On December 9, 2019, the German Federal Data Protection Supervisory Authority (BfDI) imposed a 9.55 million Euro fine on the telecommunications company 1&1 Telecom GmbH.  The BfDI found that the authentication procedures used by 1&1’s customer helpline were insufficient and failed to satisfy the requirements of Art. 32 GDPR.  The company announced that it will challenge the order, arguing that the size of the fine is disproportionate.

The BfDI’s investigation was initiated following a complaint by a customer whose mobile telephone number was provided to his former partner in 2018.  The caller provided only the name and birth date of the customer to the helpline worker.  According to the company, the helpline employee acted in accordance with the company’s guidelines at the time, which required a two-factor authentication and were in line with standard industry practices.  But the BfDI found that this procedure created risks for “far-reaching information” on customers.

The BfDI stated that it is currently investigating other telecommunications providers, thereby relying on its own findings in this case and pursuing tips from third parties and customer complaints.

We reported on a German supervisory authority’s guidance regarding a similar topic – the requirements for authentication of data subjects exercising information rights under the GDPR – in an earlier post in July 2019.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Ulrike Elteste Ulrike Elteste

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a…

Ulrike Elteste is an experienced technology, media and intellectual property lawyer in the firm’s Frankfurt office. She also advises on related regulatory aspects, in particular, privacy law, financial services supervisory law, and telecommunications law. She is regularly involved in cross-border transactions with a focus on technology or IP. Ulrike also represents clients in commercial and IP litigation.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.