GDPR Violation costs German Telecommunications Company 9.5 Million Euros

The German Federal Data Protection Supervisory Authority (BfDI) – Germany’s federal privacy watchdog has imposed one of the largest fines – a whopping 9.55 million Euros on the telecommunications company 1&1 Telecom GmbH stating that it failed to satisfy the requirements of Art. 32 of the GDPR.

The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 of GDPR. The company has vowed to challenge the order, arguing that the size of the fine is disproportionate.

According to the BfDI, it had become aware that callers could obtain extensive information on further personal customer data in the customer care of the enterprise even by giving the name and date of birth of a customer. In this authentication procedure, the BfDI found a violation of Article 32 of GDPR, according to which the company is obliged to take appropriate technical and organizational measures to systematically protect the processing of personal data.

Since BfDI criticized 1&1 Telecommunications’ inadequate data protection, it has added an extra step to require additional information before obtaining customer data. The company also plans to provide each customer with a personal service PIN to access their account soon.

1&1 Telecommunications will be appealing the fine on the grounds that the fine is disproportionate. However, the BfDI succeeded in sending the message that under GDPR customer data must be protected.