Court case 29 OWi 1/20 – Court Ruling (Germany, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A German court case involved a telecommunications company that didn't have strong enough security measures for its call centers. The court found that the company failed to properly authenticate callers, risking unauthorized access to personal data. This case underscores the need for robust security practices in customer service operations.
What happened
A telecommunications company was found to have inadequate caller authentication processes in its call centers.
Who was affected
Customers of the telecommunications company whose personal data could be accessed through call center interactions.
What the authority found
The court found that the company lacked sufficient security measures to protect personal data during call center operations.
Why this matters
This case highlights the importance of strong security measures in customer service to protect personal data. Companies should review and strengthen their authentication processes to prevent unauthorized access.
GDPR Articles Cited
The fined company belongs to a group of companies which together form one of the five largest telecommunications service providers in Germany. Since the entry into force of the GDPR on 25.05.2018 and until 08.05.2019, the party concerned operated call centres for the group of companies. The call centre agents worked with a user interface based on the customer database of the company K. This provided the call centre agent with the information (personal data) necessary for processing customer enquiries.
Callers usually first reached a first-level support service agent in the call centre. This agent first had to identify the caller. If the call was made from a telephone number assigned by the company, the record for that telephone number was displayed directly to the service agent. If, on the other hand, the call came from a foreign or suppressed telephone number, the service agent identified the customer on the basis of name and date of birth or, alternatively, the customer/contract or order number.
The service agent was then required to authenticate the caller as an authorised person. For this purpose, the date of birth was requested, insofar as it had not already been needed to call up the correct data record during identification. After authentication, the call centre agents were authorised to provide the caller with information and to accept change requests.
For certain topics, the first-level support agents forwarded callers to other employees on the basis of an authorisation concept. For example, only the billing office could enter new bank details. These other employees did not carry out a repeated or stricter authentication after the authentication by first-level support. The party concerned had not made any comprehensive arrangements for the case in which the call centre agent could recognise that someone other than the customer was calling the call centre. There were only special
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
Ruling Date
11 November 2020
Authority
Bundesbeauftragter für den Datenschutz
GDPRhub ID
gdprhub-court-3023
Cite as: Cookie Fines. Court case 29 OWi 1/20 - Germany (2020). Retrieved from cookiefines.eu