HDPA (Greece) - 4/2022: Difference between revisions

From GDPRhub

Revision as of 17:41, 8 February 2022

HDPA (Greece) - 4/2022
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 28 GDPR
Article 32 GDPR
Article 35(7) GDPR
Article 83 GDPR
Article 2(3) and (4) Law 3471/2006
Article 5 Law 3471/2006
Article 6 Law 3471/2006
Article 12(1) and (5) and (6) Law 3471/2006
Type: Other
Outcome: n/a
Started:
Decided: 30.11.2021
Published: 27.01.2022
Fine: 9,100,000 EUR
Parties: Cosmote, OTE
National Case Number/Name: 4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Hellenic DPA fined the mobile telecommunications company COSMOTE €6,000,000 and OTE €3,250,000. COSMOTE was fined, among other things, for failing to carry out the data protection impact assessment properly under Article 35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not properly anonymising the data under Article 25(1) GDPR. OTE was fined for failing to implement appropriate technical and organisational measures under Article 32 GDPR.

English Summary

Facts

In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) notified the HDPA (Greece) that a personal data breach had occurred at the company.

The starting point of the breach was a server of the OTE group. The OTE group has an annual turnover of €3,258 billion.

The breach involved a 30 GB file of personal data covering the period 01.09.2020 - 05.09.2020. The file contained subscriber data of millions of people: telephone numbers, base station coordinates, IMEI, IMSI, timestamp, call duration, provider indicator, subscription plan, age, gender and average revenue per user.

COSMOTE stored subscribers' call data for 3 months and used it for its fault management service, which it is legally obliged to provide as a telecommunications company.

After that period, COSMOTE supplemented the call data with further data such as each person's subscription plan, age, gender and average revenue. It "anonymised" this data set, stored it for up to 12 months and used it for statistical purposes to optimise the design of its mobile network.

Holding

After reviewing the facts of the case, the HDPA held that the processing and storage of data on completed calls is permitted under Article 6 of Directive 2002/58/EC only for the purposes of billing the services offered, marketing, offering value-added services and fault management. However, not all of the data processed were necessary for fault management purposes, and neither was the period for which they were stored. COSMOTE therefore had no legal basis for the processing. Moreover, the data protection impact assessment carried out by COSMOTE was not well documented, so a breach of Article 35(7) GDPR occurred.

Furthermore, although COSMOTE informed subscribers about the processing for fault management purposes, this did not comply with the principle of transparency under Articles 5(1)(a), 13 and 14 GDPR, since the notice was not transparent about the period for which the data would be used. In addition, although COSMOTE used the personal data for statistical purposes, the HDPA held that it did so using pseudonymised rather than anonymous data. Accordingly, COSMOTE was in breach of Article 25(1) GDPR, since it did not implement proper technical and organisational measures by design and by default to ensure a proper depersonalisation process. Lastly, COSMOTE did not explicitly inform data subjects that all of their personal data were being processed for statistical purposes and network optimisation. For this reason COSMOTE was in breach of Articles 5(1)(a), 13 and 14 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
Following the notification by COSMOTE of a personal data breach (leakage of subscriber call data for the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the lawfulness of keeping the leaked records as well as the security measures applied. The file in question contains subscriber traffic data which, on the one hand, is kept for the purpose of managing problems and failures for 90 days from the time the calls are made and, on the other hand, after being enriched with additional basic personal data, is kept in "anonymised" (in fact pseudonymised) form for 12 months in order to draw statistical conclusions for the optimal design of the mobile telephony network.

The investigation of the case revealed, on the part of COSMOTE, a violation of the principle of lawfulness (Articles 5 and 6 of Law 3471/2006) and of the principle of transparency, due to unclear and insufficient information given to subscribers (Article 5(1)(a) and Articles 13-14 of the General Data Protection Regulation - GDPR); a violation of Article 35(7) GDPR due to the incorrect conduct of the impact assessment; a violation of Article 25(1) GDPR due to the incorrect implementation of the anonymisation process; a violation of Article 12(1) of Law 3471/2006 due to a lack of security measures; and a violation of Article 5(2) in combination with Articles 26 and 28 GDPR due to the failure to allocate the roles of the two companies in relation to the processing in question. A breach of Article 32 GDPR was also found on the part of OTE, due to a lack of security measures for the infrastructure used in the context of the incident.

For the violations identified, and taking into account the criteria of Article 83(2) GDPR, the Authority imposed on COSMOTE a fine totalling €6,000,000, together with an order to cease the processing and destroy the data, and imposed on OTE a fine of €3,250,000.