Greece: HDPA fines Cosmote €6M for data breach and unlawful data processing
The Hellenic Data Protection Authority ('HDPA') published, on 31 January 2022, its decision No. 4/2022, in which it fined Cosmote Mobile Telecommunications S.A. €6,000,000 for violations of Articles 5, 6, and 12(1) of Law 3471/2006 on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector and Amendment of Law 2472/1997 ('the Electronic Communications Law'), and Articles 5(1)(a), 5(2), 13, 14, 25(1), 26, 28, and 35(7) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach concerning leakage of subscriber call data.
Background to the decision
In particular, the HDPA noted that Cosmote reported a data breach to the HDPA and submitted various documents as requested, from which it emerged that the Hellenic Telecommunications Organisation S.A., OTE Group, should have been involved in the investigation of the incident, specifically with regard to the security measures implemented. Moreover, the HDPA outlined that the data breach concerned leakage of subscriber call data between 1 September 2020 and 5 September 2020, and that this data was saved on Cosmote's server and was moved from the server to an IP address which belonged to a hosting provider in Lithuania. Additionally, the HDPA detailed that Cosmote's investigation found that, from the same IP address, a website hosted in the OTE Group's infrastructure was hacked. Specifically, the HDPA highlighted that the hacker managed to gain administrative access using the password of an OTE Group administrator, and then executed queries on Cosmote's Big Data system, from which it exported the file with the subscriber call data.
Findings of the HDPA
The HDPA investigated the data breach and, as part of this investigation, examined the lawfulness of the processing. Specifically, the HDPA found that the compromised file contains subscriber traffic data which, on the one hand, is kept for 90 days from the making of the calls, for the purpose of managing problems and potential failures, and, on the other hand, is anonymised and kept for 12 months in order to draw statistical conclusions towards the optimal design of the mobile telephone network, after being enriched with additional personal data.
Following its investigation, the HDPA found that Cosmote violated:
- Articles 5 and 6 of the Electronic Communications Law, with regard to the lawfulness of the processing of personal data in the context of the provision and use of electronic communications services.
- Article 12(1) of the Electronic Communications Law for its failure to implement appropriate technical and organisational security measures to protect the security of its services, as well as the security of the public electronic communications network.
- Article 35(7) of the GDPR, for the insufficient content of the Data Protection Impact Assessment ('DPIA'), especially with regard to assessing the necessity and proportionality of the processing.
- The principle of transparency under Articles 5(1)(a), 13, and 14 of the GDPR, due to ambiguous and incomplete information provided.
- Article 25(1) of the GDPR for failing to implement appropriate technical and organisational security measures to ensure the proper implementation of the anonymisation process.
- Articles 5(2), 26, and 28 of the GDPR, because of its failure to clearly allocate the roles in the processing in question with the OTE Group. In that regard, the HDPA stated that the allocation of roles and the collaboration of the two companies should have been based on an agreement, according to Article 26 of the GDPR, in the case of joint controllership, or on another agreement or legal act, in accordance with Article 28 of the GDPR, where a processor is engaged.
For the violations of the principles of lawfulness and transparency, the HDPA considered the very long duration of the infringement (i.e. six years), the number of affected subscribers, users, or individuals, which totalled over 10,000,000, as well as the fact that, for a long period of time, no pseudonymisation measure was applied after the calls were made.
As a result of the above violations, the HDPA issued a total fine of €6,000,000 to Cosmote.