1&1 Telecom GmbH fined for insufficient security measures

Summary

The federal DPA of Germany (BfDI) discovered that 1&1 Telecom's authentication practice allowed any caller who claimed to be a family member of a customer, and who could provide the customer's date of birth, to gain access to a range of personal data. Additionally, callers were able to change the customer's personal data, such as bank details.

As a result of this practice, an individual gained access to their previous partner's new telephone number. The person whose number was compromised had deliberately changed their phone number to avoid contact from their ex-partner. After notifying the police, the DPA was informed of the breach.

The authentication practice was not assessed for compliance with GDPR.

The decision of The Hamburg Commissioner for Data Protection and Freedom of Information

The DPA initially ruled that the authentication procedure violated the obligation to take appropriate technical and organizational measures to systematically protect the processing of personal data (GDPR, Article 32).

The District Court of LG Bonn reduced the fine from 9,550,000 EUR to 900,000 EUR for the following reasons:

• The District Court of LG Bonn upheld the DPA's decision that the calculation model, which considers turnover as an essential factor in determining the appropriate level of penalties, is appropriate for medium data protection violations under the GDPR.

• However, when it comes to a minor GDPR violation by companies with large turnovers (at group level or otherwise), the model would lead to disproportionately high fines, whilst conversely resulting in disproportionately low fines for severe GDPR violations by companies with low turnovers. The District Court states that the strong focus on annual turnover is problematic, especially in cases where the data breach was minor.

Journal number: 29 OWi 1/20
Published: 11-11-2020
Tags: 05 Data Security

Our remarks

To prevent data breaches, it is important to implement appropriate organizational and technical measures. In the case at hand, a personal 'Service Pin' was introduced to provide an extra layer of security, which was sufficient for customer authentication.

• The data controller should assess the appropriateness of a security measure by considering the state of the art and the costs of implementation, balanced against the risk and severity of potential impacts on the rights and freedoms of the individuals whose data is being processed (GDPR, Article 32).

• When assessing the risks to the data subjects' rights and freedoms, consider the possible negative consequences of a data breach, including unlawful access, alteration, or deletion of personal data. Special categories of personal data, such as ethnicity or political beliefs, generally imply a higher risk than ordinary personal data, such as a customer number or e-mail address. However, some cases might entail high risks even to ordinary personal data, depending on the type and severity of the breach in conjunction with the type and context of the data processed.

• Taking effective actions to mitigate the damage of a breach may result in a lower fine.

• Notify the appropriate DPA about the nature of the breach and, if possible, the categories and amount of personal data and the number of data subjects concerned. This notification should be done without undue delay. If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects should be notified about the breach without undue delay. Effective cooperation with supervisory authorities may also have a positive impact on the size of the fine.