Internet service provider (ISP) and hosting company 1&1 has been fined nearly €10 million ($11m) by Germany’s GDPR watchdog for data protection failures in its call centers.
The United Internet subsidiary, which operates across Europe and the Americas, will be appealing the €9.55 million ($10.6m) penalty from the German Federal Data Protection Authority (BfDI).
“Under GDPR, organizations are obliged to put in place adequate technical and organizational measures (TOMs) to prevent unauthorized access to personal data. In this case the BfDI felt that 1&1 had not put adequate TOMs in place after callers were able to obtain information on customers simply by giving the name and date of birth of a customer,” explained compliance specialists Cordery.
“The German data protection authority said that the imposition of a fine was necessary because, whilst the infringement was limited to a small number of customers, it represented a risk for 1&1’s entire customer base. The BfDI took into account 1&1’s cooperation throughout to reduce the penalty.”
For its part, the ISP is arguing in its appeal that: the issue occurred in 2018 and its processes have since improved; only contractual info was exposed; and the method used to calculate the fine was inaccurate.