Telecoms provider (1&1 Telecom GmbH) – €900,000 Fine (Germany, 2020)

Original Fine Summary: The Controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by entering a customer's name and date of birth. In this authentication procedure, the BfDI aws a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due to the company's cooperation with the data protection authority, the fine imposed was at the lower end of the scale. -- Update: On November 11th, 2020, after an appeal against the fine, the Bonn District Court decided that although the fine is justified in principle, it is unreasonably high. The chamber has therefore reduced the fine from originally EUR 9,55 million to EUR 900,000. One of the reasons for the reduction was that the company's procedure for authenticating customers used for its telephone hotline (requesting only the name and date of birth of the caller) had remained unobjected for a long time and therefore the company lacked a concrete awareness of the problem which leads to the fact that the concrete culpability in this case had to be classified as rather low. Furthermore, according to the court, the violation was also rather minor, as it could not lead to a massive data leakage.