Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecommunications for GDPR infringement.
On Monday, 1&1 was fined €9.55 million ($10.6m) for failing to implement “adequate technical and organisational measures (TOMs)” to protect customer data from any unauthorised access.
Due to the insufficient TOMs, callers were able to obtain information on customers just by providing the customer’s name and date of birth.
Compliance specialists Cordery explained that although the infringement was limited to a small number of customers, “it represented a risk for 1&1’s entire customer base.”
After the initial warning, BfDI stated that 1&1 was very cooperative and transparent despite being criticised about its inadequate data protection. The company has agreed to introduce a new authentication process to make it more difficult for callers to access the personal data of others.
1&1 has stated that it intends to appeal the ruling, arguing that the issue happened in 2018 and since then it processes have improved, as well as adding that only contractual information could be accessed through this method.
Julia Zirfas, Data Protection Officer for 1&1 and attorney commented: “The fine is absolutely disproportionate.”
“This case tells us that, as we predicted prior to GDPR coming in, the security and integrity of data is important. We have had cases on authentication in the past including from a UK financial services regulator. Organisations need to check that they are dealing with the right people and that they are not giving data away unnecessarily,” added Cordery.
In addition to 1&1, on Monday the BfDI announced another fine of €10,000 ($11,100) against internet service provider Rapidata GmBH for failing to appoint a data protection officer as required by GDPR.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.