Greece
Cosmote Mobile Telecommunications S.A.
GDPR enforcement action by Hellenic Data Protection Authority (HDPA) on 2022-01-27.
Case details
- Authority
- Hellenic Data Protection Authority (HDPA)
- Date
- 2022-01-27
- Controller / Processor
- Cosmote Mobile Telecommunications S.A.
- Sector
- Media, Telecoms and Broadcasting
- Quoted Articles
- Art. 5 (1) a) GDPR, Art. 5 (2) GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 25 (1) GDPR, Art. 26 GDPR, Art. 28 GDPR, Art. 35 (7) GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Hellenic DPA has imposed a fine of EUR 6 million on Cosmote Mobile Telecommunications S.A.. Cosmote had reported a data breach to the DPA pursuant to Art. 33 GDPR. A hacker had penetrated the controller's systems and obtained and subsequently leaked data from Cosmote customers. The stolen data included sensitive information, from Cosmote subscribers such as age, gender and contract information. Nearly 10 million people were affected by the incident.
For this reason, the DPA found that Cosmote had failed to implement adequate technical and organizational measures to ensure the proper execution of the data anonymization process. In addition, Cosmote did not conduct a sufficient data protection impact assessment and did not properly inform data subjects about the processing of their data.
Finally, the DPA found that Cosmote did not clearly regulate the allocation of roles in data processing with its subsidiary, OTE Group.
In calculating the fine, the DPA aggravatingly took into account the very long duration of the breaches (6 years), the large number of data subjects, as well as the fact that no pseudonymization measures of the data were implemented over a long period of time.
Related fines