There are two descriptions of the background to the imposition of a fine of almost ten million euros against the company 1&1. The supervisory authority accuses the company of allowing unauthorized persons on the telephone hotline to obtain extensive information on further personal customer data comparatively easily. Providing the name and date of birth of the person concerned was sufficient. In this weak authentication procedure, the Federal Data Protection authority saw a violation of the requirement that companies take appropriate technical and organizational measures to systematically protect the processing of personal data.
After the authority had warned of the identified shortcomings, 1&1 said that it had shown understanding and been extremely cooperative. As a first step, the group initially strengthened the authentication process by asking for additional information. The company then introduced a new authentication procedure that has been significantly improved in terms of technology and data protection.
Federal Data Protection Authority Sees Structural Violation
The authority states, in very general terms, that 1&1 did not have sufficient technical and organizational measures in place to prevent unauthorized persons from obtaining customer data from customer service over the phone. The authority had learned that callers to the company's customer service could receive extensive information about other personal customer data simply by stating a customer's name and date of birth.
1&1 Now Wants To Sue Against The Fine
On the one hand, the provider believes that the alleged GDPR violation does not concern the general protection of the data stored at the company, but rather how customers can access their contract information. On the other hand, it argues that the amount of the fine is unlawful in several respects. First of all, the GDPR does not provide for coupling the amount of a fine to company turnover. In addition, the principles of proportionality and equal treatment were violated.