GDPR Bites: Germany Fines 1&1 Telecommunications €9.55m
Germany’s data commissioner has issued one of the largest fines for GDPR violation yet to 1&1 Telecommunications for data privacy failings in its call centers.
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has ruled that 1&1 failed to enforce Article 32 of GDPR, which relates to having the appropriate technical and organizational measures to protect data privacy whilst processing personal data.
As per ZDNet, the BfDI found that callers to the telecommunications company were able to obtain personal information by providing a name and date of birth, an insufficient and easily bypassed safeguard for personal data.
The BfDI’s federal commissioner, Ulrich Kelber, says the action is a “clear sign” that GDPR will be effectively enforced in Germany, adding:
“The European General Data Protection Regulation gives us the opportunity to strongly sanction the inadequate security of personal data, we apply these powers in light of due consideration.”
The data commission also praised 1&1 for being transparent and cooperating during the investigation. The company has now added an extra authentication step for calls received at its centers. The BfDI says, however, that despite the changes “the imposition of a fine was necessary.”
1&1 Telecommunications is Germany’s largest DSL and mobile services company and part of 1&1 Drillisch, which has 14 million customers.
On the same day as 1&1’s fine was issued, internet service provider Rapidata also received a €10,000 fine for failing to allocate a data-protection officer, a basic tenet of GDPR.
The largest GDPR fines to date
We are 18 months into GDPR legislation and the issued fines now total in the hundreds of millions. The biggest three fines to date, British Airways, Marriott Hotels, and Google, total €365 million. The top ten fines, as per Precise Security in November, totalled €402.6 million to that point.
British Airways – Fined €204.6 million for a data breach
Magecart Group were able to use card skimming tactics to collect personal and payment information of half a million British Airways customers.
Marriott International – Fined €110.3 million
A cyber incident exposed the data of 339 million of Marriott’s guest records affecting 30 million European country residents and 7 million UK residents.
Google – €50 million
Issued by French regulator CNIL for failing to provide enough information in its data consent policies and for not giving users enough control over the use of their information.
Austrian Post – €18 million
Alleged to have used customer data including ages and addresses to calculate the probability of which political party they might support and then selling the findings.
Deutsche Wohnen – €14.5 million
The Berlin Commissioner for Data Protection and Freedom of Information fined real estate company Deutsche Wohnen for not having a proper data retention schedule in place.
(And now 1&1 Telecommunications – €9.55 million)
Bulgarian National Revenue Agency – €2.6 million
Reports in August indicated the tax agency would appeal the fine after a cyber attack resulted in the country’s largest ever data breach. The owner of a cybersecurity company and two employees have been charged for the attack.
UWV – €900,000
The Dutch employee insurance service provider was fined for inadequately securing its employer portal. As the portal contained health data, it should use multi-factor authentication.
Morele.net – €645,000
The Polish retailer with nine websites was fined for failing to protect data collected from 2.2 million customers.
DSK Bank – €511,384
Part of Hungary’s OTP Group, the Bulgarian bank was fined for a data breach affecting 33,000 clients. Names, addresses, copies of ID cards, bank account details and property deed data were improperly disclosed and accessed by third parties.
Haga Hospital – €460,000
The hospital was fined for failing to secure medical log files and not having the appropriate controls to safeguard patient data.
In startling statistics shared by Precise Security, European data protection authorities have received more than 90,000 data breach notifications since May 2018. European companies must report any data incidents to their national data protection authority within 72 hours of the breach. Based on the nature and seriousness of the breach, data protection authorities can then investigate and impose fines which can total up to 4% of a company’s annual turnover.
In early November, Germany’s data protection authority, the German Datenschutzkonferenz (DSK), issued a new model for calculating fines for GDPR violations, under which higher fines would be issued compared to its previous model of calculation.