Mishcon de Reya page structure
Site header
Main menu
Main content section
abstract lights on dark background

€9.5m GDPR fine to German telco for insecure customer authentication

Posted on 9 December 2019

The German Federal Commissioner for Data Protection, or BfDI, (the federal data protection authority for telecommunication service providers) has issued a fine of €9.55m [text in German] for infringement of the General Data Protection Regulation (GDPR). The fine, against 1&1 Telecom GmbH, arose after the regulator became aware that callers to the company could, merely by providing someone's name and date of birth, obtain considerable further information about the person. This, said the BfDI, violated Article 32 of GDPR which requires data controllers to implement appropriate technical and organisational measures to ensure an appropriate level of security. The BfDI has since opened investigations into the practices of other telecoms providers.

We understand that 1&1 Telecom intend to challenge the fine. Nonetheless, as GDPR's rules apply across Europe and as regulators are supposed to apply its principles in a consistent way, any company - including those in the UK - which uses telephone customer-authentication measures would be well advised to review its practices to ensure it doesn't risk inadvertent disclosure to wrong persons.

At the same time the BfDI has also issued a much lower fine of €10,000 to telecoms provider Rapidata GmbH for failing to appoint a data protection officer under Article 37 of GDPR.

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

I'm a client

I'm looking for advice

Something else