
Germany: Telecommunications provider receives a 9.5 Million Euro GDPR fine

16 December 2019

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of 9.55 Million Euro on the major telecommunication services provider 1&1 Telecom GmbH (1&1). This is the second multimillion Euro fine that the Data Protection Authorities in Germany have imposed. The first fine of this magnitude (14.5 Million Euro) was imposed last month on a real estate company.

According to the BfDI, the fine against 1&1 was imposed for an inadequate authentication procedure in the company’s customer service department: any caller to 1&1’s customer service could obtain extensive personal customer data merely by providing a customer’s name and date of birth. The particular case that was brought to the Data Protection Authority’s attention involved a caller who requested the new mobile phone number of an ex-partner.

The BfDI found that this authentication procedure violates Art. 32 GDPR, which obliges a company to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI had pointed out the deficient procedure to 1&1, the company cooperated with the authorities. In a first step, the company changed the two-factor authentication procedure in its customer service department to a three-step authentication procedure. Furthermore, it is working on a new, enhanced authentication system in which each customer will receive a personal service PIN.

In his statement, the BfDI explained that the fine was necessary because the violation posed a risk to the personal data of all 1&1 customers. Because of the company’s cooperation with the authorities, however, the BfDI set the fine at the lower end of the scale.

1&1 has called the fine “absolutely disproportionate” and has announced that it will file a suit against the BfDI’s penalty notice.