Unlawful data processing and a personal data breach have led to record fines by the Hellenic DPA on two telecommunications companies.
An investigation into a personal data breach has resulted in two companies being fined €6 million and €3.25 million respectively. COSMOTE and OTE were fined for various GDPR violations after the Hellenic DPA investigated a data leak which took place in September 2020. Subscribers’ traffic data was retained for 90 days from the date of the call, for the purpose of dealing with problems or malfunctions. The data was then supposed to be anonymised and kept for 12 months for statistical purposes. The supervisory authority examined the lawfulness of record keeping with regard to the linked data, as well as the other security measures applied in these scenarios. The two controllers were ordered to cease processing the data and to destroy it. In addition, both were hit with record fines from the Hellenic DPA.
COSMOTE infringed the principles of lawfulness and transparency and violated the GDPR, and as a result was fined €6 million.
The Hellenic DPA concluded that COSMOTE provided unclear and insufficient information to subscribers. In addition, the “anonymisation” of the data was poor (it amounted to pseudonymisation rather than anonymisation), and the security measures taken to protect the data collected from subscribers were insufficient. The supervisory authority also found that the company’s data protection impact assessment was poorly done, which further compounded the situation. With regard to the processing in question, there was also confusion regarding the roles of the two companies involved. The company was therefore found to be in violation of Articles 5(1)(a), 12, 13, 14, 25 and 35(7) of the GDPR.
Article 5(1)(a) requires that data be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’); the company was found to have violated this principle. COSMOTE was also found to be in violation of Article 25 of the GDPR due to the poor “anonymisation” (in fact pseudonymisation) of subscriber data. Articles 12 to 14 of the GDPR cover specific rights of data subjects, including the right to transparency and the right to specific information which must be provided to data subjects when personal data is collected from them, and also where the data was not collected from the subscribers themselves. This information was not provided. Article 35(7) of the GDPR outlines the specific information which must be included in a data protection impact assessment for it to be effective. This controller’s DPIA was deemed poorly done, which, in combination with the other infringements, landed the company a record fine from the Hellenic DPA.
OTE S.A., or HELLENIC TELECOMMUNICATIONS ORGANISATION S.A., was found to have infringed Article 32 of the GDPR and was fined €3.25 million.
According to Article 32 of the GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. OTE was found to have insufficient security measures in place to properly protect subscriber data, in relation to the infrastructure used in the context of the breach. Due to their failure to allocate the roles of the two companies in relation to the processing in question, both companies were found to have violated Article 5(2), in addition to Articles 26 and 28 of the GDPR. Article 26 covers the concept of joint controllership, while Article 28 covers the role of a processor. It was unclear what the roles of the two companies were, whether joint controllership or an agreement between controller and processor. Article 5(2) of the GDPR states that the controller shall be responsible for, and be able to demonstrate compliance with, Article 5(1) (the principle of ‘accountability’), which the companies were also found to have violated.