Updated: Apr 14
The Federal Commissioner for data protection and Freedom of information (BfDI) imposed a fine of EUR 9.550.000 at the telecommunications service provider 1&1 Telecom GmbH. The corporation did not provide enough technical and organisational measures to prevent unauthorised persons from being able to attain PII via the customer hotline service. In another case, the BfDI imposed a fine of EUR 10000 on Rapidata GmbH.
The source of this article can be found here
Concerning this matter, the Federal Commissioner Ulrich Kelber said: “data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European general data protection regulation (GDPR) gives us the opportunity to decisively punish insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”
in the case of 1&1 Telecom GmbH, the BfDI had become conscious that persons calling the organisation’s customer service hotline could obtain extensive information about further PII merely by way of providing a customer’s name and date of birth. The BfDI considers this authentication method to be in breach of Article 32 of the GDPR which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and notably cooperative. As a first step, the authentication method was strengthened by requesting additional information. As a further step, following consultation with the BfDI,1&1 Telecom GmbH is currently in the process of introducing a brand new authentication procedure which is considerably improved in terms of technology and data protection.
Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small number of customers but posed a risk for the entire customer base. However, the BfDI remained in the lower range of viable fines as 1&1 Telecom GmbH proved to be very cooperative throughout the entire process.
The BfDI is also currently investigating the authentication procedures of other telecommunications service providers.
In another context proceedings against the telecommunications provider Rapidata GmbH was required because, despite repeated requests, the organisation failed to comply with its legal requirement under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the 10.000 Euro fine, the fact was taken into consideration that the company is belonging to the category of micro-enterprises.