On 9 December 2019, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued a €9.55 million GDPR fine to the German telecom provider 1&1 Telecom GmbH for an insufficient customer authentication procedure.
The BfDI found that 1&1 Telecom did not have sufficient technical and organizational measures in place to prevent unauthorized access to customer information.
1&1 Telecom GDPR Fine Explained
To be more precise, a caller could obtain extensive personal information about telecom customers simply by giving a customer's name and date of birth. According to the BfDI, this was a direct violation of Article 32 GDPR. Its official statement said:
“In the case of 1 & 1 Telecom GmbH, the BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.”
1&1 Telecom Announces Legal Appeal
1&1 Telecom GmbH explained that the case in question occurred in 2018. Specifically, it involved a telephone inquiry for the mobile number of a former partner.
The employee fulfilled all the requirements of the then-valid security guidelines. As the company stated, the authentication procedure it used was common practice, and there was no single market standard for higher security requirements.
However, 1&1 Telecom was very cooperative and transparent and took steps to improve the procedure, as the BfDI stated:
“In the first step, the authentication process was first secured by requesting additional information. In a further step, 1 & 1 Telecom GmbH is currently introducing a new authentication procedure which has been significantly improved in terms of technology and data protection, in consultation with the BfDI.”
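The weakness the BfDI describes (name and date of birth alone unlocking customer data) and the first remedy (requiring additional information) can be expressed as a disclosure policy that a customer-care system enforces before an agent may answer. The Python below is an added illustration written for this article, not 1&1 Telecom's procedure or anything the BfDI prescribed; the factor names (customer PIN, one-time code sent to the registered line, contract number) and the split into personal and non-personal requests are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """Evidence a caller can present. Assumed names, not 1&1's real procedure."""
    NAME = "name"                        # learnable by third parties
    DATE_OF_BIRTH = "date_of_birth"      # likewise (social media, public records)
    CONTRACT_NUMBER = "contract_number"  # printed on invoices; better, but not secret
    CUSTOMER_PIN = "customer_pin"        # agreed with the customer at sign-up
    OTP_REGISTERED_LINE = "otp_registered_line"  # one-time code sent to the registered number


# Name plus date of birth is exactly the pair the BfDI found insufficient.
QUASI_PUBLIC = frozenset({Factor.NAME, Factor.DATE_OF_BIRTH})
# Only the account holder should be able to produce one of these.
SECRET = frozenset({Factor.CUSTOMER_PIN, Factor.OTP_REGISTERED_LINE})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize_disclosure(verified: frozenset, personal_data: bool) -> Decision:
    """Decide whether an agent may answer the caller's request.

    verified: factors the agent has already checked against the customer record.
    personal_data: True when the request touches the account holder's personal
    data (phone number, address, usage), False for e.g. the name of the tariff.
    """
    # Rule 1: quasi-public identifiers on their own never unlock anything.
    if verified <= QUASI_PUBLIC:
        return Decision(False, "only quasi-public identifiers presented")
    # Rule 2: the account must still be tied to a named person.
    if not QUASI_PUBLIC <= verified:
        return Decision(False, "caller identity not established (name or date of birth missing)")
    # Rule 3: personal data additionally requires a factor only the holder has.
    if personal_data and not (verified & SECRET):
        return Decision(False, "personal data requires a secret factor (PIN or one-time code)")
    return Decision(True, "verified: " + ", ".join(sorted(f.value for f in verified)))
```

Rule 1 alone would have blocked the 2018 request described in this article; rule 3 is what makes a contract number (visible to anyone who has seen an invoice) insufficient for handing out a phone number.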
Needless to say, the 1&1 Telecom GmbH website is now decorated with privacy certificates and statements about how the company uses your personal information.
To stay up to date on the GDPR fines issued in the EU so far, we recommend this GDPR tracker!
This is not the highest GDPR fine issued so far by Germany's federal privacy authority. Read about it on our blog: