Following a personal data breach notification (subscriber call data leakage between 1/9/2020 and 5/9/2020) by COSMOTE [MOBILE TELECOMMUNICATIONS SINGLE MEMBER S.A.], the Hellenic DPA investigated the circumstances under which the breach took place and, in this regard, examined the lawfulness of record-keeping in relation to leaked data, as well as the security measures applied. This is about a file containing subscribers' traffic data which, on the one hand, is retained in order to handle any problems and malfunctions for a period of 90 days from the date of making the calls and, on the other hand, it becomes "anonymised" (pseudonymised) and is kept for 12 months aiming to reach statistical conclusions about the optimal design of the mobile telephony network, once it has been enriched with additional simple personal data.
The investigation of the case revealed that COSMOTE had infringed the principles of legality (Articles 5 and 6 of Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector) and transparency due to the provision of unclear and insufficient information to subscribers (Article 5(1)(a) and Articles 13-14 of the General Data Protection Regulation - GDPR), as well as: (i) Article 35(7) of the GDPR due to poor data protection impact assessment; Article 25(1) due to poor anonymisation; Article 12(1) of Law 3471/2006 due to inadequate security measures taken, and Article 5(2), in conjunction with Articles 26 and 28, due to failure to allocate the roles of the two companies in relation to the processing in question. In addition, ΟΤΕ [HELLENIC TELECOMMUNICATIONS ORGANIZATION S.A.] was found to have infringed Article 32 of the GDPR due to inadequate security measures taken in relation to the infrastructure used in the context of the breach.
For the infringements found, and taking into account the criteria set forth in Article 83(2) of the GDPR, the Authority, on the one hand, fined COSMOTE a total of € 6,000,000, and imposed the sanction of stopping the processing and destroying the data, and, on the other, fined OTE a total of € 3,250,000.
Decision 4/2022 is available in Greek here.