GDPR: nearly 10 million in fines for unsecured hotline *Update*

Slowly but surely, more and more fine proceedings are coming in, and the data protection authorities are getting more serious.

Now the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH €9,550,000.

In the opinion of the BfDI, the company had not taken sufficient technical and organisational measures to prevent unauthorised persons from obtaining customer data through its telephone customer service.

A caller was able to obtain extensive further personal customer data from the company's customer support simply by stating a customer's name and date of birth. In this authentication procedure the BfDI sees a violation of Article 32 GDPR, which requires the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI criticised the inadequate data protection, 1&1 Telecom GmbH proved cooperative and intends to introduce a new authentication procedure that is significantly improved in terms of technology and data protection.

Although the amount of the fine is of course due to the size of 1&1 and the volume of customer data potentially affected, the question of how to handle the personal data of (potential) customers, whether by telephone or e-mail, is relevant for most companies, which often underestimate the risk of a fine.

*Update*

1&1 Telecom GmbH will not accept the fine notice issued against it by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and will appeal against it. The Federal Data Protection Commissioner has imposed a fine of EUR 9.55 million for an individual case. The authority accuses 1&1 of having failed, in its telephone authentication, to take technical and organisational measures to protect personal data that met the applicable standard.

This procedure was not concerned with the general protection of the data stored at 1&1, but with the question of how customers can access their contract information. The case in question occurred as early as 2018. Specifically, it was a question of telephone retrieval of the mobile phone number of a former life partner. The responsible employee met all the requirements of the security guidelines that were valid at 1&1 at the time. At that time, two-factor authentication was common, and there was no single market standard for higher security requirements.

Since then, 1&1 has continuously developed its security requirements. For example, three-factor authentication has been introduced in the meantime, and in the next few days 1&1, one of the first companies in its industry, will provide each customer with a personal service PIN.

1&1’s data protection officer, Dr. Julia Zirfas, emphasizes the company’s high security standards: “The security of the data of many millions of customers is our top priority. Therefore, 1&1 strictly adheres to the applicable data protection regulations.”

Marian Härtel

Marian Härtel is a lawyer and entrepreneur specializing in copyright law, competition law and IT/IP law, with a focus on games, esports, media and blockchain.