BfDI: Fine of EUR 9.5 mil­li­on against a tele­com provider

The Ger­man Fede­ral Com­mis­sio­ner for Data Pro­tec­tion and Free­dom of Infor­ma­ti­on (BfDI) has fined tele­com­mu­ni­ca­ti­ons ser­vice pro­vi­der 1&1 Tele­com GmbH EUR 9.55 mil­li­on. From the Media release:

the BfDI had beco­me awa­re that Cal­ler to the cus­to­mer ser­vice of the com­pa­ny sim­ply by sta­ting the Name and Date of birth of a cus­to­mer could obtain far-rea­ching infor­ma­ti­on on fur­ther per­so­nal cus­to­mer data. The BfDI con­siders this authen­ti­ca­ti­on pro­ce­du­re to be a vio­la­ti­on of Artic­le 32 DSGVO, which requi­res the com­pa­ny to take appro­pria­te tech­ni­cal and orga­nizatio­nal mea­su­res to syste­ma­ti­cal­ly pro­tect the pro­ce­s­sing of per­so­nal data.

In doing so, the BfDI remain­ed within the lower ran­ge of the fine.