Germany’s GDPR watchdog has imposed one of the largest GDPR fines to date on a German telecoms and hosting company. The €9.55 million ($11 million) penalty was issued to 1&1 Telecommunications, a subsidiary of United Internet Group, for having insufficient authentication measures in place in its call centers. The GDPR failures placed customer data at risk.
The financial penalty was announced by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) on December 9, 2019. BfDI had learned that callers to 1&1 Telecommunications’ call centers were able to obtain extensive customer information by providing only a customer’s name and date of birth. That information can easily be found online on social media networks and from various other sources.
BfDI found that the lack of authentication was in breach of GDPR Article 32, which requires “appropriate technical and administrative measures” to be implemented to protect the processing of personal data.
1&1 Telecommunications was criticized over the authentication failures and took immediate steps to increase privacy protections, adding an additional step to its authentication process. Further action has since been taken to improve authentication and protect customer data. Customers will also be required to provide a PIN before data will be disclosed.
1&1 Telecommunications will appeal the fine and has announced its intention to sue BfDI, claiming the financial penalty was disproportionate and that it was based on the global annual turnover of the wider group rather than the company’s own sales. Under GDPR the maximum penalty that can be issued is €20 million or 4% of global annual turnover, whichever is greater. The fine is therefore considerably lower than the maximum. BfDI said the fine was calculated taking into account the relatively small size of the company, its level of cooperation during the investigation, and its swift response to correct the GDPR violation.
Despite that transparency and cooperation, a fine was justified, as the lack of authentication measures placed the company’s entire customer base at risk. BfDI is also investigating the authentication measures of other telecoms companies in Germany.
BfDI also imposed a financial penalty of €10,000 on Rapidata GmbH on December 9. In that case, the company had failed to meet its legal requirement to appoint a data protection officer under Article 37, despite repeated requests. In October, a fine of €14.5 million was imposed on a German real estate company by the Berliner Beauftragte für Datenschutz und Informationsfreiheit for retaining data after the purpose for which it had been collected had been achieved.