PrivacyCache
GR | Data Breach | Telecommunications | Decision: 2022-07-01

Cosmote Mobile Telecommunications (OTE Group)

€6.0M

Issued by Hellenic Data Protection Authority (HDPA) on 2022-07-01

What happened

Greece's HDPA fined Cosmote Mobile Telecommunications, a subsidiary of OTE Group (Deutsche Telekom), €6 million for a data breach that exposed the call data records of millions of customers. In September 2020, an attacker accessed a Cosmote server and extracted detailed call records including phone numbers, timestamps, duration, and cell tower location data of approximately 5 million subscribers. The HDPA found that Cosmote had failed to implement adequate data protection by design and by default, did not adequately anonymize or pseudonymize call data records, and lacked sufficient access controls. OTE Group, the parent company, was separately fined €3.25 million for its role in the shared IT infrastructure.

Articles violated

Art. 5(1)(f) GDPR, Art. 25 GDPR, Art. 32 GDPR

Lessons learned

Telecommunications companies must implement pseudonymization and encryption for call data records, which can reveal highly sensitive information about individuals' movements and contacts. Data protection by design under Art. 25 requires proactive technical measures, not just reactive security. Parent companies can be held separately liable for shared infrastructure failures. Telecom data requires particularly strong protection given its sensitivity for profiling and surveillance.


Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
