The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9.550.000 on the telecommunications service provider 1&1 Telecom GmbH. The company had not implemented sufficient technical and organizational measures to prevent unauthorized persons from obtaining customer information via the customer service hotline. In another case, the BfDI imposed a fine of EUR 10.000 on Rapidata GmbH.
Concerning this matter, the Federal Commissioner Ulrich Kelber said: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”
In the case of 1&1 Telecom GmbH, the BfDI had become aware that persons calling the company’s customer service hotline could obtain extensive further personal data about a customer merely by providing that customer’s name and date of birth. The BfDI considers this authentication procedure to be in breach of Article 32 of the GDPR, which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and highly cooperative. As a first step, the authentication procedure was strengthened by requesting additional information. As a further step, following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.
Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small number of customers but posed a risk to the entire customer base. However, the BfDI remained in the lower range of possible fines because 1&1 Telecom GmbH proved to be very cooperative throughout the whole procedure.
The BfDI is also currently investigating the authentication procedures of other telecommunications service providers.
In another context, proceedings against the telecommunications provider Rapidata GmbH were required because, despite repeated requests, the company failed to comply with its legal obligation under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the EUR 10.000 fine, the BfDI took into account that the company belongs to the category of micro-enterprises.
For further information, please contact the German SA: pressestelle@bfdi.bund.de