Greek DPA issues €6 million GDPR fine to Cosmote for data breach

On January 31, 2022, the Hellenic Data Protection Authority (HDPA) imposed a €6 million fine on Cosmote Mobile Telecommunications for violating the Law on the Protection of Personal Data and Privacy in the Electronic Telecommunications Sector and the General Data Protection Regulation (GDPR) after a reported data breach.

Details of the case

Greece’s largest mobile operator suffered a cyberattack in 2020, in which the unknown attacker used social engineering techniques to break into Cosmote systems and steal customers’ personal data, including rough positional data of 4.8 million users, as well as age, gender, plan, and average revenue per user for around 4.2 million of these subscribers.

The HDPA investigated the circumstances in which the incident took place and examined the legality of keeping the leaked records as well as the security measures applied.

The HDPA Investigation

The mobile operator reported the data breach to the HDPA along with the requested documents. However, the HDPA's investigation found that the parent company, Hellenic Telecommunications Organisation (OTE Group), should also have been a part of the investigation, which Cosmote failed to include.

Additionally, Cosmote mishandled the situation by failing to explain to the affected individuals the severity of the data breach and failing to implement appropriate data protection measures.

The HDPA investigation uncovered that Cosmote can legally keep call data for quality assurance reasons for up to 90 days, and for 12 additional months if the data has been pseudonymized.

However, in some cases, the pseudonymization process was not completed, and the data was held for longer than legally allowed.

The HDPA’s decision

When determining the final value of the fine, the Authority considered the long duration of the infringement, the number of affected individuals, and other factors.

Taking all this into account, the HDPA issued a €6 million fine to Cosmote Mobile Telecommunications for violating the GDPR on multiple counts and fined OTE Group €3.2 million for insufficient security measures resulting in a data breach.

Read the HDPA press statement available in Greek.
