Date of final decision: 27 January 2022
Cross-border case or national case: National case
Controller: Telecommunications companies (Cosmote / OTE)
Legal Reference: Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12), Information to be provided where personal data are collected from the data subject (Article 13), Information to be provided where personal data have not been obtained from the data subject (Article 14), Data protection by design and by default (Article 25), Security of processing (Article 32), Data protection impact assessment (Article 35), Law 3471/2006 (which incorporates Directive 2002/58/EC as amended by Directive 2009/136/EC into national law), Regulation (EU) 611/2013
Decision: Infringement of the GDPR, Fines imposed
Key words: GDPR, Data breach, Security, Data protection impact assessment, Transparency
Summary of the Decision
Origin of the case
Following a personal data breach notification (subscriber call data leakage between 1/9/2020 and 5/9/2020) by COSMOTE S.A., the Hellenic DPA investigated the circumstances under which the breach took place and, in this regard, examined the lawfulness of record-keeping in relation to leaked data, as well as the security measures applied.
The investigation of the case revealed that COSMOTE had infringed the principles of legality and transparency due to the provision of unclear and insufficient information to subscribers. The company was also found responsible for a poor data protection impact assessment, poor anonymisation, inadequate security measures, and failure to allocate the roles of the two companies (COSMOTE / OTE) in relation to the processing in question. In addition, OTE S.A. was found to have infringed Article 32 of the GDPR due to inadequate security measures in relation to the infrastructure used in the context of the breach.
The Authority, on the one hand, fined COSMOTE a total of € 6,000,000, and imposed the sanction of stopping the processing and destroying the data, and, on the other, fined OTE S.A. a total of € 3,250,000.
For further information:
Fines imposed due to personal data breach and illegal data processing by telecommunications companies (press release in English)
Decision 4/2022 (in Greek)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.