
1&1: Multi-million fine is reduced to 900,000 euros

Last year, 1&1 was fined 9.55 million euros for violations of the GDPR. Now the fine has been reduced to 900,000 euros.

Judgement is legally binding

Back in December 2020, the Bonn Regional Court and the telecommunications provider 1&1 came to an agreement. The regional court had reduced the fine of 9.55 million euros set by the supervisory authorities to 900,000 euros. According to information provided by Federal Data Protection Commissioner Ulrich Kelber, the fine was accepted by all sides. “After consultation between the public prosecutor’s office at the Bonn Regional Court, the head of the legal department of 1&1, the defense and the BfDI, it was agreed that both sides would withdraw their legal complaints.” In this regard, the Bonn Regional Court confirmed that the ruling is legally binding.

Fine “unreasonably high”

In November 2020, the Bonn Regional Court had confirmed the violation of the GDPR in a judgment. However, the court considered the amount of the fine unreasonable. The Federal Data Protection Commissioner (BfDI) Ulrich Kelber had initially set a fine of 9.55 million euros for 1&1. According to the regional court, the company had indeed violated the GDPR, but the fine was not proportionate. The reason given was that the telecommunications provider was only slightly at fault. This is also the view of Rolf Schwartmann, professor of law at the Technical University of Cologne and chairman of the Society for Data Protection and Data Security: “Business must no longer live with the fear of irrational fines from the poison kitchen of the administrative authorities, but must expect that data protection violations will result in sensitive but proportionate sanctions.”

Missing awareness of the problem

At 1&1, the breach of the General Data Protection Regulation lay in a lack of authentication procedures in communications between customers and the call center. As a result, information was given out without sufficient identification of the caller. This had been the practice at 1&1 for years, so there was a lack of awareness of the problem. The data protection authority became aware of the issue when a customer filed a criminal complaint against 1&1. The provider had given a customer’s former partner his new cell phone number, and the customer became a victim of stalking as a result. The former partner obtained this information merely by giving her name and date of birth. Ulrich Kelber rightly found that the company had not defined and implemented sufficient technical and organizational measures to protect the data. This is how the very high fine came about. 1&1 itself claims to have adapted and further developed its security requirements since the incident.

Simon Lüthje

I am co-founder of this blog and am very interested in everything that has to do with technology, but I also like to play games. I was born in Hamburg, but now I live in Bad Segeberg.
