1&1 fined EUR 9.55 mln for GDPR infringement

Update: 10 December 2019 | 09:31 CET

The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 a total of EUR 9.55 million for infringing the General Data Protection Regulation (GDPR). The company failed to protect sufficiently its customer service line, allowing third parties to access customer personal data by providing only a name and date of birth. 

1&1 was very cooperative in the investigation after the initial warning, the regulator said. In a first step, the authentication process was secured through the request of additional information. In a further step, 1&1 is introducing a new authentication procedure that has been improved in terms of technology and data protection, in consultation with the BfDI. Despite these measures, it was necessary to fine the company, the BfDI said, as the infringement represented a risk for the entire customer base. The GDPR requires organisations to take systemic measures to protect the processing of personal data.

1&1 said in a statement that it will appeal the regulator's decision. According to the company, the fine does not relate to the general protection of data stored by 1&1, but to how customers can access their information included in a contract. 

Specifically, the case dates back to 2018 and an inquiry made by a caller about the mobile number of a former partner. 1&1 said that the employee followed the security rules in place at the time. At that time, the two-factor authentication was a common standard to follow in the absence of higher security requirements. Since then, 1&1 said it has continuously developed its security standards.