Bonn/Berlin, 09 December 2019
Press release 30/2019
BfDI Imposes Fines on Telecommunications Service Providers
The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9,550,000 on the telecommunications service provider 1&1 Telecom GmbH. In connection with their telephone customer service, the company had not taken sufficient technical and organisational measures to prevent unauthorised persons from being able to obtain customer information. In another case, the BfDI imposed a fine of EUR 10,000 on Rapidata GmbH.
Concerning this matter, the Federal Commissioner Ulrich Kelber said: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish the insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”
In the case of 1&1 Telecom GmbH, the BfDI had become aware that persons calling the company’s customer service could obtain extensive information about further personal customer data merely by providing a customer’s name and date of birth. The BfDI considers this authentication procedure to be in breach of Article 32 of the GDPR which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and highly cooperative. As a first step, the authentication procedure was strengthened by requesting additional information. As a further step, following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.
Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small proportion of customers, but posed a risk for the entire customer base. When fixing the amount of the fine, the BfDI remained in the lower range of possible fines because of the cooperative conduct of 1&1 Telecom GmbH throughout the whole procedure.
On the basis of his own findings, indications and customer complaints, the BfDI is also currently investigating the authentication procedures of other telecommunications service providers.
Further proceedings against the telecommunications provider Rapidata GmbH were required because, despite repeated requests, this company failed to comply with its legal requirement under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the EUR 10,000 fine, the fact was taken into account that this is a company belonging to the category of micro-enterprises.