€900,000 Fine for Minor Data Protection Violation

The 9th Chamber for Fines and Penalties of the Bonn Regional Court ruled today that the fine imposed by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) against a telecommunications service provider due to a violation of the General Data Protection Regulation (GDPR) was justified in principle, but disproportionately high. The Chamber therefore reduced the fine from the original 9.55 million Euros to 900,000 Euros.

Failure to properly verify identity constitutes a data protection violation

The fine proceedings were triggered by a criminal complaint for stalking filed by a customer of the telecommunications service provider. His former partner had obtained his new phone number through the provider's call center by impersonating his wife. For authentication, she only needed to provide the customer's name and date of birth. She then used the new phone number to make harassing contact.

Fine of 9.55 million Euros

Therefore, in November 2019, the BfDI imposed a fine of 9.55 million Euros on the telecommunications service provider for a grossly negligent violation of Art. 32 para. 1 GDPR. The BfDI justified this by stating that merely requesting a name and date of birth to authenticate callers does not provide adequate data protection in the call center.

The telecommunications service provider appealed this decision, leading to the case being heard over five main hearing days before the 9th Chamber for Fines and Penalties.

The Chamber ruled that imposing a fine on a company does not depend on identifying a specific violation by a managing person within the company. According to the Chamber, applicable European law does not impose such a requirement, unlike German administrative offenses law.

How do I protect customer identity?

A data protection violation occurred in this case because the telecommunications service provider failed to protect its customers' data with a sufficiently secure authentication procedure during communication via its call centers. This allowed unauthorized callers, through clever questioning and by falsely claiming authorization, to obtain additional customer data, such as the current phone number, using only the full name and date of birth. However, sensitive data such as itemized billing records, traffic data, or bank account details could not have been accessed this way.

Is a mandatory authentication process required in call centers?

The affected party was under a legal misconception regarding the adequacy of the security level. While this legal error was understandable due to the lack of mandatory guidelines for authentication processes in call centers, it was nevertheless avoidable.

Minor Data Protection Violation = €900,000 Fine

The Chamber reduced the amount of the fine to 900,000 Euros in its decision. The telecommunications service provider's culpability was deemed minor. Given the authentication practice that had been in place for years and had not been challenged until the fine notice, there was a lack of necessary awareness of the problem. Furthermore, it had to be considered that – even in the BfDI's view – this constituted only a minor data protection violation. This could not have led to the mass disclosure of data to unauthorized persons.

Source: Press release of the LG Bonn dated 11.11.2020