900.000,00 € fine for minor data protection breach

The 9th Chamber for Fine Matters of the Regional Court of Bonn today ruled that the fine imposed by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) on a telecommunications service provider for a violation of the General Data Protection Regulation (GDPR) was justified on the merits, but unreasonably high. The chamber therefore reduced the fine from the original 9.55 million euros to 900,000 euros.

Failure to properly verify identity is a data protection breach

The fine proceedings were triggered by a criminal complaint of stalking filed by a customer of the telecommunications service provider. The customer's former partner had obtained his new telephone number from the provider's call centre by pretending to be his wife. To prove her identity, she only had to give the customer's name and date of birth. She then used the new telephone number to contact him in a harassing manner.

Fine in the amount of 9.55 million euros

In November 2019, the BfDI therefore imposed a fine of €9.55 million on the telecommunications service provider for a grossly negligent breach of Article 32 (1) of the GDPR. In its reasoning, the BfDI stated that merely asking callers for a name and date of birth to authenticate them did not ensure sufficient protection of the data handled in the call centre.

The telecommunications service provider appealed against this decision, which is why the case was heard by the 9th Chamber for Fine Matters over five days of main hearings.

The chamber ruled that imposing a fine on a company does not require that a specific infringement by a manager of the company has been established. According to the chamber, the applicable European law, unlike German administrative offences law, imposes no such requirement.

How do I protect the identity of customers?

In this case, there was a data protection violation because the telecommunications service provider had not protected its customers' data in communications via its call centres by means of a sufficiently secure authentication procedure. As a result, unauthorised callers who knew only a customer's full name and date of birth could, by asking cleverly and pretending to be authorised, obtain further customer data such as the current telephone number.

Is a mandatory authentication process required in call centres?

The party concerned had acted under a mistake of law regarding the adequacy of its level of protection. In the absence of binding requirements for authentication procedures in call centres, this mistake of law was understandable, but avoidable.

Only minor data protection breach = €900,000 fine

In its decision, the chamber reduced the fine to 900,000 euros. The fault of the telecommunications service provider was minor. The authentication practice had been in use for years and had not been objected to until the fine notice was issued, so the necessary awareness of the problem had been lacking. In addition, it had to be taken into account that, even in the opinion of the BfDI, this was only a minor data protection violation: it could not have led to the mass release of data to unauthorised persons.

Source: Press release of the Bonn Regional Court dated 11.11.2020