Data Privacy: Germany's 1&1 Telecom Fined $10.6 Million for a GDPR Violation
One of the biggest fines for GDPR non-compliance has been issued by Germany’s federal privacy authority.
On 9th December 2019, 1&1 Telecommunications was subject to a $10.6 million penalty from Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI).
The penalty was handed out as a result of the company failing to establish adequate technical and organizational measures to safeguard consumer information in its call center environments.
1&1 Telecommunications and Article 32 of the GDPR
Located in the city of Montabaur, 1&1 Telecommunications is one of the largest DSL and mobile service providers in Germany.
Additionally, the company is a subsidiary of 1&1 Drillisch AG, which is one of Germany’s biggest network-independent telecommunications providers with a customer base of 14 million people.
According to the BfDI, the fine was enforced after it was discovered that callers to the firm’s call center could retrieve consumer data by simply providing their name and date of birth.
The oversight body deemed these requirements insufficient for authentication and protection of consumer information as required by Article 32 of the GDPR. Essentially, this article states, “taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller, and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
Key Data Safety and Integrity Takeaways for Businesses
This case reveals that data privacy oversight agencies attach significant importance to the safety and integrity of consumer data.
First, companies need to verify that they are dealing with the appropriate people and that they are not disclosing consumer information needlessly. If a potential security weakness is detected, businesses need to act swiftly and efficiently.
Another crucial takeaway from this case is connected to 1&1 Telecommunications’ cooperation with the authorities. According to the BfDI, the company was transparent and cooperative after it was accused of having insufficient measures to protect consumer data.
The regulator stated that if 1&1 Telecommunications had been non-transparent and uncooperative, the fine would have been significantly higher.
Businesses therefore need to cooperate with authorities and act expeditiously to rectify the problem in question in order to minimize the severity of any resulting GDPR fine.