A data protection authority in Germany has issued one of the largest ever GDPR penalties to the telecommunications and hosting firm 1&1 Telecommunications. The fine was issued for a failure to implement appropriate technical and administrative measures to authenticate individuals in its call centers.
1&1 Telecommunications, a subsidiary of United Internet Group, is one of the largest telecommunications and mobile service providers in Germany. The firm was investigated by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after a report was received that the only information required to authenticate customers in its call centers was a name and date of birth – information that can easily be found on social media sites. If a correct name and date of birth were provided, it was possible to obtain an extensive range of sensitive information on customers.
BfDI determined that 1&1 Telecommunications had failed to comply with Article 32 of the EU’s General Data Protection Regulation. Article 32 requires appropriate technical and administrative measures to be put in place to protect the processing of personal data. The inadequate authentication measures meant the confidentiality of customer data was put at risk. Since the failure had the potential to place its entire customer base at risk, a financial penalty was deemed appropriate.
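The weakness at the heart of the case is that a name and date of birth identify a customer but do not authenticate the caller, because both can be learned from public sources. The following is an added illustration, not code from 1&1 or from the BfDI investigation: it places the attribute-only check described above beside a hardened version in which those attributes merely locate the account, and a customer-held secret (an account PIN, or a one-time code sent to the number on file) proves the caller's right to it, with a lockout after repeated failures. The customer record, the PIN, the lockout threshold and the simulated code delivery are all constructed for the example.

```python
"""Call-center caller verification: attribute-only check beside a hardened one.

Added example; not the 1&1 or BfDI code. The customer record, PIN, phone
number and the way the one-time code is 'delivered' are all constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_ATTEMPTS = 3  # assumed lockout threshold for this illustration


@dataclass
class Customer:
    name: str
    date_of_birth: str          # ISO date; often discoverable on social media
    pin_salt: bytes
    pin_hash: bytes             # PBKDF2 hash of a customer-chosen secret
    phone_on_file: str          # channel for the out-of-band one-time code
    failed_attempts: int = 0
    pending_otp: Optional[str] = None


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked record does not reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def make_customer(name: str, dob: str, pin: str, phone: str) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(name, dob, salt, hash_pin(pin, salt), phone)


def weak_verify(record: Customer, claimed_name: str, claimed_dob: str) -> bool:
    """The check described in the article: identity attributes only.

    Anyone who has read the customer's public profile can pass this.
    """
    return (record.name.lower() == claimed_name.lower()
            and record.date_of_birth == claimed_dob)


def issue_otp(record: Customer) -> str:
    """Simulates sending a one-time code to the phone number on file.

    A real system would hand the code to an SMS/voice gateway and never
    return it to the agent; it is returned here only so the demo can run.
    """
    record.pending_otp = f"{secrets.randbelow(10**6):06d}"
    return record.pending_otp


def hardened_verify(record: Customer, claimed_name: str, claimed_dob: str,
                    pin: Optional[str] = None,
                    otp: Optional[str] = None) -> Tuple[bool, str]:
    """Attributes locate the account; a secret the caller holds proves it.

    Failed attempts are counted per account so the secret cannot simply be
    guessed across repeated calls; after MAX_ATTEMPTS the account must be
    verified through another channel.
    """
    if record.failed_attempts >= MAX_ATTEMPTS:
        return False, "locked: escalate to out-of-band verification"
    if not weak_verify(record, claimed_name, claimed_dob):
        return False, "account not located"
    if pin is not None and hmac.compare_digest(
            hash_pin(pin, record.pin_salt), record.pin_hash):
        record.failed_attempts = 0
        return True, "verified via PIN"
    if (otp is not None and record.pending_otp is not None
            and hmac.compare_digest(otp, record.pending_otp)):
        record.pending_otp = None          # single use
        record.failed_attempts = 0
        return True, "verified via one-time code"
    record.failed_attempts += 1
    return False, "secret factor missing or wrong"


if __name__ == "__main__":
    # Constructed record; 'Erika Mustermann' is the German placeholder name.
    erika = make_customer("Erika Mustermann", "1980-05-01", "4831", "+49-000-000000")
    # A caller who only knows public attributes:
    print("weak check:    ", weak_verify(erika, "erika mustermann", "1980-05-01"))
    print("hardened check:", hardened_verify(erika, "Erika Mustermann", "1980-05-01"))
    # The genuine customer, using the code sent to the number on file:
    code = issue_otp(erika)
    print("with OTP:      ", hardened_verify(erika, "Erika Mustermann", "1980-05-01", otp=code))
```

The contrast the demo prints is the one the regulator drew: the same publicly known name and date of birth satisfy `weak_verify` outright but only get the caller as far as "secret factor missing or wrong" under `hardened_verify`. The secret is stored as a salted PBKDF2 hash and compared with `hmac.compare_digest`, the one-time code is consumed on first use, and the per-account counter turns a guessable four-digit PIN into something that cannot be brute-forced over repeated calls.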