Internet service provider (ISP) and hosting company 1&1 has been fined nearly €10 million ($11m) by Germany’s GDPR watchdog for data protection failures in its call centers.
The United Internet subsidiary, which operates across Europe and the Americas, will appeal the €9.55 million ($10.6m) penalty imposed by the German Federal Commissioner for Data Protection and Freedom of Information (BfDI).
“Under GDPR organizations are obliged to put in place adequate technical and organizational measures (TOMs) to prevent unauthorized access to personal data. In this case the BfDI felt that 1&1 had not put adequate TOMs in place after callers were able to obtain information on customers simply by giving the name and date of birth of a customer,” explained compliance specialists Cordery.
“The German data protection authority said that the imposition of a fine was necessary because, whilst the infringement was limited to a small number of customers, it represented a risk for 1&1’s entire customer base. The BfDI took into account 1&1’s cooperation throughout to reduce the penalty.”
For its part, the ISP argues in its appeal that the issue occurred in 2018 and its processes have since improved, that only contractual information was exposed, and that the method used to calculate the fine was inaccurate.
However, it has apparently agreed to introduce a new authentication process to make it harder for callers to access the personal data of others. A customer’s name and date of birth are not secrets: both are widely available, so a check based on them alone does not establish who is actually calling.
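The weak check the regulator describes, placed beside one hardened flow, as an added example that is not part of the article and is not 1&1’s own process. The sample account, the customer-chosen service PIN, the registered phone number and the out-of-band code delivery are all assumptions for illustration; the hardened flow pairs something only the customer should know (a PIN) with something delivered to a contact the customer registered earlier, and locks the account after repeated failures.

```python
"""Caller verification: the weak name+DOB check vs. a PIN plus out-of-band code.

Illustrative code written for this page; not 1&1's system. The account, PIN,
phone number and code delivery mechanism are constructed for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    customer_id: str
    name: str
    date_of_birth: str      # ISO 8601 date
    phone: str              # registered contact used for out-of-band codes
    pin_salt: bytes
    pin_hash: bytes         # PBKDF2 of a customer-chosen service PIN
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen account table does not reveal PINs.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def make_account(customer_id: str, name: str, dob: str, phone: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(customer_id, name, dob, phone, salt, hash_pin(pin, salt))


# Constructed sample customer (fictional person and number).
SAMPLE = make_account("C-1001", "Max Mustermann", "1980-05-17", "+49 170 0000000", "4721")


def weak_verify(account: Account, name: str, dob: str) -> bool:
    """The kind of check described in the article. Name and date of birth are
    public or easily obtained, so passing this proves nothing about the caller."""
    return account.name.casefold() == name.casefold() and account.date_of_birth == dob


class CallerVerifier:
    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 15 * 60
    CODE_TTL_SECONDS = 5 * 60

    def __init__(self, accounts, send_code, clock=time.monotonic):
        self.accounts = {a.customer_id: a for a in accounts}
        self.send_code = send_code   # callable(phone, code); SMS or app push in practice
        self.clock = clock
        self.pending = {}            # session token -> (customer_id, code, expires_at)

    def start(self, customer_id: str, pin: str):
        """Step 1: the agent enters the customer id and the PIN the caller states.
        Returns a session token on success, None on any failure (no detail leaked)."""
        account = self.accounts.get(customer_id)
        if account is None:
            return None
        now = self.clock()
        if now < account.locked_until:
            return None
        if not hmac.compare_digest(hash_pin(pin, account.pin_salt), account.pin_hash):
            account.failed_attempts += 1
            if account.failed_attempts >= self.MAX_FAILURES:
                account.locked_until = now + self.LOCKOUT_SECONDS
                account.failed_attempts = 0
            return None
        account.failed_attempts = 0
        code = f"{secrets.randbelow(10**6):06d}"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (customer_id, code, now + self.CODE_TTL_SECONDS)
        self.send_code(account.phone, code)   # delivered to the registered contact, not the caller
        return token

    def confirm(self, token: str, code: str) -> bool:
        """Step 2: the caller reads back the code. Each token is single use and expires."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        _, expected, expires_at = entry
        if self.clock() > expires_at:
            return False
        return hmac.compare_digest(expected, code)
```

The point of the two-step flow is that an attacker who has looked up a victim’s name and birthday gets nothing: the PIN is a secret the customer chose, the lockout caps guessing, and the code goes to a phone the customer registered earlier rather than to whoever is on the line.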
The fine came on the same day that the BfDI announced another financial penalty, this time of €10,000 ($11,100) against ISP Rapidata GmbH, for failing to appoint a data protection officer (DPO).
The latest regulatory moves illustrate that firms can no longer expect to get away with GDPR infractions, as was the case in the first few months of the new data protection regime.
The UK’s Information Commissioner’s Office (ICO), for example, announced its intention earlier this year to impose far larger fines on BA (£183m) and Marriott International (£99m) in response to serious breaches at both companies.