COSMOTE found that the same IP address had also been used to attack OTE's website. The attacker obtained administrative access by using the password of an OTE administrator; that password had been exposed in an earlier incident involving the unintentional disclosure of password information for the LinkedIn platform. From there the attacker compromised COSMOTE's Big Data system and exported the file in question. Four further transfers of significant amounts of data to the same Lithuanian IP address were also identified, but the type of data transferred in those could not be determined. The leaked file contained, among other things, subscribers' age, gender and gross salary. The action that started the incident was the installation of malware on one of OTE's servers which, according to COSMOTE, was not a system intended to store customer data. In short, the chain was a password exposed through a third-party (LinkedIn) leak and accepted by an OTE administrator account, malware on an OTE server that was not meant to hold customer data, access from there to COSMOTE's Big Data system, and bulk exfiltration that came to light only through a storage-capacity alert rather than through detection of the outbound transfer itself.
Holding
After reviewing the facts, the HDPA held that the processing and storage of call data is permitted under Article 6 of Directive 2002/58/EC only for billing, marketing, the provision of value-added services and the handling of faults. For the purpose of handling faults, however, neither all of the data processed nor the period for which they were stored was necessary, so COSMOTE had no legal basis for that processing. The data protection impact assessment carried out by COSMOTE was also poorly documented, in breach of Article 35(7) GDPR. Although COSMOTE had informed subscribers about processing for fault-handling purposes, that information did not satisfy the principle of transparency under Articles 5(1)(a), 13 and 14 GDPR, since it was not clear about the period for which the data would be used. Furthermore, the data COSMOTE kept for statistical purposes (call records enriched with subscriber attributes such as age, gender and gross salary) were pseudonymised rather than anonymous, so COSMOTE was in breach of Article 25(1) GDPR for failing to implement, by design and by default, technical and organisational measures that ensured proper anonymisation. Lastly, COSMOTE did not explicitly inform data subjects that all of their personal data were being processed for statistical purposes and network optimisation, again in breach of Articles 5(1)(a), 13 and 14 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary
Following the notification of a personal data breach by COSMOTE (leakage of subscriber call data for the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances of the incident and, in that context, examined both the lawfulness of keeping the leaked records and the security measures applied. The file in question contains subscriber traffic data and is kept, on the one hand, for the purpose of managing problems and faults for 90 days from the time the calls were made and, on the other hand, in "anonymised" (in fact pseudonymised) form for 12 months, enriched with additional simple personal data, in order to draw statistical conclusions for the optimal design of the mobile telephony network. The investigation revealed, on the part of COSMOTE, a violation of the principle of lawfulness (Articles 5 and 6 of Law 3471/2006) and of the principle of transparency, owing to unclear and missing information to subscribers (Articles 5(1)(a), 13 and 14 of the General Data Protection Regulation, GDPR); a violation of Article 35(7) GDPR because the impact assessment was conducted incorrectly; a violation of Article 25(1) GDPR because the anonymisation process was implemented incorrectly; a violation of Article 12(1) of Law 3471/2006 owing to a lack of security measures; and a violation of Article 5(2) GDPR in combination with Articles 26 and 28 GDPR because the roles of the two companies in the processing in question had not been allocated. On the part of OTE, a violation of Article 32 GDPR was found owing to a lack of security measures for the infrastructure used in the course of the incident. For the violations identified, and taking into account the criteria of Article 83(2) GDPR, the Authority imposed on COSMOTE a fine totalling €6,000,000, together with an order to cease the processing and destroy the data, and on OTE a fine of €3,250,000.