The telecommunications provider 1&1 Telecom GmbH from Montabaur is to pay a fine of 9.55 million euros for data protection violations. "The company did not take sufficient technical and organizational measures to prevent unauthorized persons from receiving customer information from telephone customer care," said Federal Data Protection Commissioner Ulrich Kelber in justification. 1&1 immediately announced that it would not accept the fine and would sue.
According to Kelber, callers were able to obtain further personal customer information from the company's customer care just by stating the name and date of birth of a customer. According to the dpa news agency, in 2018 a woman obtained the mobile number of her ex-husband, whom she had stalked.
New authentication system set up
Following the instructions of the Federal Data Protection Commissioner, 1&1 is said to have shown itself "reasonable and extremely cooperative". In a first step, the authentication process was strengthened by requesting additional information. In a second step, "a new authentication procedure that is clearly improved in technical and data protection terms is being introduced". According to Kelber, an inadequate authentication procedure is a violation of Article 32 of the EU General Data Protection Regulation (GDPR).
Kelber justified the imposition of a fine on the grounds that the infringement represented a risk to the entire customer base. Because 1&1 cooperated well, the amount is "at the lower end of the possible penalty range".
Criticism of the privacy advocates' fine concept
But the company sees it differently. "The fine is absolutely disproportionate. The new penalty logic, according to which the amount was calculated and which applies to the entire German economy, was published on 14 October 2019 and is based on the annual consolidated turnover," wrote the company. As a result, even the "smallest deviations result in huge fines". In the GDPR, however, turnover is not intended as a criterion for assessing the amount of the fine. Moreover, according to 1&1, the new penalty logic violates the Basic Law, in particular the principles of equal treatment and proportionality.
In October 2019, the Privacy Conference (DSK) published a concept for the calculation of fines. It is based strongly on company turnover, from which daily rates are calculated. When the concept was published, lawyers had already expected "that large companies sometimes have to pay high fines even with minimal violations because the economic base value calculated for them and thus the calculated daily rate are already so high".