We've updated our Privacy and Cookies Policy
We've made some important changes to our Privacy and Cookies Policy and we want you to know what this means for you and your data.
Internet provider faces big GDPR fine for lax call centre checks
Top Stories
- Author, Leo Kelion
- Role, Technology desk editor
A German internet service provider faces a 鈧9.6m ($10.6m; 拢8m) fine after being accused of failing to carry out tough enough customer ID checks.
Germany's data protection watchdog could get extensive personal information about someone else solely by giving their name and date of birth.
Fraudsters can easily collect such details from social networks and elsewhere on the net.
But the firm is challenging the ruling.
Top Stories
It said it did not accept the decision and intended to sue the authority.
The sum represents one of the largest penalties imposed under the EU's GDPR (General Data Protection Regulation).
1&1 Telecom said the fine was "absolutely disproportionate" because the regulator had based its calculations on the wider company's sales.
On that basis "even the smallest discrepancy can result in huge fines", .
The company also noted that it was in the process of rolling out new security protocols that will involve customers having to provide a Pin code when they call in.
Top Stories
'Wake-up call'
GDPR came into force in May 2018 giving data protection authorities the power to impose bigger penalties than before.
In the most serious cases, organisations can be fined up to 鈧20m or 4% of their worldwide annual revenue - whichever is larger.
But regulators are supposed to take into account whether the offending body co-operated with their inquiry, any past offences and whether the infringement was deliberate or a mistake, among other factors, when deciding the amount.
In this case, the BfDI (Federal Commissioner for Data Protection and Freedom of Information) acknowledged that 1&1 Telecom had been "transparent and very co-operative" and had also taken steps to improve its practices.
But the watchdog said the sum was still justified on the basis that its entire customer base had been put at risk.
In October, the same regulator punished a German property company with a bigger 鈧14.5m fine for holding on to people's personal data for longer than was necessary.
And other European counterparts have told Google, British Airways and Marriott Hotels to pay even larger sums for other GDPR-related offences.
But one data privacy expert said the latest ruling was still significant.
"It's only the second time there's been a multi-million euro penalty for a straightforward security issue, following a Bulgarian case," Tim Turner, director of 2040 Training told the 大象传媒.
"Call centres have to balance easy access for customers with sensible verification measures, and this will be a wake-up call for all organisations trying to work out how much security to face callers with."
Top Stories
More to explore
Most read
Content is not available