GDPR: nearly 10 million fines for unsecured hotline * Update*
As a matter of slow ness, more and more fine procedures are fluttering in and the data protection officers are becoming more and more serious.
Now the Federal Commissioner for Data Protection and Freedom of Information has fined 1&1 Telecom GmbH €9,550,000.
In the opinion of the BfDI, the company had not taken sufficient technical and organisational measures to prevent unauthorised persons from being able to obtain information on customer data during telephone customer service.
Arufer was able to obtain extensive information about other personal customer data when it was provided with the company’s customer support simply by specifying a customer’s name and date of birth. In this authentication procedure, the BfDI considers that article 32 GDPRis in breach of the LAW, which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.
After the BfDI had complained about the insufficient data protection, 1&1 Telecom GmbH showed its understanding and wants to introduce a new, technically and data protection significantly improved authentication procedure.
Although the amount of the fine is of course due to the size of 1&1 and the potential amount of customer data, the question of how to deal with personal data of potential customers, be it by telephone or e-mail, is relevant for most companies. , which often underestimate the risk of a fine.
*Update*
1&1 Telecom GmbH will not accept and will appeal against the fine notice issued against it by the Federal Commissioner for Data Protection and Freedom of Information (Federal Data Protection Officer). The Federal Data Protection Commissioner has imposed a fine of EUR 9.55 million for an individual case. The Authority accuses 1&1 of failing to comply with telephone authentication, technical and organisational measures to protect personal data by providing non-standard authentication.
This procedure was not concerned with the general protection of the data stored at 1&1, but with the question of how customers can access their contract information. The case in question occurred as early as 2018. Specifically, it was a question of telephone retrieval of the mobile phone number of a former life partner. The responsible employee met all the requirements of the security guidelines that were valid at 1&1 at the time. At that time, two-factor authentication was common, and there was no single market standard for higher security requirements.
Since then, 1&1 has continuously developed its security requirements. For example, three-factor authentication has been introduced in the meantime, and in the next few days 1&1– one of the first companies in its industry – will provide each customer with a personal service PIN.
1&1’s data protection officer, Dr. Julia Zirfas, emphasizes the company’s high security standards: “The security of the data of many millions of customers is our top priority. Therefore, 1&1 strictly adheres to the applicable data protection regulations.
