In what is one of the largest GDPR fines to date the German Federal Data Protection Authority (BfDI) has fined the telecommunications service provider 1&1 Telecom GmbH €9.55m.
What was this about?
Under GDPR organisations are obliged to put in place adequate technical and organisational measures (TOMs) to prevent unauthorised access to personal data. In this case the BfDi felt that 1&1 had not put adequate TOMs in place after callers were able to obtain information on customers simply by giving the name and date of birth of a customer. In addition to the fine, 1&1 has agreed to introduce a new authentication process in consultation with the regulator to make it harder for people to access the personal data of others.
Who is 1&1?
1&1 is an established German business providing (amongst other things) internet services, domain name hosting and cloud hosting. 1&1 is a subsidiary of United Internet which has operations in the UK, USA, Austria, Canada, France, Germany, Italy, Mexico, Poland, Spain, Switzerland and the Czech Republic.
What did the DPA say?
The German data protection authority said that the imposition of a fine was necessary because, whilst the infringement was limited to a small number of customers, it represented a risk for 1&1’s entire customer base. The BfDI took into account 1&1’s cooperation throughout to reduce the penalty.
The BfDI said that it has ongoing investigations into other telecoms operators and also announced a second fine yesterday against a different telco for failure to nominate a DPO.
What has 1&1 said?
1&1 has said that it intends to appeal against the ruling. 1&1 argues that only contractual information could be accessed through this method of authentication. It says that the issues happened in 2018 and it used then-current methods of security and has improved its processes since. It also challenged the way in which the fine had been calculated based on their turnover.
What does this case tell us?
This case tells us that, as we predicted prior to GDPR coming in, the security and integrity of data is important. We have had cases on authentication in the past including from a UK financial services regulator. Organisations need to check that they are dealing with the right people and that they are not giving data away unnecessarily.
When they do spot a possible security vulnerability, organisations need to deal with it quickly and efficiently. You can find some tips on dealing with a data breach in our short film here http://bit.ly/navfilmdraft and details of GDPR Navigator, our system for handling data breaches here http://bit.ly/breachnav
The case also illustrates another of our earlier predictions – cases like this will often be appealed. The way in which fines are calculated in cases like this is not clear and we’ve spoken before about the EU’s competition law regime which is broadly similar in terms of fee calculations and has also seen challenges to fines levied.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and regular conference calls to help you comply. More details are at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1784
30 Farringdon Street
London EC4A 4HHOffice: +44 (0)20 7075 1785