HDPA (Greece) - 3/2022

From GDPRhub
Revision as of 13:09, 23 November 2022 by Kk (talk | contribs) (→‎English Machine Translation of the Decision: added automated translation! Very important to have this in the initial submission form because it is difficult to add later)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
HDPA - 3/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4(7) GDPR
Article 15 GDPR
Article 18 GDPR
Article 58(2)(f) GDPR
National Law 3917/2011 Article 6
National Law 4624/2019 Article 15
National Law 4624/2019 Article 18
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 3/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA ordered three mobile telephone service providers to suspend the processing of the destruction of data related to telephone numbers until a final decision of the DPA is adopted.

English Summary

Facts

The data subject received two short text messages (SMS) on his mobile telephone number intended to mislead him to follow hyperlinks through which a spy software would be installed. The data subject made a request to exercise the right of access under Article 15 GDPR and the right to restriction of processing under Article 18 GDPR against three mobile telephone service providers (the controllers). The DPA initiated its own investigation against the controllers concerning the installation of software on a user' device without consent and the related processing of personal data.

In response to the request, only one of the controllers provided a copy of the data and stated that the critical personal data had already been extracted and handed over to the DPA and therefore could not be destroyed. The data subject directed a complaint to the Greek DPA with a request for urgent action on the matter.

Holding

The DPA explained that during the sending and use of SMS, traffic and location data are generated and processed. If they refer to a natural person, they constitute personal data within the meaning of Article 4(7) GDPR. Furthermore, the erasure or destruction of personal data is a form of processing based on Article 4(2) GDPR.

The DPA has the power to issue an ex officio interim order for immediate total or partial temporary restriction of processing under Article 15(4)(c) and 15(8) of Law No. 4624/19, the national data protection law, in conjunction with Article 58(2) GDPR.

According to Article 6 of National Law 3917/2011, records, such as the ones in question, are to be kept for a period of 12 months from the date of the communication and should be destroyed at the end of the period of retention by an automated procedure, except those to which access has been lawfully obtained. Considering these facts, the SMS would be destroyed after the end of the above mentioned period. Due to the ongoing investigation, the DPA had to prevent the personal data from being deleted or destroyed.

Therefore, in order to exercise its supervisory powers and to ensure that the rights of the data subject are protected, the Greek DPA ordered the controllers to retain and not delete the above data personal data (traffic and location data), until the DPA releases its final decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.


