Germany's Federal Commissioner for Data Protection has fined a German telecommunications firm 9.5 million euros for openly offering its customers' information, a practice that violates the European data protection regulations in force since 2018.
Another multimillion-euro fine has been imposed on a company for failing to comply with the European data protection regulations in force since 2018. The Federal Data Protection Commissioner of Germany has imposed a fine of 9.5 million euros on the telecommunications company 1 & 1 Telecom GmbH. According to the agency, the company's customer service line gave callers personal information about the customer after they had been identified using only a name and date of birth.
This practice allegedly violates Article 32 of the General Data Protection Regulation (GDPR). "The standard tells us that the implementation of appropriate security measures is necessary to ensure the security of personal data and, in particular, the confidentiality of the same. The German authority considered that, having to provide only the name and date of birth (information that, on many occasions, is published in our profiles on social networks), it was quite easy for anyone to impersonate another and thus access personal information about them," explains Ester Vidal, senior associate in the data protection practice at Bird & Bird.
The amount of the penalty was calculated using the GDPR fines model, taking into account the criteria followed by the German data authorities. Under this approach, a "daily rate" is established that varies according to the company's annual worldwide turnover.
"The main consequence of using the global annual turnover of a large company as a basis for calculating fines is that their amount tends to be quite high in the case of large corporations, as is the case with 1 & 1, even when we are facing breaches that are not especially serious for the people affected," says the lawyer.
Greater control for 'telcos'
The Federal Commissioner for Data Protection supervises all companies in the telecommunications and postal sectors in Germany, including messaging applications. Following this case, the agency has said that it is also investigating whether other telecommunications companies committed similar infractions, so any company that still identifies customers just by asking for a name and date of birth should change that procedure quickly.
"In Spain it is common for companies such as 1 & 1 to verify the identity of callers with this type of question before allowing them to operate by telephone, so it does not hurt to take into account the opinion of the German body in this regard," Vidal explains.
As the lawyer explains, the decision has been questioned, since this is a common practice among telecommunications companies in the market. "The fact that it is usual does not mean that it is correct, far from it. However, given that the GDPR is very open in terms of security measures, perhaps before imposing a sanction, it would have been a better option to issue a warning and impose a penalty on companies that did not take it into account," Vidal says.
1 & 1 has announced that it plans to appeal the decision, on the grounds that identification by name and date of birth is common in the market, and will argue that the amount of the fine is disproportionate.