1 & 1 Telecom GmbH (“1&1”) has been fined €9,550,000 for failing to take sufficient technical and organisational measures to prevent unauthorised persons from obtaining its customers’ data from its customer helpline.

1&1 was found to have in place a customer authentication procedure that only required a caller to provide the name and date of birth of a 1&1 customer in order to obtain considerable personal data in respect of that customer.

The German Federal Commissioner For Data Protection And Freedom Of Information (BfDI) considered these information requirements to be in breach of Article 32 of the General Data Protection Regulation (GDPR) regarding the appropriate technical and organisational measures that should be taken to protect the security of personal data. The BfDI’s Ulrich Kelber released a statement in response to 1&1’s GDPR infringement, emphasising the unforgiving approach that will be taken by the BfDI to data breaches:

“The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation gives us the opportunity to decisively punish the inadequate protection of personal data. We apply these powers taking into account the appropriateness that is required.”

1&1 plans to challenge the BfDI’s fine on the following grounds:

  1. name and date of birth was a typical authentication requirement of customers in the telecommunications market at the time (which has since been improved upon by 1&1); and
  2. the level of the fine imposed by the BfDI was disproportionate in that it does not accord with German constitutional principles of proportionality and equal treatment.

If customer authentication by the means required by 1&1 was market standard at the time, then 1&1 may have a case against the BfDI’s decision to single-out 1&1 as not having taken sufficient steps to comply with Article 32.

Regarding the level of fine imposed by the BfDI, German data protection authorities calculate fines based on worldwide annual turnover of the infringer’s group of companies, leaving companies that are part of a large group open to significant sanctions. This approach, which does not take into account the relevance of the wider group companies to the specific GDPR infringement, could be deemed unequal treatment based on size alone.

The BfDI has announced that it plans to investigate other telecommunications companies who may have committed similar infringements to 1&1 in respect of their technical and organisational measures taken to protect the security of personal data. This decision will be of interest to those companies that operate a customer helpline, and those who fall under the supervision of the BfDI may want to review their customer authentication practices to reduce the risk of potentially significant fines.