Athens, 14-11-2022
Original No: 2857
Decision of the President of the Authority No
3/2022
(Single Person - Provisional Order)
The President of the Authority as a unilateral body in accordance with Articles 17 par. 1
of Law No. 4624/2019 (Government Gazette A' 137), within the framework of the
powers provided for in Articles,
4 para. 3(a) and 10(3)(a) and (10)(a) 4 of the Authority's Rules of Procedure
(Government Gazette B 879/25.02.2022) and the powers provided for in Article 15 par.
4(c) and 8 of Law No. 4624/2019 in conjunction with Article 58 par. 2 f' of Regulation
(EU) 2016/679 (GDPR), examined the case referred to below in the background to this
decision.
The Authority has taken note of the following:
1. As by letter C/EIS/11635/09-11-2022, A (hereinafter referred to as 'the applicant')
submitted to the Authority a request for the urgent exercise of its powers. The
applicant had already informed the Authority by letter C/EIS/11097/18-10-2022
following its request for an urgent procedure by letter C/EIS/11097/18-10-2022.
C/EXE/2361/26-09-2022, of the content of the complaint lodged on ... with ..., which
shows that he received on his mobile phone number "..." (Cosmote provider) two
short text messages (SMS) intended to mislead him to follow hyperlinks through
which spyware is installed. Those messages were sent (a) on ... and at ..., with the
apparent sender's number "..." and (b) on ... at ..., with
1
Ave. 1-3 Kifissia Street, 11523 Athens, Greece
T: 210 6475 600 - E: contact@dpa.gr - www.dpa.gr
2
the displayed sender is the number "...". The Authority is examining both this request
and, on its own initiative, the installation of software on a user's terminal device
without consent and the related processing of personal data.
2. Because the applicant, on ..., filed a request to exercise the right of access under
Article 15 GDPR and the right of restriction under Article 18 GDPR to the mobile
telephony service providers COSMOTE - MOBILE TELECOMMUNICATIONS S.A.
(Cosmote), WIND HELLAS TELECOMMUNICATIONS
MONOPROSOPI S.A. (Wind) and VODAFONE PANAFON Hellenic Telecommunications
Company Limited (Vodafone).
3. Because Cosmote, the applicant's ISP, replied by informing that the critical data had
already been extracted and handed over to the competent authorities and therefore
there was no question of their destruction, and provided a copy of the data relating
to the messages in question. The applicant states that Cosmote included in its reply
only data included in Article 5 of Law No. 3917/2011 and not all of its data and,
further, that no information was provided in relation to the sender's number.
4. Because Wind, the provider of the number shown as the sender in the first message,
replied informing that no communication was found from and to this number.
5. Because Vodafone, the provider of the number that appears as the sender in the
second message, replied by informing that this number has never been activated to
date, and therefore no personal data of the applicant that originate from
communication with this number have been processed by the company.
6. Because during the sending and use of SMS, traffic and location data are generated
and processed which, if they refer to a natural person, constitute personal data
within the meaning of article 4 par. 7 of the GDPR and which are processed for
various purposes, including
3
including keeping for the purposes described in Chap. A' of Law no. 3917/2011.
7. Because SMS can be sent in a way that allows the information of the sender of a
message to be altered (spoofing), in particular through gateways, and SMS messages
can enter the network of a mobile telephony service provider via interconnected
international networks. When SMS messages are introduced into a mobile service
provider's network, personal data relating to the network or application from which
the message originates are also generated, such as, but not limited to, those
necessary for the payment of interconnections or the billing of services. In the
present case, based on the responses of the providers to the applicant's requests, it is
evident that a spoofing technique has been used, therefore, in order to identify the
sender of the messages, the information on the origin of the messages (e.g., sending
network, sending gateway) should be considered, if respected, which also constitute
personal data as they are related to the applicant's number.
8. Because, according to Article 6 of Law no. 3917/2011, the data kept for the purposes
of this law are retained for a period of 12 months from the date of communication
and are destroyed at the end of the retention period by the provider through an
automated procedure, except for those to which access has been lawfully obtained.
Accordingly, the data generated during the sending and receiving of the above-
mentioned short text messages on ... and ... and retained for the purposes of this law
must be destroyed after one year, after ... and ... respectively.
9. Since the Authority has, on the basis of Article 15(1)(a) of the EEA Agreement, the
power to adopt the following measures. 4(c) and 8 of Law No. 4624/19 in conjunction
with Art. 2 f GDPR, the power to issue
4
an ex officio interim order for immediate total or partial temporary restriction of
processing.
10. Since the erasure or destruction of personal data is a form of processing based
on Article 4 para. 2 of the GDPR.
11. Because in order for the Authority to exercise its supervisory powers and to
ensure the protection of the rights of the data subject, it is necessary to maintain and
not delete the above personal data (traffic and location data).
FOR THESE REASONS THE
AUTHORITY
Orders the electronic communication service providers WIND HELLAS TELEPOINONICS
MONOPROΣOPIESS S.A., VODAFONE PANAFONE HELLENIC ANONYMOUS HELLENIC
Telecommunications Company and COSMOTE - MOBILE TELECOMMUNICATIONS S.A., to
suspend the processing of the destruction of the personal data related to the telephone
numbers mentioned above which have been generated or processed during the sending
or receiving of the above-mentioned short text messages, until the Authority issues a
new decision.
The President
Konstantinos Menoudakos