HDPA (Greece) - 4/2022

From GDPRhub
Revision as of 08:24, 9 February 2022 by Hha
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 4 GDPR
Article 5(1)(b) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 28 GDPR
Article 32 GDPR
Article 35(7) GDPR
Article 83 GDPR
Article 2(3) and (4) Law 3471/2006
Article 5 Law 3471/2006
Article 6 Law 3471/2006
Article 12(1) and (5) and (6) Law 3471/2006
Type: Other
Outcome: n/a
Started:
Decided: 30.11.2021
Published: 27.01.2022
Fine: 9,100,000 EUR
Parties: Cosmote
OTE
National Case Number/Name: 4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Greek DPA fined the mobile telecommunications company COSMOTE €6,000,000 and OTE €3,250,000. COSMOTE was fined, among other things, for failing to carry out its data protection impact assessment properly under Article 35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not properly anonymising the data under Article 25(1) GDPR. OTE was fined for failing to implement appropriate technical and organisational measures under Article 32 GDPR.

English Summary

Facts

In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) notified the HDPA (Greece) of a personal data breach that had occurred at the company.

The starting point of the breach was a server of the OTE group. The OTE group has an annual turnover of €3,258 billion.

The breach involved a 30 GB file of personal data covering the period 01.09.2020 - 05.09.2020. The file contained subscriber data of millions of people. Each record consisted of the telephone number, base station coordinates, IMEI, IMSI, timestamp, call duration, provider indicator, subscription plan, age, gender and average revenue per user.

COSMOTE stored call data of subscribers for 3 months. It used this data for its fault management service. As a telecommunications provider it is legally obligated to have an effective fault management procedure to provide uninterrupted services.

After that period, COSMOTE enriched the call data with further data such as the subscription plan, age, gender and average revenue per user. It "anonymised" this data set, stored it for up to 12 months and used it for statistical purposes to optimise the design of its mobile network.

Holding

The HDPA held that COSMOTE violated:

1) Articles 5 and 6 Law 3471/2006 (national norms implementing rules of Directive 2002/58/EC). The processing and storage of traffic data can be permitted under Article 6 of Directive 2002/58/EC (Directive on privacy and electronic communications) for the purposes of billing, marketing, offering value-added services and fault management. However, recital 30 of the Directive establishes that networks and services should be designed to limit the amount of personal data necessary to a strict minimum (data minimisation). For the purpose of fault management, storing a limited subset of the traffic data, rather than all of it, would have sufficed. Furthermore, storing the data for a whole quarter was not necessary for this purpose either. COSMOTE therefore had no legal basis for the processing carried out.

2) Article 35(7) GDPR. COSMOTE based its data protection impact assessment on a procedure by the ICO (UK) consisting of answering a set of specific questions. The impact assessment, however, was not well documented by COSMOTE and did not demonstrate that all risks had been properly considered.

3) The principle of transparency under Article 5(1)(a) GDPR and Articles 13 and 14 GDPR. Even though COSMOTE informed subscribers of the processing, the notice was not precise enough, since it only spoke of "servicing the contract" and "solving network problems and improving the service". It also did not mention the three-month retention period.

4) Article 25(1) GDPR. The processing for statistical purposes (Article 89(1) GDPR) should have been carried out on anonymised data. The mechanism used by COSMOTE, however, only pseudonymised the data, which was not sufficient with regard to Article 25(1) GDPR: COSMOTE still had access to the key and could therefore decrypt the data.
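The distinction the HDPA draws in point 4, that a keyed pseudonym which the controller can still reverse is not anonymisation, is easier to see in code. The following block is an added illustration and not code from the decision, from COSMOTE or from OTE; the sample records, field names, the HMAC-based tokenisation and the fixed key are all constructed for the example. It shows that whoever keeps the key can rebuild the link to the subscriber number, and it goes one step beyond the text by checking, via a k-anonymity measure, that destroying the key alone does not prevent singling out a subscriber when quasi-identifiers such as cell coordinates, age, gender and plan remain.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample of call-record style rows (not data from the decision).
# Fields mirror the categories listed in the facts: number, base station
# coordinates, timestamp, plan, age, gender, average revenue per user.
RECORDS = [
    {"msisdn": "+30690000001", "cell": "38.00,23.70", "ts": 1599000000, "plan": "prepaid", "age": 34, "gender": "F", "arpu": 18.5},
    {"msisdn": "+30690000002", "cell": "38.00,23.70", "ts": 1599000300, "plan": "prepaid", "age": 36, "gender": "F", "arpu": 21.0},
    {"msisdn": "+30690000003", "cell": "38.01,23.72", "ts": 1599000600, "plan": "postpaid", "age": 52, "gender": "M", "arpu": 40.0},
    {"msisdn": "+30690000004", "cell": "38.01,23.72", "ts": 1599000900, "plan": "postpaid", "age": 57, "gender": "M", "arpu": 45.0},
]

# Constructed secret; in a real deployment this would live in an HSM or KMS.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _token(key: bytes, msisdn: str) -> str:
    """Keyed HMAC-SHA256 of the subscriber number, used as the pseudonym."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the subscriber number with a keyed token.

    This is pseudonymisation in the Article 4(5) GDPR sense: the token cannot
    be inverted without the key, but the holder of the key can rebuild the link.
    """
    return [{**r, "msisdn": _token(key, r["msisdn"])} for r in records]


def reidentify(pseudo_records, key: bytes, subscriber_base):
    """Recover numbers from tokens by recomputing the token over the subscriber base.

    Anyone holding the key and the subscriber list can do this, which is why
    a data set whose key the controller retains is still personal data.
    Returns None for tokens that do not match (e.g. wrong key).
    """
    lookup = {_token(key, n): n for n in subscriber_base}
    return [lookup.get(r["msisdn"]) for r in pseudo_records]


def k_anonymity(records, quasi_identifiers):
    """Smallest number of records sharing one combination of quasi-identifier values.

    k == 1 means at least one record is singled out even after the key is destroyed.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def generalise(records):
    """Coarsen the attributes that make a record unique for statistical use:
    drop the token, timestamp and revenue figure entirely and bucket age by decade."""
    return [
        {"cell": r["cell"], "plan": r["plan"], "age_band": f"{r['age'] // 10 * 10}s", "gender": r["gender"]}
        for r in records
    ]


if __name__ == "__main__":
    numbers = [r["msisdn"] for r in RECORDS]
    pseudo = pseudonymise(RECORDS, DEMO_KEY)
    print("key retained, numbers recovered:", reidentify(pseudo, DEMO_KEY, numbers))
    print("k before generalisation:", k_anonymity(RECORDS, ("cell", "plan", "age", "gender")))
    print("k after generalisation:", k_anonymity(generalise(RECORDS), ("cell", "plan", "age_band", "gender")))
```

Two observations follow from running it. First, `reidentify` succeeds for as long as the key exists anywhere in the organisation, so the statistical copy remains personal data regardless of how strong the HMAC is. Second, even with the key gone, the untouched records have k = 1 because cell coordinates, exact age, gender and plan together single out each row; only after the generalisation step do the rows become indistinguishable within their group (k = 2 on the constructed sample), which is the kind of design-stage measure Article 25(1) GDPR expects for data held for statistical purposes.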

5) Article 12(1) Law 3471/2006. Article 12(1) Law 3471/2006 provides that the provider of publicly available electronic communications services must take appropriate technical and organisational measures to protect the security of its services as well as the security of the public electronic communications network. The HDPA's investigation revealed six vulnerabilities, detailed in a confidential Annex to the decision.

6) Article 5(2) GDPR in conjunction with Articles 26 and 28 GDPR. COSMOTE and OTE did not document how their cooperation was structured, making it impossible to prove compliance with the principle of integrity and confidentiality of Article 5(1)(f) GDPR. The HDPA took the view that it did not need to establish whether OTE acted as a controller or a processor. Although the law does not explicitly require an agreement between joint controllers under Article 26 GDPR, without such an agreement it will be difficult for joint controllers to prove compliance with the principle of accountability (cf. Guidelines 7/2020 of the EDPS, § 173).

OTE violated Article 32 GDPR. OTE acted either as a (joint) controller or as a processor (see point 6 above), and appropriate technical and organisational measures were missing (see point 5 above).

When determining the amount of the fine, the HDPA took the following circumstances into account:

- Data subject to special confidentiality was processed (location data etc.)

- With regard to OTE, that administrative sanctions had already been imposed on it in the past

- Full cooperation of both companies

- That both companies took measures to contain and respond to the incident

- Absence of intent

- Ambiguity of Articles 5 and 6 Law 3471/2006

- Very long duration of the infringements (6 years)

- Millions of people affected

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
Following the notification by COSMOTE of a personal data breach (leakage of subscriber call data for the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the lawfulness of keeping the leaked records as well as the security measures applied. The file in question contains subscriber traffic data which, on the one hand, is kept for the purpose of managing problems and failures for 90 days from the making of the calls and, on the other hand, after being enriched with additional simple personal data, is kept in "anonymous" (pseudonymised) form for 12 months in order to draw statistical conclusions for the optimal design of the mobile telephony network.

The investigation of the case revealed a violation by COSMOTE of the principle of lawfulness (Articles 5 and 6 of Law 3471/2006) and of the principle of transparency, due to unclear and insufficient information given to subscribers (Article 5 par. 1 a) and Articles 13-14 of the General Data Protection Regulation - GDPR), a violation of Article 35 par. 7 GDPR due to incorrect conduct of the impact assessment, a violation of Article 25 par. 1 GDPR due to incorrect implementation of the anonymisation process, a violation of Article 12 par. 1 of Law 3471/2006 due to a lack of security measures, and a violation of Article 5 par. 2 in combination with Articles 26 and 28 GDPR due to the failure to allocate the roles of the two companies in relation to the processing in question. A breach of Article 32 GDPR was also found on the part of OTE, due to a lack of security measures in relation to the infrastructure used in the context of the incident.

For the identified violations, and taking into account the criteria of Article 83 par. 2 GDPR, the Authority imposed on COSMOTE a fine of a total amount of €6,000,000, as well as a sanction of cessation of the data processing and destruction of the data, while on OTE it imposed a fine of €3,250,000.