HDPA (Greece) - 38/2022: Difference between revisions
(changed short summary to include the amount of fine; elaborated on the facts to include arguments of the controller and provide more details as to what happened before the complaint was filed with the DPA; re-wrote the Holding and included relevant GDPR Articles, and violated provisions of the national electronic communications; please consult Style & Structure Guide) |
mNo edit summary |
||
| Line 77: | Line 77: | ||
}} | }} | ||
The Greek DPA imposed a €150,000 fine on Vodafone for lack of appropriate technical and organisational measures to protect the security of its electronic communication services. | The Greek DPA imposed a €150,000 fine on Vodafone PANAFON S.A. for the lack of appropriate technical and organisational measures to protect the security of its electronic communication services. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an | Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone PANAFON S.A. (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an identity check to rule out fraudulent behaviour. | ||
The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff. | The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff. | ||
Revision as of 09:53, 20 December 2022
| HDPA - 38/2022 | |
|---|---|
 | |
| Authority: | HDPA (Greece) |
| Jurisdiction: | Greece |
| Relevant Law: | Article 4 GDPR Article 5 GDPR Article 51 GDPR Article 55 GDPR Law 3471/2006 article 12 Law 4624/2019 article 9 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 21.07.2022 |
| Published: | 02.12.2022 |
| Fine: | 150.000 EUR |
| Parties: | Individuals Vodafone |
| National Case Number/Name: | 38/2022 |
| European Case Law Identifier: | https://www.dpa.gr/sites/default/files/2022-12/38_2022%20anonym.pdf |
| Appeal: | n/a |
| Original Language(s): | Greek Greek |
| Original Source: | HDPA (in EL) HDPA (in EL) |
| Initial Contributor: | Anastasia Tsermenidou |
The Greek DPA imposed a €150,000 fine on Vodafone PANAFON S.A. for the lack of appropriate technical and organisational measures to protect the security of its electronic communication services.
English Summary
Facts
Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone PANAFON S.A. (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an identity check to rule out fraudulent behaviour.
The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff.
Holding
First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data, in line with the definition of Article 4(1) GDPR. In accordance with Article 5(3) GDPR, the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality.
Second, the DPA recalled that Article 12(1) of Law 3471/06 on electronic communication service obliges the controller to take appropriate technical and organisational measures in order to protect the security of its services and the public electronic communications network. The DPA held that the controller failed to implement sufficient policies and security measures in the SIM card replacement process in order to prevent fraud. Even the additional measures implemented after the first incidents, were not effective in preventing further exploitation of weaknesses in the controller's policy.
Third, the DPA noted that in case of the occurrence of a data breach, the controller was obliged to inform the data subjects and the DPA about it without delay, in accordance with Article 12(5) of Law 3471/06. The DPA found a violation of this provision because in at least five incidents, the DPA only became aware of a data breach 2-3 months after it had occurred.
In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of Article 12 of Law 3471/06.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary The Authority, following complaints and related notifications, became aware of incidents of unauthorized access by malicious third parties to data of mobile phone subscribers. The access took place following requests to change the SIM card of subscribers and was due to problems with the process of identifying subscribers when such requests were made, either as a result of insufficient security measures or following a faulty implementation of existing measures. The Authority assessed the number of incidents, as well as the actions of the controller in order to deal with them, and imposed a fine of 150,000 euros for the above violations of the provisions of Article 12 of Law 3471/2006.
