BfDI imposes fine on 1&1 Telecom GmbH

Date: 09.12.2019

Responsible body: 1&1 Telecom GmbH

Nature of the data protection breach: Insufficient technical and organisational measures

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposes a fine of 9,550,000 euros on the telecommunications service provider 1&1 Telecom GmbH. The BfDI justified the fine with insufficient technical-organisational measures (TOMs).

Callers to 1&1 were able to obtain further personal customer information about a customer simply by providing their name and date of birth. The authentication was not sufficient and violated Article 32 GDPR.

1&1 Telecom GmbH shows insightful and improved authentication process by requesting additional data. A fine is nevertheless necessary, but due to the willing cooperation, the BfDI remained in the lower possible fine range.

Ulrich Kelber on the enforced data protection fine
Data protection is protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European data protection basic regulation gives us the opportunity to punish decisively the inadequate protection of personal data. We apply these powers with due regard for the necessary proportionality.

Article of the GDPR: Article 32 GDPR

Fines: 9,550,000 Euro

Country: Germany

Source: BfDI

Back to the overview of the data breaches