BfDI fines telecommunications service providers in Germany
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of EUR 9,550,000 on the telecommunications service provider 1&1 Telecom GmbH.
The company had not taken sufficient technical and organisational measures to prevent unauthorised persons from obtaining customer data through its telephone customer care. In a separate case, the BfDI imposed a fine of EUR 10,000 on Rapidata GmbH.
The Federal Commissioner Ulrich Kelber said: "Data protection is protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish the inadequate protection of personal data. We apply these powers taking into account the appropriateness that is required."
In the case of 1&1 Telecom GmbH, the BfDI had become aware that callers could obtain extensive personal data about other customers from the company's customer service simply by stating a customer's name and date of birth. The BfDI regards this authentication procedure as a violation of Article 32 GDPR, which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI criticised the insufficient data protection, 1&1 Telecom GmbH showed understanding and was extremely cooperative. As a first step, the authentication process was secured by querying additional information. As a further step, 1&1 Telecom GmbH is currently introducing, in consultation with the BfDI, a new authentication procedure that is significantly improved in terms of both technology and data protection.
Notwithstanding these measures, it was necessary to impose a fine. Although the infringement affected only a small proportion of customers, it presented a risk to the entire customer base. In determining the amount of the fine, the BfDI stayed in the lower range of possible fines because of the cooperative conduct of 1&1 Telecom GmbH throughout the proceedings.
The BfDI is also currently investigating the authentication processes of other providers of telecommunications services based on its own findings, information and customer complaints.
A further proceeding against the telecommunications provider Rapidata GmbH was necessary because the company, despite repeated requests, did not comply with its legal obligation under Article 37 GDPR to designate a company data protection officer. In setting the fine at EUR 10,000, the BfDI took into account that the company falls into the category of micro-enterprises.