In December 2019 we reported on what was Germany’s second highest GDPR fine against 1&1 GmbH of €9.55m. You can read that alert here https://www.corderycompliance.com/german-telecom-provider-1and1-fined-9-55m-for-gdpr-breach/
We said in our alert that 1&1 would appeal and that appeal has just been heard by the District Court in Bonn. The fine was reduced to €900,000. 1&1 has said that it is examining the judgment and reserves the right to take further legal action.
What did the court say?
The court lowered the penalty because “the fault of the telecommunications service provider is minor”. There are more details of the case in our original alert. The court said in its judgment that there was no knowledge of further problems in the authentication practices in the company.
What did the data protection authority say?
The Federal Commissioner for Data Protection and Freedom of Information ( BfDI ), Professor Ulrich Kelber, said that the court had confirmed 1&1’s liability and said that the fine “shows that data protection violations are not without consequences…I am convinced that this decision will be taken into account in the boardrooms of companies. .. No company can afford to neglect data protection any longer.”
What does this case tell us?
The case reminds us that, as we said before, data protection authorities are likely to face challenges to high fines in the courts. In some respects, the fine mechanism in GDPR is based on the system in use in competition law cases where the success rate in appeals has been high. When dealing with a data breach we use a 4-step process:
There is more on that 4-step process here https://www.corderycompliance.com/dealing-with-a-breach/. Any organisation faced with a penalty from a DPA should consider carefully the representations it makes when served with a Notice of Intent and should also consider the prospects of a successful appeal. 1&1’s fine reduction to less than 10% of the original fine underlines that strategy.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1784
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1785