Data privacy: Germans dish out one of the biggest GDPR fines yet over lax call centers

GDPR: Here’s why firms are still struggling to comply
GDPR came into force over a year ago but many organisations are still struggling to comply with data privacy legislation – despite the prospect of fines.

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has hit mobile services provider 1&1 Telecommunications with a major fine for violating the EU’s General Data Protection Regulation (GDPR).

The €9.55m ($10.65m) fine is one of the largest relating to GDPR to date and comes after the BfDI found that the company had failed to enforce Article 32 of the European legislation, which requires businesses to take appropriate technical and organizational measures to protect the processing of personal data.

According to the BfDI’s findings, callers to 1&1’s call centers could discover customers’ personal information simply by providing a name and date of birth, which means that personal data was not properly safeguarded.

Federal commissioner Ulrich Kelber hailed the fine as a “clear sign” that GDPR will be effectively enforced in the country.

“The European General Data Protection Regulation gives us the opportunity to strongly sanction the inadequate security of personal data,” he said. “We apply these powers in light of due consideration.”

1&1 Telecommunications is one of Germany’s biggest DSL and mobile services providers. It is a subsidiary of network provider 1&1 Drillisch, which boasts 14 million customers. 

BfDI praised 1&1 for being transparent and cooperating. Since being investigated for failing to safeguard data, the provider has added an extra step to authenticate a caller before obtaining customer information. BfDI nevertheless said “despite these measures, the imposition of a fine was necessary”.

On the same day that BfDI issued a fine against 1&1, the German Commissioner also announced it was fining internet service provider Rapidata €10,000 ($11,110) in a separate case for its failure to provide a data-protection officer, as required by GDPR. 

In the UK, the Information Commissioner’s Office (ICO) has already issued a record fine of £183m ($240m) to British Airways for what it concluded to be “poor security arrangements” that led to personal data of half a million customers being stolen by hackers in a cyberattack disclosed in September 2018. 

Earlier this year, a Capgemini survey across businesses in Europe found that less than one in three organisations is fully compliant with GDPR, with businesses citing legacy IT as the main obstacle to safe data protection. 

1&1 Telecommunications will be appealing the fine, which it argues is disproportionate. 

More on data privacy and GDPR