HDPA (Greece) - 39/2022
HDPA - 39/2022 | |
---|---|
Authority: | HDPA (Greece) |
Jurisdiction: | Greece |
Relevant Law: | Article 5 GDPR; Article 51 GDPR; Article 55 GDPR; Law 3471/2006 article 12; Law 4624/2019 article 9 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 21.07.2022 |
Published: | 02.12.2022 |
Fine: | 150.000 EUR |
Parties: | Individuals; Cosmote |
National Case Number/Name: | 39/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Greek |
Original Source: | HDPA (in EL) |
Initial Contributor: | Anastasia Tsermenidou |
The DPA imposed a fine on a telecommunication service provider for not implementing the appropriate technical and organisational measures to protect the security of its services.
English Summary
Facts
A number of complaints and personal data breach notifications were submitted to the Authority concerning incidents of unauthorised replacement of a subscriber's SIM card (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) carried out by third parties who did not hold the connections in question.
Holding
The Authority, following complaints and related notifications, has become aware of incidents of unauthorised access by malicious third parties to mobile subscriber data. The access took place following requests to change the SIM card of subscribers and was due to problems with the identification process of subscribers when submitting such requests, either as a result of inadequate security measures or after defective implementation of existing measures. The Authority assessed the number of incidents, as well as the actions taken by the controller to address them, and imposed a fine of EUR 150,000 for the above violations of the provisions of Article 12 of Law No. 3471/2006.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary
The Authority, following complaints and related notifications, became aware of incidents of unauthorized access by malicious third parties to data of mobile phone subscribers. The access took place following requests to change the SIM card of subscribers and was due to problems with the process of identifying subscribers when such requests were made, either as a result of insufficient security measures or following a faulty implementation of existing measures. The Authority assessed the number of incidents, as well as the actions of the controller in order to deal with them, and imposed a fine of 150,000 euros for the above violations of the provisions of Article 12 of Law 3471/2006.