A data protection authority in Germany has issued one of the largest ever GDPR penalties to the telecommunications and hosting firm 1&1 Telecommunications. The fine was issued for a failure to implement appropriate technical and administrative measures to authenticate individuals in its call centers.
1&1 Telecommunications, a subsidiary of United Internet Group, is one of the largest telecommunications and mobile service providers in Germany. The firm was investigated by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after a report was received that the only information required to authenticate customers in its call centers was a name and date of birth, information that can easily be found on social media sites. If a correct name and date of birth were provided, it was possible to obtain an extensive range of sensitive information on customers.
BfDI determined that 1&1 Telecommunications had failed to comply with Article 32 of the EU’s General Data Protection Regulation. Article 32 requires appropriate technical and administrative measures to be put in place to protect the processing of personal data. The inadequate authentication measures meant the confidentiality of customer data was put at risk. Since the failure had the potential to place its entire customer base at risk, a financial penalty was deemed appropriate.
On December 9, BfDI announced that a penalty of €9.55 million ($10,556,000) had been issued. The financial penalty took into account the relatively small size of the company and the level of transparency and cooperation in the investigation. When contacted by BfDI and advised about the GDPR violation, 1&1 Telecommunications implemented an additional authentication measure and cooperated fully with the investigation. The company also continued to improve its authentication processes and will now require customers to provide a PIN before any data is disclosed.
1&1 Telecommunications believes the fine is disproportionate and that it was calculated based on wider company sales. The telecommunications company will appeal the fine and is considering suing BfDI. While the financial penalty is significant, it is much lower than the maximum possible penalty for a GDPR violation, which is €20 million ($22,110,800) or 4% of global annual turnover, whichever is greater.
This is the second multi-million-euro GDPR penalty to be issued in Germany in the past two months. In October, the Berlin Data Protection Authority, Berliner Beauftragte für Datenschutz und Informationsfreiheit, imposed a €14.5 million ($16.26 million) penalty on the German property company Deutsche Wohnen. The company was storing data on current and former tenants in a system that did not allow data to be deleted. Data was being retained long after the purpose for which the information had been collected had been satisfied.
BfDI also announced on December 9 that a €10,000 ($11,033) financial penalty was imposed on Rapidata GmbH for a violation of Article 37 of GDPR. The company had failed to appoint a data protection officer, despite repeated requests from BfDI.
The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate also issued a GDPR fine in December. A hospital in the state of Rhineland-Palatinate in Germany must pay €105,000 ($93,525) to resolve violations of several provisions of GDPR related to patient admissions, which could easily lead to patient mix-ups. The investigation uncovered multiple technical and organizational failures related to patient and privacy management.