HDPA (Greece) - 38/2022

From GDPRhub
Revision as of 20:28, 13 December 2022 by Anastasia.tsermenidou
HDPA - 38/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 51 GDPR
Article 55 GDPR
Law 3471/2006 article 12
Law 4624/2019 article 9
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.07.2022
Published: 02.12.2022
Fine: 150.000 EUR
Parties: Individuals
Vodafone
National Case Number/Name: 38/2022
European Case Law Identifier: https://www.dpa.gr/sites/default/files/2022-12/38_2022%20anonym.pdf
Appeal: n/a
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: Anastasia Tsermenidou

The DPA imposed a fine on a telecommunications provider for not implementing the appropriate technical and organisational measures to protect the security of its services.

English Summary

Facts

A number of complaints and notifications were submitted to the DPA. They concerned personal data breaches related to the unauthorised replacement of a subscriber's SIM card (SIM swap) and to other procedures (e.g. call diversion, issuance of new telephone numbers) carried out by third parties not holding the connections in question.

Holding

The DPA, following complaints and related notifications, has become aware of incidents of unauthorised access by malicious third parties to mobile subscriber data. The access took place following requests to change the SIM card of subscribers and was due to problems with the identification process of subscribers when submitting such requests, either as a result of inadequate security measures or after defective implementation of existing measures. The DPA assessed the number of incidents, as well as the actions taken by the controller to address them, and imposed a fine of EUR 150,000 for the above violations of the provisions of Article 12 of Law No. 3471/2006.

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
The Authority, following complaints and related notifications, became aware of incidents of unauthorized access by malicious third parties to data of mobile phone subscribers. The access took place following requests to change the SIM card of subscribers and was due to problems with the process of identifying subscribers when such requests were made, either as a result of insufficient security measures or following a faulty implementation of existing measures. The Authority assessed the number of incidents, as well as the actions of the controller in order to deal with them, and imposed a fine of 150,000 euros for the above violations of the provisions of Article 12 of Law 3471/2006.