DSGVO violation: 1&1 to pay million euro fine

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined telecommunications service provider 1&1 Telecom GmbH EUR 9,550,000.

1&1 Telecom GmbH offers customer support by telephone for its customers. In this process, the customer is first identified in order to then process the request using the available customer information. However, this procedure reveals security risks, as insufficient precautions are taken to uniquely identify the customer.

In the present case, the former life partner had stated that he was acting on behalf of the customer and provided the authentication data known to him. For example, it was sufficient to provide the name and date of birth in order to obtain far-reaching information on further personal data of the customer.

The previous authentication procedure thus made it comparatively easy for unauthorized persons to obtain information about customer data. 1&1 Telecom GmbH therefore violated Article 32 of the GDPR. According to this, companies must take appropriate technical and organizational measures to systematically protect the processing of personal data.

In the meantime, after intensive cooperation with the authority, a new authentication procedure has been introduced that has been significantly improved in terms of technology and data protection. Consequently, it should be noted that the amount of the fine could have been even higher according to the new calculation of a fine.

For queries regarding the implementation of appropriate technical and organizational measures in accordance with Art. 32 DSGVO, please contact Dr. Stefan Drewes at 0228-90248070 or by email at