Germany's federal privacy watchdog has handed out one of the largest fines to date to 1&1 Telecommunications for violating the EU's General Data Protection Regulation (GDPR).
The firm was fined €9.55m by Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) for failing to put “sufficient technical and organizational measures” in place to protect customer data in its call centers.
In a press release (opens in new tab) announcing the fine, Federal Commissioner Ulrich Kelber explained why the privacy watchdog decided to issue such a heavy fine, saying:
- Marriott owner facing huge GDPR breach fine
- Over 59,000 data breaches reported in EU since GDPR
- Microsoft calls for US version of GDPR
"Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration."
1&1 Telecommunications SE is one of Germany's largest internet and mobile service providers and the company is part of the United Internet Group which also includes the popular web hosting firm 1&1 IONOS (opens in new tab).
According to BfDI, the privacy watchdog fined 1&1 Telecom after it discovered that callers to its call center could obtain customer information by simply providing their name and date of birth which meant that its customer's personal information was not properly safeguarded. In its announcement of the fine, BfDI explained that the company had violated Article 32 of GDPR, saying:
"The BfDI had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI sees a violation of Article 32 of GDPR , according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data."
Since BfDI criticized 1&1 Telecommunications' inadequate data protection, it has added an extra step to require additional information before obtaining customer data. The company also plans to provide each customer with a personal service PIN to access their account soon.
1&1 Telecommunications will be appealing the fine on the grounds that it is disproportionate but the BfDI did succeed in sending the message that under GDPR customer data must be protected.
- We've also highlighted the best web hosting services
Via Bank Info Security (opens in new tab)