On Jan. 31, Greece’s data protection authority, the Hellenic Data Protection Authority (HDPA), fined Cosmote and OTE a combined 9.25 million euros for multiple violations of the EU General Data Protection Regulation. OTE Group, which belongs to Deutsche Telekom, is the largest telecommunications conglomerate in Greece. Taken together, these fines are the highest ever imposed by the HDPA.
The fines were the outcome of an investigation by the HDPA on a major data breach that occurred in 2020 after a successful cyberattack on the group's information systems. The breach, which was notified to the DPA in time, affected more than 10 million OTE Group and non-OTE Group subscribers and concerned large sets of personal data per subscriber, including financial and telecommunications traffic data. The leaked databases were processed by Cosmote for network fault management and general data analytic purposes.
The HDPA examined both the data breach and the lawfulness of the data processing in question. Regarding the affected telecommunications data, the HDPA ruled that the processing for network fault management purposes was lawfully based on the performance of Cosmote's subscriber contracts, since managing network faults is necessary for the company to provide quality services. Yet such processing would only be permissible on the condition that a limited subset of traffic data be processed, to the extent and for the time required to identify specific technical faults or errors, whereas the retention of all traffic data for three months could not be justified. The HDPA decided that the traffic data used for this purpose was not proportionate to the severity of the fault and the time needed to remedy it. Thus, it ruled that the relevant data processing violated the data minimization and storage limitation principles of the GDPR and the provisions of Article 6 of the Greek E-Privacy Law 3471/2006.
Furthermore, the HDPA investigated Cosmote’s data protection impact assessment and decided it was not sufficiently substantiated, on the grounds that not all risks were appropriately examined and the conclusions were not adequately justified. As a corollary, the HDPA ruled that Cosmote failed to give adequate notice to data subjects regarding the network fault management purpose and the duration of the processing.
Regarding the data processing by Cosmote for data analytic purposes, the HDPA ruled that this purpose could also have been pursued using anonymized data. In response to Cosmote's claim that the data was indeed anonymized, the HDPA found that the data in question constituted enriched datasets that were pseudonymized rather than anonymized. In addition, the extraction of statistics from the pseudonymized database was considered a further purpose of processing, which may be compatible with the original purposes but is subject to the conditions of Article 89 of the GDPR. However, no notice was given to data subjects about such processing. Therefore, the HDPA ruled that data subjects were not adequately informed about the relevant processing and were also inaccurately told that their data had been processed in anonymized form.
Next, the HDPA reviewed the data security measures implemented by OTE and Cosmote on the affected databases and identified six significant vulnerabilities in their level of security. It also found that OTE and Cosmote had no procedures in place to regularly test, assess and evaluate the effectiveness of those measures in order to ensure the security of the processing.
Finally, the HDPA concluded that the security measures had been decided jointly by Cosmote and OTE without any specific data processing agreement between them. In view of the above, the HDPA considered that this practice of the two companies violated the principle of accountability and, in particular, the principles of integrity and confidentiality.
Taking its findings into account, the HDPA issued Decision no. 4/2022, ruling that Cosmote and OTE had committed the following violations of the GDPR and the Greek E-Privacy Law 3471/2006:
- Violation by Cosmote of the data minimization and storage limitation principles of the GDPR and the provisions of Articles 5 through 6 of the Greek E-Privacy Law 3471/2006 due to unlawful processing of telecommunication traffic data for network fault management purposes.
- Violation by Cosmote of the principle of transparency (Articles 5(1)(a) and 13-14 of the GDPR) due to inaccurate and incomplete information to subscribers about the processing of their data for network fault management and data analytic purposes.
- Infringement by Cosmote of Article 35(7) of the GDPR due to the inadequacy of the content of the data protection impact assessment.
- Infringement by Cosmote of Article 25(1) of the GDPR due to the inadequate implementation of the anonymization procedure.
- Infringement by OTE of Article 12(1) of Greek E-Privacy Law 3471/2006 due to inadequate security measures.
- Infringement by Cosmote and OTE of Article 5(2) in conjunction with Articles 26 and 28 of the GDPR due to the failure to allocate the roles of the two companies as joint controllers in relation to the processing in question.
- Infringement by OTE of Article 32 of the GDPR due to inadequate security measures in relation to the infrastructure used in the context of the incident.