Updated: Apr 14, 2020
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9,550,000 on the telecommunications service provider 1&1 Telecom GmbH. The company had not put in place sufficient technical and organisational measures to prevent unauthorised persons from obtaining customer information via its customer service. In a separate case, the BfDI imposed a fine of EUR 10,000 on Rapidata GmbH.
The Federal Commissioner Ulrich Kelber stated: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation allows us to decisively punish insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”
In the case of 1&1 Telecom GmbH, the BfDI had become aware that individuals calling the organisation’s customer service hotline could obtain extensive further personal data merely by providing a customer’s name and date of birth. Because both values are easily discoverable by third parties, the BfDI considers this authentication process to be in breach of Article 32 of the GDPR, which obliges the company to take appropriate technical and organisational measures to protect the processing of personal data.
After the BfDI had criticised the inadequate data protection, 1&1 Telecom GmbH proved understanding and highly cooperative. As a first step, the authentication process was strengthened by asking callers for additional information. Following consultation with the BfDI, 1&1 Telecom GmbH is currently introducing a new authentication process that is significantly improved in terms of both technology and data protection.
Notwithstanding these measures, it was still necessary to impose a fine. The breach was not limited to a small number of customers but posed a risk to the entire customer base.
However, the BfDI remained in the lower range of possible fines as 1&1 Telecom GmbH proved to be very cooperative during the whole investigation.
The BfDI is also currently investigating the authentication procedures of other telecommunications service providers. In a separate matter, proceedings against the telecommunications provider Rapidata GmbH were required because, despite repeated requests, the company failed to comply with its legal obligation under Article 37 of the GDPR to appoint an internal data protection officer.
When setting the EUR 10,000 fine, the BfDI took into account that the organisation belongs to the category of micro-enterprises.