Total fine in the amount of EUR 9 250 000 applied by the Hellenic Data Protection Authority to telecommunications companies COSMOTE and OTE S.A. due to a personal data breach and illegal data processing
The National Center for Personal Data Protection (NCPDP), for information and application purposes, reports the total fine in the amount of EUR 9 250 000 applied by the Hellenic Data Protection Authority (DPA) to the telecommunications companies COSMOTE and OTE S.A. due to a personal data breach and illegal data processing.
Following a personal data breach notification (subscriber call data leakage between 01/09/2020 and 05/09/2020) by COSMOTE S.A., the Hellenic DPA investigated the circumstances under which the breach took place and, in this regard, examined the lawfulness of record-keeping in relation to leaked data, as well as the security measures applied. The investigation of the case revealed that COSMOTE had infringed the principles of legality and transparency due to the provision of unclear and insufficient information to subscribers. The company was also found responsible for poor data protection impact assessment, poor anonymisation, inadequate security measures taken, and failure to allocate the roles of the two companies (COSMOTE / OTE) in relation to the processing in question. In addition, OTE S.A. was found to have infringed Article 32 of the GDPR due to inadequate security measures taken in relation to the infrastructure used in the context of the breach.
The Hellenic DPA, on the one hand, fined COSMOTE a total of EUR 6 000 000, and imposed the sanction of stopping the processing and destroying the data, and, on the other, fined OTE S.A. a total of EUR 3 250 000.
The NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.