Data Protection Academy » Data Protection News » BfDI imposes fine on telecommunications service provider

A person holds five euro notes in his hand. A symbolisation for the fine against telecommunications service provider 1&1

BfDI imposes fine on 1&1 Telecom GmbH

Date: 09.12.2019

Responsible body: 1&1 Telecom GmbH

Nature of the data protection breach: Insufficient technical and organisational measures

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposes a fine of 9,550,000 euros on the telecommunications service provider 1&1 Telecom GmbH. The BfDI justified the fine with insufficient technical-organisational measures (TOMs).

Callers to 1&1 were able to obtain further personal customer information about a customer simply by providing their name and date of birth. The authentication was not sufficient and violated Article 32 GDPR.

1&1 Telecom GmbH shows insightful and improved authentication process by requesting additional data. A fine is nevertheless necessary, but due to the willing cooperation, the BfDI remained in the lower possible fine range.

Ulrich Kelber on the enforced data protection fine
Data protection is protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European data protection basic regulation gives us the opportunity to punish decisively the inadequate protection of personal data. We apply these powers with due regard for the necessary proportionality.

Article of the GDPR: Article 32 GDPR

Fines: 9,550,000 Euro

Country: Germany

SourceBfDI

Back to the overview of the data breaches

Caroline Schwabe
Latest posts by Caroline Schwabe (see all)

This might interest you too:

Examples of GDPR fines: what happens in data protection

GDPR infringements are punished with heavy fines. Find out which data protection infringements are suspected and secure yourself.

Data protection fine imposed on the Municipality of Oslo Education Authority

120.000 € because the security of the app "Skolemelding" for communication between school staff, parents and pupils was not guaranteed.

Data protection fine Swedish company

35,000 euros fine for violation of three Swedish laws at once. Information about creditworthiness published.