Harris Kyriakides

Decision of the Hellenic Data Protection Authority imposing a total of €9.250.000 in fines for personal data breach and illegal processing of such data

Posted on 2 June 2022 | 2 mins read

The Hellenic Data Protection Authority (the Authority) supervises the application of the General Data Protection Regulation (GDPR) as well as other relevant laws and regulations concerning the protection of individuals from the processing of personal data in Greece.

In its recent decision dated 27/01/2022 concerning electronic communication services, the Authority imposed two separate fines for an incident of personal data breach and illegal processing of data.

In particular, following a notification of a personal data breach incident by COSMOTE (leakage of subscriber call data in September 2020), the Authority investigated the circumstances in which the incident took place and, in doing so, examined the legality of retaining the leaked records as well as the security measures in place. The incident involves a file containing subscriber traffic data which, on the one hand, is kept for 90 days from the making of the calls for the purpose of managing problems and failures and, on the other hand, in an ‘anonymous’ (pseudonymized) form enriched with additional basic personal data, is kept for 12 months in order to draw statistical conclusions towards the optimal design of the mobile network.

The investigation of the case revealed violations by COSMOTE of the principle of legality (articles 5 and 6 of law 3471/2006) and of the principle of transparency due to unclear and insufficient information provided to the subscribers (article 5 paragraph 1a and articles 13 and 14 of the GDPR), a violation of article 35(7) of the GDPR due to incorrect conduct of the impact assessment, a violation of article 25(1) of the GDPR due to incorrect implementation of the anonymization process, a violation of article 12(1) of law 3471/2006 due to lack of security measures, and a violation of article 5(2) of the GDPR in combination with articles 26 and 28 due to the failure to allocate the roles of the two companies in relation to the processing in question. The Authority also found a breach of article 32 of the GDPR by OTE due to lack of security measures in relation to the infrastructure used in the context of the incident.

For the identified violations, and considering the provisions of article 83(2) of the GDPR, the Authority imposed a €3.250.000 fine on OTE and a €6.000.000 fine on COSMOTE, ordering that the processing be terminated and the data be destroyed.

For more information please visit our website microsite Data Protection & Cyberlaw or contact [email protected].