The German Federal Commissioner for Data Protection, or BfDI (the federal data protection authority competent for telecommunication service providers), has issued a fine of €9.55m [text in German] for infringement of the General Data Protection Regulation (GDPR). The fine, against 1&1 Telecom GmbH, arose after the regulator became aware that callers to the company's customer service line could, merely by providing a customer's name and date of birth, obtain considerable further information about that person. This, said the BfDI, violated Article 32 of GDPR, which requires data controllers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The BfDI has since opened investigations into the practices of other telecoms providers.
We understand that 1&1 Telecom intends to challenge the fine. Nonetheless, as GDPR's rules apply across Europe and as regulators are supposed to apply its principles in a consistent way, any company - including those in the UK - which authenticates customers over the telephone would be well advised to review its practices to ensure it doesn't risk inadvertent disclosure to the wrong person. The underlying weakness is worth stating plainly: a name and date of birth are not secrets, and anyone who can obtain them (from public records, social media or a previous breach) can pass a check that relies on them alone, so the question for a review is whether the caller is asked for something only the genuine customer would know or hold.
At the same time, the BfDI issued a much lower fine of €10,000 to telecoms provider Rapidata GmbH for failing to appoint a data protection officer as required by Article 37 of GDPR.