On December 9, 2019, the German Federal Data Protection Supervisory Authority (BfDI) imposed a 9.55 million Euro fine on the telecommunications company 1&1 Telecom GmbH.  The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 GDPR.  The company announced that it will challenge the order, arguing that the size of the fine is disproportionate.

The BfDI’s investigation was initiated following a complaint by a customer whose mobile telephone number was provided to his former partner in 2018.  The caller provided only the name and birth date of the customer to the helpline worker.  According to the company, the helpline employee acted in accordance with the company’s guidelines at the time, which required a two-factor authentication and were in line with standard industry practices.  But the BfDI found that this procedure created risks for “far-reaching information” on customers.

The BfDI stated that it is currently investigating other telecommunications providers, thereby relying on its own findings in this case and pursuing tips from third parties and customer complaints.

We reported on a German supervisory authority’s guidance regarding a similar topic – the requirements for authentication of data subjects exercising information rights under the GDPR – in an earlier post in July 2019.