The Ninth Chamber for Administrative Fines of the Bonn Regional Court today ruled that the fine imposed by the Federal Commissioner for Data Protection and Freedom of Information on a telecommunications service provider for a violation of the General Data Protection Regulation was justified on the merits but unreasonably high. The Board therefore reduced the fine from the original €9.55 million to €900,000.
The fine proceedings were triggered by a criminal complaint for stalking filed by a customer of the telecommunications service provider. His former partner had obtained his new telephone number through the provider's call center by posing as his wife.
To authenticate herself, she only had to give the customer's name and date of birth. She then used the new phone number to make harassing contact with him.
In November 2019, the BfDI therefore imposed a fine of EUR 9.55 million on the telecommunications service provider for grossly negligent violation of Art. 32 para. 1 GDPR.
The BfDI explained that simply requesting the name and date of birth to authenticate telephone callers did not provide sufficient protection for the data in the call center.
The telecommunications service provider appealed against this decision, so the case was heard over five days of main hearing before the Ninth Chamber for Administrative Fines.
The Board ruled that the imposition of a fine on a company does not depend on a finding of a specific violation by a management person of the company. In the Board’s view, the applicable European law, unlike the German law on administrative offenses, does not impose a corresponding requirement.
In the case at hand, there was a data protection violation because the telecommunications service provider had not protected its customers' data in communication via its call centers with a sufficiently secure authentication procedure. As a result, unauthorized callers could obtain further customer data, such as the current telephone number, with nothing more than the full name and date of birth, by questioning skilfully and pretending to be authorized. Sensitive data such as itemized bills, traffic data or bank account details could not, however, have been retrieved in this way.
The telecommunications service provider had been under a mistake of law regarding the adequacy of its level of protection. In the absence of binding requirements for the authentication process in call centers, this mistake was understandable but avoidable.
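The weakness the court describes is an authentication policy that releases customer data to anyone who can state two attributes an ex-partner or relative typically knows. The following Python model, added here as an illustration and not part of the ruling or of the provider's actual systems, puts that policy beside a hardened one: each factor a call-center agent can check is given an assurance level, every data item states the minimum level it requires, and a single wrong factor fails the whole attempt. The customer record, the service PIN and the one-time code are constructed assumptions; the ruling does not say which stronger factors, if any, the provider used for the sensitive items.

```python
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Assurance(IntEnum):
    NONE = 0
    KNOWLEDGE_PUBLIC = 1   # name, date of birth: often known to family, friends, ex-partners
    KNOWLEDGE_SECRET = 2   # customer-chosen service PIN (assumed factor, not from the ruling)
    POSSESSION = 3         # one-time code sent to the registered contact (assumed factor)


# Assurance each checkable factor provides when it matches the customer record.
FACTOR_ASSURANCE: Dict[str, Assurance] = {
    "full_name": Assurance.KNOWLEDGE_PUBLIC,
    "date_of_birth": Assurance.KNOWLEDGE_PUBLIC,
    "service_pin": Assurance.KNOWLEDGE_SECRET,
    "one_time_code": Assurance.POSSESSION,
}

# The practice criticised in the ruling: name + date of birth unlock the current
# phone number. The ruling says sensitive items could not be obtained that way;
# modelling them as needing the secret level is an assumption.
WEAK_POLICY: Dict[str, Assurance] = {
    "current_phone_number": Assurance.KNOWLEDGE_PUBLIC,
    "itemized_bill": Assurance.KNOWLEDGE_SECRET,
    "traffic_data": Assurance.KNOWLEDGE_SECRET,
    "bank_account": Assurance.KNOWLEDGE_SECRET,
}

# Hardened policy: nothing is released on publicly knowable attributes alone.
HARDENED_POLICY: Dict[str, Assurance] = {
    "current_phone_number": Assurance.KNOWLEDGE_SECRET,
    "itemized_bill": Assurance.POSSESSION,
    "traffic_data": Assurance.POSSESSION,
    "bank_account": Assurance.POSSESSION,
}


@dataclass
class CustomerRecord:
    full_name: str
    date_of_birth: str
    service_pin: str
    current_phone_number: str
    itemized_bill: str
    traffic_data: str
    bank_account: str
    one_time_code: Optional[str] = None  # set only after a code has been issued


def sample_customer() -> CustomerRecord:
    """Constructed sample record; every value here is made up."""
    return CustomerRecord(
        full_name="Max Mustermann",
        date_of_birth="1980-01-01",
        service_pin="4711",
        current_phone_number="+49 170 0000000",
        itemized_bill="bill-2019-11.pdf",
        traffic_data="cdr-2019-11.csv",
        bank_account="DE00 0000 0000 0000 0000 00",
        one_time_code="381920",
    )


def verify_factors(presented: Dict[str, str], record: CustomerRecord) -> Assurance:
    """Return the strongest assurance level the caller has actually proven.
    Any unknown or mismatching factor fails the whole attempt, so factors
    cannot be probed one at a time."""
    level = Assurance.NONE
    for factor, value in presented.items():
        expected = getattr(record, factor, None) if factor in FACTOR_ASSURANCE else None
        if expected is None or not hmac.compare_digest(str(expected).encode(), str(value).encode()):
            return Assurance.NONE
        level = max(level, FACTOR_ASSURANCE[factor])
    return level


def release(item: str, presented: Dict[str, str], record: CustomerRecord,
            policy: Dict[str, Assurance], audit: List[dict]) -> Optional[str]:
    """Release `item` only if the proven assurance meets the policy; items not
    listed in the policy default to the highest level (default deny). Every
    attempt is logged so repeated denials against one customer can be spotted."""
    proven = verify_factors(presented, record)
    required = policy.get(item, Assurance.POSSESSION)
    allowed = proven >= required
    audit.append({"item": item, "proven": proven.name, "required": required.name,
                  "allowed": allowed, "factors": sorted(presented)})
    return getattr(record, item) if allowed else None


if __name__ == "__main__":
    log: List[dict] = []
    caller = {"full_name": "Max Mustermann", "date_of_birth": "1980-01-01"}
    print(release("current_phone_number", caller, sample_customer(), WEAK_POLICY, log))
    print(release("current_phone_number", caller, sample_customer(), HARDENED_POLICY, log))
    for entry in log:
        print(entry)
```

The audit entries are the detection side: a denied attempt that presented only `KNOWLEDGE_PUBLIC` factors against a given customer, repeated across calls, is exactly the pattern the hardened policy turns from a silent data release into a visible event.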
In its decision, the Chamber reduced the fine to 900,000 euros. The telecommunications service provider's fault was minor. Given an authentication practice followed for many years and not objected to until the fine was imposed, the necessary awareness of the problem had been lacking. It should also be taken into account that, even in the BfDI's own view, this was only a minor data protection violation: it could not have led to the mass release of data to unauthorized persons.