HDPA (Greece) - 4/2022
|HDPA (Greece) - 4/2022|
|Relevant Law:||Article 5(1)(a) GDPR|
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 28 GDPR
Article 32 GDPR
Article 35(7) GDPR
Article 83 GDPR
Article 2(3) and (4) Law 3471/2006
Article 5 Law 3471/2006
Article 6 Law 3471/2006
Article 12(1) and (5) and (6) Law 3471/2006
|National Case Number/Name:||4/2022|
|European Case Law Identifier:||n/a|
|Original Source:||HDPA (in EL)|
The Greek DPA fined two mobile telecommunications company COSMOTE and its parent company OTE, €6,000,000 and €3,250,000 respectively. The first for failing to carry out the data protection impact assessment under Article 35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not anonymising the data under Article 25(1) GDPR, among others. The second for failing to implement the appropriate technical and organisational measures under Article 32 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) reported a personal data breach to the Helenic DPA (HDPA) caused by an external cyber attack.
The starting point of the breach was a server of the OTE group, which has an annual turnover of €3,258 billion.
The breach included a 30 GB file of personal data for the period of 01.09.2020 - 05.09.2020 from one of COSMOTE's servers. The file contained subscriber data of millions of people, and consisted of the following data: phone numbers, base station coordinates, IMEI, IMSI, timestamp, duration of the call, provider indicator, subscription plan, age, gender, average revenue per user.
The general company policy of COSMOTE regarding this kind of data was the following:
First, COSMOTE collected the following information: phone numbers, base station coordinates, IMEIs, IMSIs, timestamps, durations of calls, provider indicators.
Second, COSMOTE stored this data for three months. It used it for its failure management system, that means detecting technical failures or errors in the transmission of communications. As a telecommunications company it is legally obligated to have an effective failure management system to provide uninterrupted services.
Third, after three months it did not delete the data but supplemented the data with subscription plan, age, gender and the average revenue per person data. It “anonymised” this file, stored it up to 12 months and used it for statistical purposes to optimise the design of their mobile network.
The breach consisted of this 30 GB supplemented file.
Holding[edit | edit source]
The HDPA held that COSMOTE violated Articles 5 and 6 Law 3471/2006 (national law implementing the Directive 2002/58/EC Directive on privacy and electronic communications). The processing and storage of traffic data can be permitted under Article 6 Directive 2002/58/EC for the purpose of issuing invoices, offering services of extra value, marketing and failure management. However, Recital 30 of this directive establishes that the amount of personal data processed should be limited to a strict minimum (data minimisation). The HDPA concluded that storing a limited subset of traffic data and not all traffic data would have sufficed for the purpose of failure management. Furthermore, it held that storing the data for such a long period (three months) was also not necessary for this purpose.
The DPA also held that COSMOTE violated Article 35(7) GDPR because it did not properly document its Data Protection Impact Assessment (DPIA), and it did not demonstrate that all the risks had been considered. Additionally, the HDPA established that COSMOTE breached the principle of transparency according to Article 5(1)(a) GDPR, as well as Articles 13 and 14 GDPR. Even though COSMOTE informed the subscribers of the processing, the notification was not accurate enough with regard to the purpose of failure management because it only spoke of “servicing the contract” and “solving network problems and improving the service”. The notification didn't mention the three months storage period either.
Furthermore, the HDPA held that COSMOTE violated Article 25(1) GDPR, because the processing for statistical purposes under Article 89(1) GDPR should have been done with anonymised data. The mechanism provided by COSMOTE, however, only pseudonymised the data, which was not sufficient, since COSMOTE still had access to the personal key, and therefore could decrypt the data. The HDPA's investigation also showed six vulnerabilities detailed in a confidential Annex to the decision, in breach of Article 12(1) Law 3471/2006, which establishes that the provider of publicly available electronic communications services must take the appropriate technical and organisational measures in order to protect the security of its services as well as the security of the public electronic communications network.
The HDPA also found that COSMOTE and OTE did not document how their cooperation was structured, making it impossible to prove whether they complied with the principle of integrity and confidentiality of Article 5(1)(f) GDPR. The two bodies should have based their cooperation and division of responsibilities either on an agreement under Article 26 GDPR in the case of joint liability, or a contract under Article 28 GDPR in the case of an outsourcing of processing. Since they did neither, the HDPA held that COSMOTE violated the principle of accountability pursuant to Article 5(2) GDPR in conjunction with Articles 26 and 28 GDPR.
Lastly, the HDPA noted that OTE (despite not having an proper agreement specifying their role) had to implement appropriate technical and organisational measures, regardlesss of the fact that they were acting as a joint controller or as a processor, and therefore violated Article 32 GDPR.
The HDPA fined COSMOTE €6,000,000 and OTE €3,250,000. When determining the amount of the fine, the HDPA took into consideration the special confidentiality required by the data processed, the duration of the infringements (6 years), the amount of people affected, OTE's past administrative sanctions, both companies' cooperation and reaction to the incident, the absence of malice, and a certain degree of ambiguity in Articles 5 and 6 Law 3471/2006.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
Summary Following the notification of an incident of personal data breach by COSMOTE (leakage of subscriber call data during the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the legality of keeping the leaked records as well as the security measures applied. It is a file that contains subscriber traffic data and which, on the one hand, is kept for the purpose of managing problems and failures for 90 days from the making of the calls, on the other hand, the file is "anonymous" (pseudonymized) and is kept for 12 months in order to draw statistical conclusions towards the optimal design of the mobile telephony network, after being enriched with additional simple personal data. The investigation of the case revealed a violation, by COSMOTE, of the principle of legality (articles 5 and 6 of Law 3471/2006) and the principle of transparency, due to unclear and lack of information of the subscribers (article 5 par. 1 a) and 13-14 of the General Data Protection Regulation - GCC), violation of article 35 par. 7 GCP due to incorrect conduct of the impact assessment, violation of articles 25 par. 1 due to incorrect implementation of the anonymization process, violation of article 12 par. 1 law 3471 / 2006 due to lack of security measures and violation of article 5 par. 2 in combination with articles 26 and 28 due to non-division of roles of the two companies in relation to the processing in question. OTE also found a breach of Article 32 of the ICCPR due to lack of security measures in relation to the infrastructure used in the context of the incident. For the identified violations and taking into account the criteria of article 83 par. 2 GKPD, the Authority imposed on COSMOTE a fine of a total amount of € 6,000,000, as well as a sanction of interruption of data processing and destruction, while on OTE imposed a fine of € 3,250,000 .