One of Germany’s biggest Internet Service Providers (ISPs) has been given a €9.55 million fine for not taking sufficient measures to protect consumer data received through its call centres. 1&1 is part of the larger group 1&1 IONOS, which cumulatively has over 8 million customers. As of December 2019, 1&1 IONOS is the web host with the second largest market share after GoDaddy.
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) issued the fine to the telecommunications company 1&1 on Sunday. Under GDPR, companies are required to establish suitable precautions to stop unlawful access to personal data. In this instance, the BfDI concluded that 1&1 had not put adequate measures in place and had therefore violated Article 32 of GDPR.
In a statement following the fine, the BfDI said that it reached this conclusion after becoming aware “that callers could obtain extensive information on further personal customer data” simply by giving the name and date of birth of any customer. In other words, the company had not introduced any additional security measures to ensure the protection of its customers’ data beyond those two easily obtainable details.
Nonetheless, 1&1 is appealing the fine, claiming that the breach transpired in 2018 and that its measures have improved since then. Since the fine, 1&1 has brought in an extra security step requiring further information from callers trying to obtain customer data, and is planning to implement personal PINs for each customer to use when accessing their accounts.
Jamal Ahmed, Fellow of Information Privacy and Director of Kazient Privacy Experts, says: “This fine could have easily been avoided if the company had paid more respect to the privacy of their customers. I would encourage all organisations to review their processes to ensure they have appropriate organisational measures in place to safeguard the personal data of their stakeholders.”
Other companies have also fallen foul of GDPR legislation in recent months and have been subjected to large fines. At the same time as issuing the 1&1 fine, the BfDI announced a fine of €10,000 against another ISP, Rapidata GmbH, for failing to nominate a Data Protection Officer, a requirement under GDPR. Fines of £183 million and £99 million have also been issued this year by the ICO to British Airways and Marriott International respectively for compromising the security of consumer data. These fines demonstrate that EU companies must take data protection seriously, or risk huge fines and a loss of customers that could prove seriously detrimental to business. GDPR shows no signs of being rescinded; quite the opposite, with companies like Microsoft suggesting that a US version of GDPR could help to bring privacy laws up to date by shifting the responsibility for data protection from the customer to the technology companies.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to act as your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.