Cosmote – €9,100,000 Fine (Greece, 2021)
Cosmote, a mobile telecommunications company in Greece, was fined €9.1 million for mishandling personal data after a cyber attack. The company failed to protect sensitive subscriber information, which included phone numbers and personal details, leading to a significant breach. This case highlights the importance of strong data protection measures for businesses handling personal information.
What happened
Cosmote was fined for a data breach that exposed sensitive personal information of millions of subscribers due to inadequate security measures.
Who was affected
Millions of Cosmote subscribers whose personal data, including phone numbers and demographic information, was compromised in the breach were affected.
What the authority found
The Hellenic Data Protection Authority found that Cosmote violated multiple GDPR rules by not adequately protecting personal data and failing to ensure its security.
Why this matters
This ruling serves as a warning to all companies about the need for robust data protection practices. It emphasizes that failing to secure personal data can lead to severe financial penalties.
GDPR Articles Cited
National Law Articles
Entities Involved
In 2020 the mobile telecommunications company COSMOTE (part of the OTE group of companies) reported a personal data breach to the Hellenic DPA (HDPA) caused by an external cyber attack. The starting point of the breach was a server of the OTE group, which has an annual turnover of €3,258 billion. The breach included a 30 GB file of personal data for the period of 01.09.2020 - 05.09.2020 from one of COSMOTE's servers. The file contained subscriber data of millions of people, and consisted of the following data: phone numbers, base station coordinates, IMEI, IMSI, timestamp, duration of the call, provider indicator, subscription plan, age, gender, average revenue per user.
The general company policy of COSMOTE regarding this kind of data was the following. First, COSMOTE collected the following information: phone numbers, base station coordinates, IMEIs, IMSIs, timestamps, durations of calls, provider indicators. Second, COSMOTE stored this data for three months and used it for its failure management system, that is, for detecting technical failures or errors in the transmission of communications. As a telecommunications company it is legally obligated to have an effective failure management system to provide uninterrupted services. Third, after three months it did not delete the data but supplemented it with subscription plan, age, gender and the average revenue per person data. It “anonymised” this file, stored it for up to 12 months and used it for statistical purposes to optimise the design of its mobile network. The breach consisted of this 30 GB supplemented file.
The HDPA held that COSMOTE violated Articles 5 and 6 of Law 3471/2006 (the national law implementing Directive 2002/58/EC, the Directive on privacy and electronic communications: https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32002L0058). The processing and storage of traffic data can be permitted under Article 6 Directive 2002/58/EC for the purpose of issuing invoices, offering services of
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Cosmote in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
30 November 2021
Authority
Hellenic Data Protection Authority
Fine Amount
€9,100,000
GDPRhub ID
gdprhub-4584
Cite as: Cookie Fines. Cosmote - Greece (2021). Retrieved from cookiefines.eu