Greece: HDPA fines OTE Group €3.2M for insufficient security measures resulting in data breach

The Hellenic Data Protection Authority ('HDPA') published, on 31 January 2022, its decision No. 4/2022, in which it fined the Hellenic Telecommunications Organisation S.A., OTE Group, €3,250,000, for a violation of Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach concerning leakage of subscriber call data.

Background to the decision

In particular, the HDPA outlined that Cosmote Mobile Telecommunications S.A. reported a data breach to the HDPA and submitted various documents as requested, from which it emerged that the OTE Group should have been involved in the investigation of the incident, specifically with regard to the security measures implemented. Moreover, the HDPA noted that the data breach concerned leakage of subscriber call data between 1 September 2020 and 5 September 2020, and that this data was stored on Cosmote's server and was moved from the server to an IP address which belonged to a hosting provider in Lithuania. Additionally, the HDPA detailed that Cosmote's investigation found that a website hosted in the OTE Group's infrastructure had been hacked from the same IP address. Specifically, the HDPA highlighted that the hacker managed to gain administrative access using the password of an administrator of OTE Group, and then executed queries on Cosmote's Big Data system, from which the hacker exported the file with the subscriber call data.

Findings of the HDPA

The HDPA found that, since both Cosmote and the OTE Group are responsible for the determination of the technical and organisational security measures, the OTE Group violated Article 32(1) of the GDPR.

Outcomes

As a result of the above violation, the HDPA issued a fine of €3,250,000 to OTE.

You can read the press release here and the decision here, both only available in Greek.