HDPA (Greece) - 38/2022

From GDPRhub
HDPA - 38/2022
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 51 GDPR
Article 55 GDPR
Law 3471/2006 article 12
Law 4624/2019 article 9
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.07.2022
Published: 02.12.2022
Fine: 150.000 EUR
Parties: Individuals
Vodafone
National Case Number/Name: 38/2022
European Case Law Identifier: https://www.dpa.gr/sites/default/files/2022-12/38_2022%20anonym.pdf
Appeal: n/a
Original Language(s): Greek
Greek
Original Source: HDPA (in EL)
HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The Greek DPA imposed a €150,000 fine on Vodafone PANAFON S.A. for the lack of appropriate technical and organisational measures to protect the security of its electronic communication services.

English Summary

Facts

Over the course of over two years, a number of data subjects was affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) by third parties. Vodafone PANAFON S.A. (the controller) would comply with the request to change SIM cards by unauthorised third parties despite allegedly having carried out an identity check to rule out fraudulent behaviour.

The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening. The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had implemented a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits for customer service and training for the staff.

Holding

First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data, in line with the definition of Article 4(1) GDPR. In accordance with Article 5(3) GDPR, the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality.

Second, the DPA recalled that Article 12(1) of Law 3471/06, implementing the e-Privacy Directive, obliges the controller to take appropriate technical and organisational measures in order to protect the security of its services and the public electronic communications network. The DPA held that the controller failed to implement sufficient policies and security measures in the SIM card replacement process in order to prevent fraud. Even the additional measures implemented after the first incidents, were not effective in preventing further exploitation of weaknesses in the controller's policy.

Third, the DPA noted that in case of the occurrence of a data breach, the controller was obliged to inform the data subjects and the DPA about it without delay, in accordance with Article 12(5) of Law 3471/06. The DPA found a violation of this provision because in at least five incidents, the DPA only became aware of a data breach 2-3 months after it had occurred.

In conclusion, the DPA imposed a €150,000 fine on the controller for the violation of Article 12 of Law 3471/06.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.


Athens, 02-12-2022
Original No: 3092
DECISION 38/2022
The Personal Data Protection Authority met in plenary session, by
teleconference, on Tuesday 21-07-2022, at the invitation of its Chairman, in order to
examine the case mentioned in the background of this document. The Chairman of
the Authority, Konstantinos Menoudakos and the regular members of the Authority,
Konstantinos Lambrinoudakis, as rapporteur, Spyridon Vlahopoulos, Charalambos
Anthopoulos Christos Kalloniatis, Ekaterini Iliadou and the alternate member Maria
Psalla, in place of the regular member Gregory Tsolias, who, although legally
summoned in writing, did not attend due to his inability to attend. Spyridon
Papastergiou and Leonidas Roussos, Specialists, Computer Scientists, attended the
meeting as Rapporteur's assistants and Irini Papageorgopoulou, an official of the
Authority's Administrative Affairs Department, attended the meeting as Secretary,
by order of the Chairperson.
The Authority has taken note of the following:
The Authority received a number of complaints and notifications of personal data
breaches related to unauthorised replacement of a subscriber's sim card (sim swap)
and other procedures (e.g. call diversion, issuance of new telephone numbers) by
third parties not holding the connections in question.
Initially, the following were submitted: a) Complaint no. Γ/ΕΙΣ/7103/16-10-2020,
Γ/ΕΙΣ/7255/22-10-2020, Γ/ΕΙΣ/7299/23-10-
2020, G/EIS/7300/23-10-2020 and G/EIS/7301/23-10-2020 notifications of breaches.
In the context of the examination of these cases, the Authority sent a letter to
the mobile telephony service provider Vodafone - PANAFON S.A. (hereinafter
referred to as 'the responsible party processing', in the case
of the ή 'Vodafone') . the no. C/EΞ/7771/11-11-
2020, in which it was asked for its views regarding the relevant complaints, the
notified incidents of infringement and the general way of dealing with the issues in
question. In particular, it requested: a) A description of the policies in place regarding
the procedure for cancellation and replacement of SIM cards by a subscriber, prior to
the discovery of
the relevant incidents of infringement.
(b) A description of the changes/modifications made to these policies and
procedures following the discovery of the above-mentioned incidents of non-
compliance.
(c) A description of the policies and relevant guidelines currently applied by
subscriber service points for the SIM card cancellation and replacement process.
(d) Notification if they have identified any other similar incidents after the
implementation of the new policies and beyond those submitted to the Authority.
The company responded to the above issues with the document C/EIS/8392/07-
12-2020, according to which the measures applied by the company for the effective
identification of subscribers in cases of issuing a new SIM card or replacing a SIM
card are distinguished in 4 time periods.
1η period: policies applied by the company until April
2020.
During this period the procedures followed by the company are as follows:
(a) In case the request is submitted in person by the subscriber, in the company's
premises, the following shall be carried out by the competent persons