Vodafone PANAFON S.A. – €150,000 Fine (Greece, 2022)
The Hellenic Data Protection Authority fined Vodafone PANAFON S.A. EUR 150,000 after unauthorised third parties were able to obtain replacement SIM cards for customers' numbers (SIM swap). The case matters because whoever holds a number's SIM receives that number's calls and SMS messages, including any one-time codes sent to it, so the identity check a provider performs before reissuing a SIM is a security control protecting personal data, not a customer-service formality. Providers should check that their SIM replacement process cannot be passed by someone who merely knows the customer's identifying details.
What happened
Over a period of more than two years, Vodafone PANAFON S.A. carried out SIM replacements, and related changes such as call diversion and the issuance of new numbers, at the request of unauthorised third parties, even though an identity check was said to have been performed in each case.
Who was affected
Customers whose SIM cards were replaced, or whose lines were otherwise altered, without their knowledge or consent.
What the authority found
The authority found that Vodafone had not implemented appropriate technical and organisational measures to protect customers' personal data against unauthorised SIM replacement, in breach of the GDPR's data processing principles and of the security obligation for electronic communications providers under Greek Law 3471/2006, which implements the e-Privacy Directive.
Why this matters
This case shows that a SIM replacement procedure is a security-critical process: the identity verification performed before a SIM is reissued must be able to withstand an impostor who has obtained the customer's identifying details. Other mobile service providers should review how they authenticate SIM replacement, call diversion and number change requests, and how those requests are audited, to avoid similar breaches and penalties.
Original scraped case summary (before verification against the source decision)
Over a period of more than two years, a number of data subjects were affected by personal data breaches in the form of unauthorised replacements of their SIM cards (SIM swap) and other procedures (e.g. call diversion, issuance of new telephone numbers) carried out by third parties. Vodafone PANAFON S.A. (the controller) complied with SIM replacement requests made by unauthorised third parties despite allegedly having carried out an identity check to rule out fraudulent behaviour. The data subjects filed a complaint with the Greek DPA, claiming that the controller did not have appropriate security measures in place to prevent such data breaches from happening.

The DPA carried out an investigation into the controller's technical and organisational measures. After the first incidents, the controller had added a series of new policies to its security measures as a result of the data breaches, including electronic authentication of a customer via a governmental website using verification or QR codes, a new e-fraud methodology, audits of customer service and training for staff.

First, the Greek DPA recalled that the controller, as a mobile service provider, was processing personal data within the meaning of Article 4(1) GDPR. In accordance with the accountability principle of Article 5(2) GDPR, the controller had an obligation to demonstrate compliance with the data processing principles, including lawfulness, transparency, integrity and confidentiality.

Second, the DPA recalled that Article 12(1) of Law 3471/06 (https://www.informatica-juridica.com/anexos/law-3471-2006-protection-of-personal-data-and-privacy-in-the-electronic-telecommunications-sector-and-amendment-of-law-2472-1997/), implementing the e-Privacy Directive (https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32002L0058), obliges the controller to take appropriate technical and organisational measures in order to protect the security of its services and of the public electronic communications network. The DPA held that th
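The remedial measures described above (electronic authentication of the customer through a channel the customer controls before a SIM is reissued) come down to one control: a SIM replacement request must be confirmed with something that an impostor who has only learned the customer's name and ID number cannot supply. The Python below is an added illustration of that control; it is not the controller's system and is not taken from the decision, and every name, number, code length and the ten-minute code lifetime are assumptions. It contrasts a knowledge-only identity check, which leaked identity data defeats, with a single-use verification code bound to the specific request, and it refuses replayed, guessed and expired codes while recording every decision in an audit log.

```python
"""Added illustration of a SIM-swap authorisation control.
Not the controller's system: all names, numbers and limits are assumptions."""

import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 10 * 60   # assumed validity window for a verification code
MAX_CODE_ATTEMPTS = 3        # assumed limit before a pending code is voided


@dataclass
class Customer:
    msisdn: str
    name: str
    id_number: str       # government ID number: a knowledge factor, leakable
    current_iccid: str   # SIM currently serving the number


@dataclass
class SwapRequest:
    msisdn: str
    new_iccid: str
    request_id: str = field(default_factory=lambda: secrets.token_hex(8))


@dataclass
class PendingVerification:
    request_id: str
    msisdn: str
    code: str
    issued_at: float
    used: bool = False
    attempts: int = 0


class SimSwapService:
    def __init__(self, customers, clock=time.time):
        self._customers = {c.msisdn: c for c in customers}
        self._pending = {}
        self._clock = clock          # injectable so expiry can be exercised
        self.audit_log = []          # every decision is recorded

    def _log(self, event, req, outcome):
        self.audit_log.append({"ts": self._clock(), "event": event,
                               "request_id": req.request_id,
                               "msisdn": req.msisdn, "outcome": outcome})

    def current_iccid(self, msisdn):
        return self._customers[msisdn].current_iccid

    def knowledge_check(self, req, claimed_name, claimed_id_number):
        """Weak path: passes for anyone who knows the name and ID number."""
        c = self._customers.get(req.msisdn)
        ok = (c is not None and claimed_name == c.name
              and claimed_id_number == c.id_number)
        self._log("knowledge_check", req, "pass" if ok else "fail")
        return ok

    def issue_verification(self, req):
        """Hardened path, step 1: bind a fresh single-use code to this request.
        The caller delivers it over a channel the real customer controls."""
        c = self._customers.get(req.msisdn)
        if c is None:
            raise KeyError("unknown subscriber")
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[req.request_id] = PendingVerification(
            req.request_id, req.msisdn, code, self._clock())
        self._log("issue_verification", req, f"delivered_to:{c.current_iccid}")
        return code

    def confirm_and_swap(self, req, presented_code):
        """Hardened path, step 2: swap only on a fresh, unused, matching code."""
        pv = self._pending.get(req.request_id)
        if pv is None or pv.msisdn != req.msisdn:
            self._log("confirm", req, "reject:no_pending_code")
            return False
        if pv.used or pv.attempts >= MAX_CODE_ATTEMPTS:
            self._log("confirm", req, "reject:code_spent")
            return False
        if self._clock() - pv.issued_at > CODE_TTL_SECONDS:
            self._log("confirm", req, "reject:expired")
            return False
        pv.attempts += 1
        if not hmac.compare_digest(pv.code, presented_code):
            self._log("confirm", req, "reject:wrong_code")
            return False
        pv.used = True
        self._customers[req.msisdn].current_iccid = req.new_iccid
        self._log("confirm", req, "swap_performed")
        return True


def scenario():
    """Constructed scenario: an impostor has the victim's name and ID number."""
    now = [1_700_000_000.0]
    svc = SimSwapService([Customer("+306900000000", "A. Example", "AK123456",
                                   "89300100000000000001")],
                         clock=lambda: now[0])
    req = SwapRequest("+306900000000", "89300100000000000002")
    weak = svc.knowledge_check(req, "A. Example", "AK123456")   # leaked data suffices
    code = svc.issue_verification(req)                          # reaches the real customer
    wrong = "00000000" if code != "00000000" else "11111111"
    guess = svc.confirm_and_swap(req, wrong)                    # impostor cannot produce it
    legit = svc.confirm_and_swap(req, code)                     # real customer confirms
    replay = svc.confirm_and_swap(req, code)                    # same code again is refused
    req2 = SwapRequest("+306900000000", "89300100000000000003")
    code2 = svc.issue_verification(req2)
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc.confirm_and_swap(req2, code2)                 # stale code is refused
    return {"weak": weak, "guess": guess, "legit": legit, "replay": replay,
            "expired": expired, "iccid": svc.current_iccid(req.msisdn)}
```

The point of `scenario()` is the first two results side by side: the knowledge check passes for the impostor, while the swap itself cannot be completed without the code delivered to the genuine customer. In a real deployment the delivery channel matters as much as the check: a code sent only to the SIM that is about to be replaced is useless if the attacker has already diverted calls, which is why the measures described in the summary rely on a separate channel such as a government e-ID portal.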
Violations (1)
Inadequate technical and organisational security measures allowed unauthorised third parties to obtain SIM replacements and other changes (call diversion, new numbers) on customers' lines.
Art. 6(1) GDPR
Details
Fine date: 21 July 2022
Authority: Hellenic Data Protection Authority
Fine amount: €150,000
GDPRhub ID: gdprhub-5517
Cite as: Cookie Fines. Vodafone PANAFON S.A. - Greece (2022). Retrieved from cookiefines.eu