German Telecoms Company Issued a $10.56 Million GDPR Fine

A German data protection authority has issued one of the largest GDPR penalties to date to 1&1 Telecommunications. The telecommunications and hosting company was fined for failing to implement adequate technical and organizational controls to authenticate callers in its call centers.

1&1 Telecommunications, a United Internet Group subsidiary, is one of Germany's largest telecom and mobile service providers. The Federal Commissioner for Data Protection and Freedom of Information (BfDI) investigated the company after receiving a report that its call centers required only a customer's name and date of birth for authentication. That information can often be obtained readily from social media profiles. Anyone who supplied a correct name and date of birth could obtain a sizeable collection of sensitive customer data.

BfDI established that 1&1 Telecommunications did not comply with Article 32 of the EU's General Data Protection Regulation. Under Article 32, covered entities must implement appropriate technical and organizational measures to secure the processing of personal data. The insufficient authentication controls put the confidentiality of customer information at risk. Because the weakness potentially exposed the company's entire customer base, BfDI considered a financial penalty appropriate.

On December 9, BfDI issued a €9.55 million ($10,556,000) penalty. In setting the amount, BfDI considered the small size of the firm as well as its degree of transparency and cooperation with the investigation. When BfDI contacted 1&1 Telecommunications about the GDPR violation, the company added an extra authentication step and cooperated fully with the investigation. It has since continued to strengthen its authentication procedures and will now require customers to provide a PIN before any information is disclosed.

1&1 Telecommunications considers the penalty excessive and argues that it was calculated on the basis of wider group revenue. The firm will appeal the penalty and is considering filing a lawsuit against BfDI. Although the financial penalty is large, it is well below the maximum fine for a GDPR violation, which is €20 million ($22,110,800) or 4% of global annual revenue, whichever is higher.

This is the second multi-million euro GDPR fine issued in Germany in the last two months. In October, the Berlin Data Protection Authority, the Berliner Beauftragte für Datenschutz und Informationsfreiheit, issued a €14.5 million ($16.26 million) fine to Deutsche Wohnen, a German property firm. Deutsche Wohnen had been storing information on current and former tenants in a system from which data could not be deleted, so data was retained after the purpose for which it had been collected was fulfilled.

BfDI also announced on December 9 that it had issued a €10,000 ($11,033) fine to Rapidata GmbH for violating Article 37 of the GDPR. The firm had failed to appoint a data protection officer despite repeated requests from BfDI.

The State Commissioner for Data Protection and Freedom of Information in Rhineland-Palatinate also issued a GDPR fine in December. A hospital in Rhineland-Palatinate, Germany, must pay €105,000 ($93,525) to resolve GDPR violations related to patient admissions, which could easily lead to patient mix-ups. The investigation revealed several technical and organizational failures in patient and privacy management.