HDPA (Greece) - 3/2022
| HDPA - 3/2022 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4(7) GDPR Article 15 GDPR Article 18 GDPR Article 58(2)(f) GDPR National Law 3917/2011 Article 6 National Law 4624/2019 Article 15 National Law 4624/2019 Article 18 |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | 3/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Greek |
| Original Source: | HDPA (in EL) |
| Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA ordered three mobile telephone service providers to suspend the processing of the destruction of data related to telephone numbers until a final decision of the DPA is adopted.
English Summary
Facts
The data subject received two short text messages (SMS) on his mobile telephone number intended to mislead him to follow hyperlinks through which a spy software would be installed. The data subject made a request to exercise the right of access under Article 15 GDPR and the right to restriction of processing under Article 18 GDPR against three mobile telephone service providers (the controllers). The DPA initiated its own investigation against the controllers concerning the installation of software on a user' device without consent and the related processing of personal data.
In response to the request, only one of the controllers provided a copy of the data and stated that the critical personal data had already been extracted and handed over to the DPA and therefore could not be destroyed. The data subject directed a complaint to the Greek DPA with a request for urgent action on the matter.
Holding
The DPA explained that during the sending and use of SMS, traffic and location data are generated and processed. If they refer to a natural person, they constitute personal data within the meaning of Article 4(7) GDPR. Furthermore, the erasure or destruction of personal data is a form of processing based on Article 4(2) GDPR.
The DPA has the power to issue an ex officio interim order for immediate total or partial temporary restriction of processing under Article 15(4)(c) and 15(8) of Law No. 4624/19, the national data protection law, in conjunction with Article 58(2) GDPR.
According to Article 6 of National Law 3917/2011, records, such as the ones in question, are to be kept for a period of 12 months from the date of the communication and should be destroyed at the end of the period of retention by an automated procedure, except those to which access has been lawfully obtained. Considering these facts, the SMS would be destroyed after the end of the above mentioned period. Due to the ongoing investigation, the DPA had to prevent the personal data from being deleted or destroyed.
Therefore, in order to exercise its supervisory powers and to ensure that the rights of the data subject are protected, the Greek DPA ordered the controllers to retain and not delete the above data personal data (traffic and location data), until the DPA releases its final decision.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Athens, 14-11-2022 Original No: 2857 Decision of the President of the Authority No 3/2022 (Single Person - Provisional Order) The President of the Authority as a unilateral body in accordance with Articles 17 par. 1 of Law No. 4624/2019 (Government Gazette A' 137), within the framework of the powers provided for in Articles, 4 para. 3(a) and 10(3)(a) and (10)(a) 4 of the Authority's Rules of Procedure (Government Gazette B 879/25.02.2022) and the powers provided for in Article 15 par. 4(c) and 8 of Law No. 4624/2019 in conjunction with Article 58 par. 2 f' of Regulation (EU) 2016/679 (GDPR), examined the case referred to below in the background to this decision. The Authority has taken note of the following: 1. As by letter C/EIS/11635/09-11-2022, A (hereinafter referred to as 'the applicant') submitted to the Authority a request for the urgent exercise of its powers. The applicant had already informed the Authority by letter C/EIS/11097/18-10-2022 following its request for an urgent procedure by letter C/EIS/11097/18-10-2022. C/EXE/2361/26-09-2022, of the content of the complaint lodged on ... with ..., which shows that he received on his mobile phone number "..." (Cosmote provider) two short text messages (SMS) intended to mislead him to follow hyperlinks through which spyware is installed. Those messages were sent (a) on ... and at ..., with the apparent sender's number "..." and (b) on ... at ..., with 1 Ave. 1-3 Kifissia Street, 11523 Athens, Greece T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr 2 the displayed sender is the number "...". The Authority is examining both this request and, on its own initiative, the installation of software on a user's terminal device without consent and the related processing of personal data. 2. Because the applicant, on ..., filed a request to exercise the right of access under Article 15 GDPR and the right of restriction under Article 18 GDPR to the mobile telephony service providers COSMOTE - MOBILE TELECOMMUNICATIONS S.A. (Cosmote), WIND HELLAS TELECOMMUNICATIONS MONOPROSOPI S.A. (Wind) and VODAFONE PANAFON Hellenic Telecommunications Company Limited (Vodafone). 3. Because Cosmote, the applicant's ISP, replied by informing that the critical data had already been extracted and handed over to the competent authorities and therefore there was no question of their destruction, and provided a copy of the data relating to the messages in question. The applicant states that Cosmote included in its reply only data included in Article 5 of Law No. 3917/2011 and not all of its data and, further, that no information was provided in relation to the sender's number. 4. Because Wind, the provider of the number shown as the sender in the first message, replied informing that no communication was found from and to this number. 5. Because Vodafone, the provider of the number that appears as the sender in the second message, replied by informing that this number has never been activated to date, and therefore no personal data of the applicant that originate from communication with this number have been processed by the company. 6. Because during the sending and use of SMS, traffic and location data are generated and processed which, if they refer to a natural person, constitute personal data within the meaning of article 4 par. 7 of the GDPR and which are processed for various purposes, including 3 including keeping for the purposes described in Chap. A' of Law no. 3917/2011. 7. Because SMS can be sent in a way that allows the information of the sender of a message to be altered (spoofing), in particular through gateways, and SMS messages can enter the network of a mobile telephony service provider via interconnected international networks. When SMS messages are introduced into a mobile service provider's network, personal data relating to the network or application from which the message originates are also generated, such as, but not limited to, those necessary for the payment of interconnections or the billing of services. In the present case, based on the responses of the providers to the applicant's requests, it is evident that a spoofing technique has been used, therefore, in order to identify the sender of the messages, the information on the origin of the messages (e.g., sending network, sending gateway) should be considered, if respected, which also constitute personal data as they are related to the applicant's number. 8. Because, according to Article 6 of Law no. 3917/2011, the data kept for the purposes of this law are retained for a period of 12 months from the date of communication and are destroyed at the end of the retention period by the provider through an automated procedure, except for those to which access has been lawfully obtained. Accordingly, the data generated during the sending and receiving of the above- mentioned short text messages on ... and ... and retained for the purposes of this law must be destroyed after one year, after ... and ... respectively. 9. Since the Authority has, on the basis of Article 15(1)(a) of the EEA Agreement, the power to adopt the following measures. 4(c) and 8 of Law No. 4624/19 in conjunction with Art. 2 f GDPR, the power to issue 4 an ex officio interim order for immediate total or partial temporary restriction of processing. 10. Since the erasure or destruction of personal data is a form of processing based on Article 4 para. 2 of the GDPR. 11. Because in order for the Authority to exercise its supervisory powers and to ensure the protection of the rights of the data subject, it is necessary to maintain and not delete the above personal data (traffic and location data). FOR THESE REASONS THE AUTHORITY Orders the electronic communication service providers WIND HELLAS TELEPOINONICS MONOPROΣOPIESS S.A., VODAFONE PANAFONE HELLENIC ANONYMOUS HELLENIC Telecommunications Company and COSMOTE - MOBILE TELECOMMUNICATIONS S.A., to suspend the processing of the destruction of the personal data related to the telephone numbers mentioned above which have been generated or processed during the sending or receiving of the above-mentioned short text messages, until the Authority issues a new decision. The President Konstantinos Menoudakos
