1&1 hit with million-euro GDPR fine

(Image credit: Wright Studio / Shutterstock)

Germany's federal privacy watchdog has handed out one of the largest fines to date to 1&1 Telecommunications for violating the EU's General Data Protection Regulation (GDPR).

The firm was fined €9.55m by Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) for failing to put “sufficient technical and organizational measures” in place to protect customer data in its call centers.

In a press release announcing the fine, Federal Commissioner Ulrich Kelber explained why the privacy watchdog decided to issue such a heavy fine, saying:

"Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration."

Article 32

1&1 Telecommunications SE is one of Germany's largest internet and mobile service providers and the company is part of the United Internet Group which also includes the popular web hosting firm 1&1 IONOS.

According to BfDI, the privacy watchdog fined 1&1 Telecom after it discovered that callers to its call center could obtain customer information by simply providing their name and date of birth which meant that its customer's personal information was not properly safeguarded. In its announcement of the fine, BfDI explained that the company had violated Article 32 of GDPR, saying:

"The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR , according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data."

Since BfDI criticized 1&1 Telecommunications' inadequate data protection, it has added an extra step to require additional information before obtaining customer data. The company also plans to provide each customer with a personal service PIN to access their account soon.

1&1 Telecommunications will be appealing the fine on the grounds that it is disproportionate but the BfDI did succeed in sending the message that under GDPR customer data must be protected.

Via Bank Info Security

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.