Greece: The Hellenic Data Protection Authority’s Case Law on Telecommunications Providers

Issue 10.7

In the digital era, the protection of personal data has become a critical concern. Governments and regulatory bodies worldwide are actively working to ensure that individuals’ privacy rights are upheld, and telecommunications providers play a significant role in this landscape. In this context, a brief review of the Hellenic Data Protection Authority’s (HDPA) case law concerning telecommunications providers in Greece over the past 12 months offers invaluable insights into the evolving legal landscape and the challenges faced by both organizations and individuals in safeguarding personal data.

Case 1: Data Breach Incident and Inadequate Security Measures

Following complaints and related notifications, the HDPA became aware of incidents in which malicious third parties gained unauthorized access to mobile subscriber data by means of unauthorized SIM swaps, call diversions, or issuance of new phone numbers. Although data controllers had allegedly carried out identity checks, unauthorized third parties managed to gain access to personal data either due to the absence of appropriate security measures on the data controllers’ side or due to poor implementation thereof. The HDPA assessed the number of incidents as well as the actions taken by the respective data controllers (two major telecommunications providers) to address them, and imposed a fine of EUR 150,000 on each provider.

Case 2: Processing in the Context of Marketing Communications

The HDPA investigated a complaint by a data subject who, after requesting a new mobile telephony service from one of the largest telecommunications providers, received a parcel containing samples of consumer products from an advertising company cooperating with said telephony provider, despite the data subject’s objection to the processing of their data for marketing purposes. The HDPA imposed a fine of EUR 10,000 on the provider, considering that the data transfer to an advertising company and the related processing of the complainant’s data were carried out for the purpose of marketing promotion, that the additional service was not necessary for the purpose of performing the new mobile telephony service contract, and that the data subject had explicitly objected to the processing of their data for promotional purposes.

Case 3: Data Subject Rights

The HDPA investigated complaints submitted by a customer of another major telecommunications provider, in which the data subject complained about repeatedly receiving e-mails for promotional purposes despite their objection and repeated complaints, as well as about the non-fulfillment of their requests to exercise their right of access. In light of this, the HDPA imposed on the provider fines of a) EUR 60,000 for sending five promotional messages despite the customer’s objection, b) EUR 60,000 for the failure to satisfy the right of access, failure to provide a reply, even a negative one, and obstructing the exercise of the right of access on the pretext that the subscriber cannot be properly identified by any means other than physical presence at the shop or by a certified letter, and c) EUR 30,000 because the provider did not have in place the necessary procedures to ensure the exercise of the right to object and stop the processing of data for promotional purposes.

Case 4: Non-Announcement of Data Breach

The HDPA investigated a complaint submitted by a customer who, following a request to their telecommunications provider to receive a copy of the recordings of the conversations they had with the provider’s call center, received a CD with the recording of the conversations of another person. Although the provider was immediately notified by the complainant, it did not take any action to investigate the incident but sought to pass on responsibility to the data processor and suggested that the data subject contact the processor directly to return the CD. In this respect, the provider was fined EUR 40,000 as the HDPA held that it failed to comply with its obligations arising in relation to the data subject’s right of access and the provider’s own obligation to disclose the incident.

The HDPA’s case law over the past twelve months demonstrates the significance of protecting data in the telecommunications sector. The aforementioned cases reflect its commitment to upholding individuals’ privacy rights and holding telecommunications providers accountable for data breaches, inadequate security measures, non-compliance with consent requirements, and a lack of transparency. Telecommunications providers, on their end, must remain vigilant and ensure the implementation of robust data protection technical and organizational measures in order to successfully navigate the evolving regulatory landscape.

By Alexandros Katsantonis, Partner, and Panagiotis Tampoureas, Senior Associate, Drakopoulos Law Firm

This article was originally published in Issue 10.7 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here