On 9 December 2019, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued a €9.55 million GDPR fine to the German telecom provider 1&1 Telecom GmbH for an insufficient customer authentication procedure.
The BfDI found that 1&1 Telecom did not have sufficient technical and organizational measures in place to prevent unauthorized access to customer information.
1&1 Telecom GDPR Fine Explained
To be more precise, a caller to 1&1's customer service could obtain extensive personal data about a customer simply by giving that customer's name and date of birth, two pieces of information that a relative, a former partner, or anyone with a little research can readily obtain. According to the BfDI, this was a direct violation of GDPR Article 32. Its official statement said:
“In the case of 1&1 Telecom GmbH, the BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.”
1&1 Telecom Announces Legal Appeal
In response to the decision, 1&1 announced that it would appeal, arguing that the fine was disproportionate.
1&1 Telecom GmbH explained that the incident in question occurred in 2018: a caller telephoned customer service asking for the mobile number of a former partner.
According to 1&1, the employee complied with all of the security guidelines in force at the time; the authentication procedure used was common practice in the industry, and there was no single market standard that required stronger checks.
However, 1&1 Telecom was cooperative and transparent and took steps to improve the procedure, as the BfDI noted:
“In the first step, the authentication process was first secured by requesting additional information. In a further step, 1&1 Telecom GmbH is currently introducing a new authentication procedure which has been significantly improved in terms of technology and data protection, in consultation with the BfDI.”
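The core security point in the BfDI's finding and in the remediation described above is that name and date of birth are not secrets: they locate an account, but they prove nothing about who is on the line. The following is an added illustration, not 1&1's actual procedure (the page does not describe what the new procedure consists of). It models a call-centre verification policy in Python, with the name-plus-DOB check beside a step-up version that treats name and DOB only as an account lookup and then demands either a customer-service PIN or a one-time code delivered to the registered handset. The customer record, the salt, the PIN and the lockout threshold are all constructed for the example; the PIN and SMS mechanisms are assumptions, not something the page attributes to 1&1.

```python
"""Call-centre caller verification: weak knowledge check vs. step-up check.

Added example. The customer record below is constructed sample data;
the PIN and one-time-code mechanisms are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Customer:
    name: str
    dob: str        # ISO 8601 date of birth, e.g. "1985-04-12"
    mobile: str     # registered number; the only channel for one-time codes
    pin_hash: bytes # salted PBKDF2 hash of a customer-service PIN (assumed)


SALT = b"constructed-demo-salt"  # a real system stores a per-record salt


def hash_pin(pin: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)


# Constructed sample record; not real customer data.
CUSTOMERS = [
    Customer("Erika Mustermann", "1985-04-12", "0049-170-0000000", hash_pin("4821")),
]


def weak_authenticate(name: str, dob: str):
    """The pre-2019 style check: name + date of birth are treated as proof.

    An ex-partner, a relative or anyone who has seen an ID card knows both,
    so this returns the full record to whoever asks with the right two facts.
    """
    for c in CUSTOMERS:
        if c.name.casefold() == name.casefold() and c.dob == dob:
            return c
    return None


class Verifier:
    """Step-up policy: name + DOB only locate the account; a second factor
    (something the customer has or a secret they chose) is required before
    any personal data is disclosed. Failures are counted and audited."""

    MAX_ATTEMPTS = 3

    def __init__(self):
        self.sent_codes = {}  # mobile -> pending code (stands in for an SMS gateway)
        self.failures = {}    # mobile -> consecutive failed verifications
        self.audit = []       # (event, mobile, outcome) tuples for the SOC

    def locate(self, name: str, dob: str):
        """Same lookup as the weak check, but the result is NOT yet trusted."""
        return weak_authenticate(name, dob)

    def send_code(self, customer: Customer) -> str:
        """Generate a single-use code for the registered handset.
        In production the code goes to the phone, never to the agent's screen."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.sent_codes[customer.mobile] = code
        return code

    def verify(self, customer: Customer, pin: str = None, code: str = None) -> bool:
        if self.failures.get(customer.mobile, 0) >= self.MAX_ATTEMPTS:
            self.audit.append(("locked", customer.mobile, False))
            return False
        ok = False
        if pin is not None:
            ok = hmac.compare_digest(hash_pin(pin), customer.pin_hash)
        elif code is not None:
            expected = self.sent_codes.pop(customer.mobile, None)  # single use
            ok = expected is not None and hmac.compare_digest(expected, code)
        if ok:
            self.failures.pop(customer.mobile, None)
        else:
            self.failures[customer.mobile] = self.failures.get(customer.mobile, 0) + 1
        self.audit.append(("verify", customer.mobile, ok))
        return ok


if __name__ == "__main__":
    # The 2018 scenario: caller knows the former partner's name and birthday.
    print("weak check passes:", weak_authenticate("Erika Mustermann", "1985-04-12") is not None)
    v = Verifier()
    c = v.locate("Erika Mustermann", "1985-04-12")
    print("step-up with name+DOB only:", v.verify(c))          # False
    print("step-up with correct PIN:", v.verify(c, pin="4821"))  # True
```

The design choice worth noting is that `locate` and `weak_authenticate` do the same lookup; the difference is entirely in what the system is willing to disclose after it. Knowledge that is shared with the customer's household or printed on documents can route a call to the right record, but disclosure has to wait for a factor the caller cannot have picked up by knowing the victim.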
Needless to say, the 1&1 Telecom GmbH website is now decorated with privacy certificates and statements about how they use your personal information.
This is not the highest GDPR fine issued by a German data protection authority so far. Read about it in our blog:
Update:
On 11 November 2020, the Regional Court of Bonn reduced the fine to just €900,000, on the basis that it was disproportionate.
The court credited 1&1 for cooperating with the data protection authority, for improving its security measures and raising the standard of its authentication procedure, and for having no prior history of violations. The court also took into account the reputational damage 1&1 had suffered.