Another extreme penalty for insufficient personal data protection
1&1 Telecom GmbH, a German mobile service operator, was fined EUR 9.6 million for the failure to implement sufficient technical and organisational measures to protect the personal data of its customers. This is one of the highest penalties ever imposed for the breach of GDPR since its effectiveness. The operator declared its intention to appeal the penalty.
1&1 Telecom GmbH is one of the largest providers of telecommunication services in Germany. The penalty was imposed as the operator had provided significant amounts of customer account information by phone, based on authentication requiring only a customer’s first name, last name and date of birth. The German authorities found the authentication procedure entirely insufficient and asserted that in fact anybody could have easily collected personal data on the operator’s customers based on their basic identification data, often commonly available on the internet.
A penalty of up to EUR 20 million or 4% of a company’s total annual turnover can be imposed for the violation of GDPR, whichever is higher. Despite the operator having been very transparent, cooperative, and willing to make amends by immediately adding another authentication detail that resulted in significantly better protection of its customers’ personal data, the penalty imposed was very high, primarily owing to the operator’s high turnover and the severity of the breach, as the personal data of all its customers had been exposed. Similarly, extreme penalties amounting to hundreds of millions of euros for the insufficient protection of personal data may also soon be imposed on the Marriot hotel chain and British Airways.
Both personal data controllers and processors should therefore review to what extent the personal data they process are protected, for example, whether, when providing information to customers, their authentication procedures are sufficient to avoid the provision of personal data to unauthorised persons. To determine the appropriate level of protection may sometimes be quite difficult, as access to services should not be overly complicated and should not require any unreasonable administrative burden. All the more so because GDPR also prescribes that personal data controllers must facilitate the exercise of data subjects’ rights, among which is also the right to information about the data being processed. Taking into account the above decision-making practice of the EU’s personal data protection offices, we recommend paying increased attention to this matter.