Cosmote Mobile Telecommunications S.A. – €6,000,000 Fine (Greece, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Hellenic Data Protection Authority fined Cosmote Mobile Telecommunications S.A. EUR 6 million for a data breach that exposed sensitive customer information. The breach affected nearly 10 million people and was due to inadequate security measures and poor data handling practices. This case highlights the importance of strong data protection measures to prevent breaches and protect customer information.
What happened
Cosmote experienced a data breach where hackers accessed and leaked sensitive customer data due to inadequate security measures.
Who was affected
Nearly 10 million Cosmote customers whose sensitive information, such as age, gender, and contract details, was exposed.
What the authority found
The authority found Cosmote failed to implement adequate technical and organizational measures, violating GDPR's requirements for data protection and transparency.
Why this matters
This significant fine underscores the necessity for companies to maintain robust data security and clear data processing roles, especially when handling large volumes of personal data. Businesses should ensure they conduct thorough data protection impact assessments and inform customers about data processing practices.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Hellenic DPA has imposed a fine of EUR 6 million on Cosmote Mobile Telecommunications S.A. Cosmote had reported a data breach to the DPA pursuant to Art. 33 GDPR. A hacker had penetrated the controller's systems and obtained and subsequently leaked data from Cosmote customers. The stolen data included sensitive information from Cosmote subscribers, such as age, gender and contract information. Nearly 10 million people were affected by the incident. For this reason, the DPA found that Cosmote had failed to implement adequate technical and organizational measures to ensure the proper execution of the data anonymization process. In addition, Cosmote did not conduct a sufficient data protection impact assessment and did not properly inform data subjects about the processing of their data. Finally, the DPA found that Cosmote did not clearly regulate the allocation of roles in data processing with its subsidiary, OTE Group. In calculating the fine, the DPA took into account as aggravating factors the very long duration of the breaches (6 years), the large number of data subjects, and the fact that no pseudonymization measures were applied to the data over a long period of time.
Related Enforcement Actions (0)
No other enforcement actions found for Cosmote Mobile Telecommunications S.A. in GR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
27 January 2022
Authority
Hellenic Data Protection Authority
Fine Amount
€6,000,000
Enforcement Tracker ID
ETid-1024
About this data
Cite as: Cookie Fines. Cosmote Mobile Telecommunications S.A. - Greece (2022). Retrieved from cookiefines.eu