The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9.550.000 on the telecommunications service provider 1&1 Telecom GmbH. The company did not provide sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information via the customer hotline service. In another case, the BfDI imposed a fine of EUR 10. 000 on Rapidata GmbH.
Concerning this matter, the Federal Commissioner Ulrich Kelber said: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”
In the case of 1&1 Telecom GmbH, the BfDI had become aware that persons calling the company’s customer service hotline could obtain extensive information about further personal data merely by providing a customer’s name and date of birth. The BfDI considers this authentication procedure to be in breach of Article 32 of the GDPR which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and highly cooperative. As a first step, the authentication procedure was strengthened by requesting additional information. As a further step, following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.
Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small number of customers, but posed a risk for the entire customer base. However, the BfDI remained in the lower range of possible fines as 1&1 Telecom GmbH proved to be very cooperative throughout the whole procedure.
The BfDI is also currently investigating the authentication procedures of other telecommunications service providers.
In another context proceedings against the telecommunications provider Rapidata GmbH were required, because despite repeated requests, the company failed to comply with its legal requirement under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the 10.000 Euro fine, the fact was taken into account that the company is belonging to the category of micro-enterprises.
For further information, please contact the German SA: firstname.lastname@example.org
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.