HDPA (Greece) - 4/2022

From GDPRhub
Revision as of 15:09, 17 February 2022 by Hha
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 13 GDPR
Article 14 GDPR
Article 25(1) GDPR
Article 26 GDPR
Article 28 GDPR
Article 32 GDPR
Article 35(7) GDPR
Article 83 GDPR
Article 2(3) and (4) Law 3471/2006
Article 5 Law 3471/2006
Article 6 Law 3471/2006
Article 12(1) and (5) and (6) Law 3471/2006
Type: Other
Outcome: n/a
Started: 09.10.2020
Decided: 30.11.2021
Published: 27.01.2022
Fine: 9,100,000 EUR
Parties: Cosmote
OTE
National Case Number/Name: 4/2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: n/a

The Greek DPA fined the mobile telecommunications company COSMOTE €6,000,000 and OTE €3,250,000. COSMOTE was fined for failing to carry out the data protection impact assessment under Article 35(7) GDPR, for not complying with the principle of transparency under Article 5(1) GDPR and for not anonymising the data under Article 25(1) GDPR, among other violations. OTE was fined for failing to implement appropriate technical and organisational measures under Article 32 GDPR.

English Summary

Facts

In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) announced to the HDPA (Greece) that it had suffered a personal data breach.

The starting point of the breach was a server of the OTE group. The OTE group has an annual turnover of €3,258 billion.

The intruder eventually obtained a 30 GB file of personal data for the period of 01.09.2020 - 05.09.2020 from one of COSMOTE's servers. The file contained subscriber data of millions of people. It consisted of the following data: phone numbers, base station coordinates, IMEI, IMSI, timestamp, duration of the call, provider indicator, subscription plan, age, gender, average revenue per user.

COSMOTE's general company policy regarding this kind of data was the following:

First, COSMOTE collected the following information: phone numbers, base station coordinates, IMEIs, IMSIs, timestamps, durations of calls, provider indicators.

Second, COSMOTE stored this data for three months. It used it for its failure management system, that is, for detecting technical failures or errors in the transmission of communications. As a telecommunications company it is legally obligated to have an effective failure management system to provide uninterrupted services.

Third, after three months it did not delete the data but supplemented it with subscription plan, age, gender and average revenue per person. It “anonymised” this file, stored it for up to 12 months and used it for statistical purposes to optimise the design of its mobile network.

The 30 GB file which was obtained by the intruder was such a supplemented file.

Holding

The HDPA held that COSMOTE violated:

1) Articles 5 and 6 Law 3471/2006 (national norms implementing rules of the Directive 2002/58/EC). The processing and storage of traffic data can be permitted under article 6 of the Directive 2002/58/EC (Directive on privacy and electronic communications) for purposes of issuing invoices, offering services of extra value, marketing and failure management. However, recital 30 of this directive establishes that the amount of personal data processed should be limited to a strict minimum of what is necessary (data minimisation). The HDPA concluded that storing a limited subset of traffic data and not all traffic data would have sufficed for the purpose of failure management. Furthermore, storing the data for such a long period (three months) was also not necessary for this purpose.

2) Article 35(7) GDPR. COSMOTE based its data protection impact assessment on a procedure by the ICO (UK) that consists of answering specific questions. The impact assessment, however, was not well documented by COSMOTE and did not demonstrate that all risks had been considered.

3) The principle of transparency according to Article 5(1)(a) GDPR and Articles 13 and 14 GDPR. Even though COSMOTE informed the subscribers of the processing, the notification was not accurate enough with regard to the purpose of failure management because it only spoke of “servicing the contract” and “solving network problems and improving the service”. The notification also did not mention the three-month storage period.

4) Article 25(1) GDPR. The processing for statistical purposes (Article 89(1) GDPR) should have been done with anonymised data. The mechanism used by COSMOTE, however, only pseudonymised the data, which was not sufficient with regard to Article 25(1) GDPR. COSMOTE still had access to the personal key and could therefore decrypt the data.

5) Article 12(1) Law 3471/2006. Article 12(1) Law 3471/2006 provides that the provider of publicly available electronic communications services must take the appropriate technical and organisational measures in order to protect the security of its services as well as the security of the public electronic communications network. The investigation of the HDPA showed six vulnerabilities detailed in a confidential Annex to the decision.

6) Article 5(2) GDPR in conjunction with Articles 26 and 28 GDPR. COSMOTE and OTE did not document how their cooperation was structured, making it impossible to prove whether they complied with the principle of integrity and confidentiality of Article 5(1)(f) GDPR. The two bodies should have based their cooperation and division of responsibilities either on an agreement under Article 26 GDPR in the case of joint liability or on a contract or other legal act under Article 28 GDPR in the case of an outsourcing of processing. Since they did neither, COSMOTE violated the principle of accountability pursuant to Article 5(2) GDPR.

OTE violated Article 32 GDPR. OTE acted either as a joint controller or as a processor (see point 6 above), and did not provide for appropriate technical and organisational measures (see point 5 above).
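
The distinction drawn in point 4 can be shown with a small added example (not taken from the decision or from COSMOTE's systems): a pseudonymised call record stays linkable to a subscriber for anyone holding the key, whereas aggregate counts with small groups suppressed carry no per-subscriber rows. The HMAC-SHA256 scheme, the record layout, the key, the sample records and the threshold `k` are all assumptions made for illustration; the summary does not describe the mechanism actually used.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: (phone number, cell, hour of day, duration in seconds)
CDRS = [
    ("306900000001", "cell-A", 9, 120),
    ("306900000002", "cell-A", 9, 45),
    ("306900000003", "cell-A", 9, 300),
    ("306900000001", "cell-B", 18, 60),
    ("306900000002", "cell-A", 10, 30),
]
SUBSCRIBERS = ["306900000001", "306900000002", "306900000003"]  # controller's own list
KEY = b"constructed-demo-key"  # assumed to be retained by the controller


def pseudonym(msisdn: str, key: bytes = KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256); an assumed scheme, not the one in the decision."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(cdrs):
    """Replace the phone number with its pseudonym; every other field is kept."""
    return [(pseudonym(m), cell, hour, dur) for m, cell, hour, dur in cdrs]


def relink(pseudo_cdrs, subscribers, key: bytes = KEY):
    """What the key holder can still do: rebuild the pseudonym -> subscriber table."""
    table = {pseudonym(m, key): m for m in subscribers}
    return [(table.get(p), cell, hour, dur) for p, cell, hour, dur in pseudo_cdrs]


def aggregate(cdrs, k: int = 3):
    """Planning statistics without subscriber-level rows: call counts per
    (cell, hour), suppressing groups with fewer than k distinct subscribers."""
    calls = Counter()
    users = {}
    for m, cell, hour, _ in cdrs:
        calls[(cell, hour)] += 1
        users.setdefault((cell, hour), set()).add(m)
    return {group: n for group, n in calls.items() if len(users[group]) >= k}
```
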

When determining the amount of the fines, the HDPA took the following circumstances into account:

- Data which is subject to special confidentiality was processed (location data etc.)

- Very long duration of the infringements (6 years)

- Millions of people affected

- Past administrative sanctions with regard to OTE

- Full cooperation of both companies

- Both companies took measures to contain and respond to the incident

- Absence of malice

- Articles 5 and 6 Law 3471/2006 being ambiguous

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Summary
Following COSMOTE's notification of a personal data breach (leakage of subscriber call data during the period 1/9/2020 - 5/9/2020), the Authority investigated the circumstances in which the incident took place and, in this context, examined the legality of keeping the leaked records as well as the security measures applied. The file in question contains subscriber traffic data. On the one hand, it is kept for 90 days from the time of the calls for the purpose of managing problems and failures; on the other hand, the file is "anonymised" (pseudonymised) and kept for 12 months in order to draw statistical conclusions for the optimal design of the mobile telephony network, after being enriched with additional simple personal data.

The investigation of the case revealed a violation, by COSMOTE, of the principle of legality (articles 5 and 6 of Law 3471/2006) and of the principle of transparency, due to unclear and insufficient information provided to subscribers (article 5 par. 1 a) and articles 13-14 of the General Data Protection Regulation - GDPR), a violation of article 35 par. 7 GDPR due to incorrect conduct of the impact assessment, a violation of article 25 par. 1 GDPR due to incorrect implementation of the anonymisation process, a violation of article 12 par. 1 of Law 3471/2006 due to lack of security measures, and a violation of article 5 par. 2 in combination with articles 26 and 28 due to the failure to allocate the roles of the two companies in relation to the processing in question. OTE was also found to have breached article 32 GDPR due to lack of security measures in relation to the infrastructure used in the context of the incident.

For the identified violations, and taking into account the criteria of article 83 par. 2 GDPR, the Authority imposed on COSMOTE a fine totalling €6,000,000, as well as a sanction of interruption of data processing and destruction, while it imposed on OTE a fine of €3,250,000.