Bonn Regional Court confirms fine for inadequate customer verification

The Ninth Chamber for Administrative Fines of the Bonn Regional Court today ruled that the fine imposed by the Federal Commissioner for Data Protection and Freedom of Information on a telecommunications service provider for a violation of the General Data Protection Regulation was justified on the merits but unreasonably high. The Board therefore reduced the fine from the original €9.55 million to €900,000.

The reason for the fine proceedings was a criminal complaint of stalking by a customer of the telecommunications service provider. His former partner had requested the new telephone number of her ex-partner via the call center of the telecommunications service provider by posing as his wife.

For legitimation, it only had to provide the customer’s name and date of birth. She had then used the new phone number to make harassing contacts.

In November 2019, the BfDI therefore imposed a fine of EUR 9.55 million on the telecommunications service provider for grossly negligent violation of Art. 32 para. 1 GDPR.

The BfDI explained that simply requesting the name and date of birth to authenticate telephone callers did not provide sufficient protection for the data in the call center.

Auch interessant: Website operators are liable for data processing of like buttons

The telecommunications service provider appealed against this decision, which is why the case was heard on five main days before the 9th Board of Administrative Appeals for Fines.

The Board ruled that the imposition of a fine on a company does not depend on a finding of a specific violation by a management person of the company. In the Board’s view, the applicable European law, unlike the German law on administrative offenses, does not impose a corresponding requirement.

In the case in point, there was a data protection violation because the telecommunications service provider had not protected the data of its customers in the course of communication via the so-called call centers by means of a sufficiently secure authentication procedure. In this way, it was possible for unauthorized callers to obtain further customer data, such as the current telephone number, only with the help of the full name and date of birth, by cleverly asking and pretending to be authorized. However, sensitive data such as itemized bills, traffic data or account details could not have been retrieved in this way.

Auch interessant: Attention: Insufficient cookie banners soon in the sights of data protectionists

The person concerned had been in a legal error with regard to the adequacy of the level of protection. In the absence of binding specifications for the authentication process in call centers, this legal error was understandable but avoidable.

In its decision, the Board reduced the amount of the fine to 900,000 euros. The fault of the telecommunications service provider was minor. With regard to the authentication practice practiced over many years, which had not been objected to until the fine was imposed, there had been a lack of the necessary awareness of the problem. In addition, it should be taken into account that – even in the opinion of the BfDI – this is only a minor data protection violation. This could not have led to the mass release of data to unauthorized persons.

Marian Härtel

Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.

0 0 votes

Artikelbewertung

0 Kommentare

Inline Feedbacks

View all comments

Information regarding Translations This Blog has more than 750 Blogposts that were posted in German. Thus I decided to provide an automated translation by Deepl.com for all the content. If you find anything awkward, pleas report it through the tool on the left hand side. As a lawyer, I do provide legal consultation in Europe and Germany in English and due to my time in the USA and my job history, I am able to provide contract drafting and contract consultation in business English.