The BfDI had become aware that callers to the company's customer service could obtain extensive further personal data about a customer merely by stating that customer's name and date of birth. The BfDI regards this authentication procedure as a violation of Article 32 GDPR, which obliges the company to take appropriate technical and organisational measures to protect the processing of personal data systematically.
After the BfDI had raised these concerns, 1&1 Telecom GmbH was transparent and very cooperative. As a first step, the authentication process was secured by requesting additional information. As a further step, 1&1 Telecom GmbH is currently introducing, in consultation with the BfDI, a new authentication procedure that is substantially improved in both technical and data-protection terms.
Despite these measures, the imposition of a fine was necessary. Among other things, although only a small proportion of customers were directly affected by the infringement, the weakness exposed the entire customer base to risk. In setting the amount of the fine, the BfDI stayed in the lower range of the possible penalty because of 1&1 Telecom GmbH's cooperative conduct throughout the proceedings.