- The BfDI imposed a fine of EUR 9.55 million on 1&1 Telecom GmbH for inadequate authentication procedures in customer service.
- Name and date of birth alone were sufficient to disclose further personal data; this violates Art. 32 GDPR.
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined telecommunications service provider 1&1 Telecom GmbH EUR 9.55 million. From the Media release:
the BfDI had become aware that Caller to the customer service of the company simply by stating the Name and Date of birth of a customer could obtain far-reaching information on further personal customer data. The BfDI considers this authentication procedure to be a violation of Article 32 DSGVO, which requires the company to take appropriate technical and organizational measures to systematically protect the processing of personal data.
In doing so, the BfDI remained within the lower range of the fine.