The federal commissioner for data protection and freedom of information (BfDI) issued the penalty against 1&1 Telecom after it said the company was responsible for a breach of the General Data Protection Regulation (GDPR).
According to the regulator, 1&1 Telecom had insufficient security measures in place to prevent unauthorised access to its customers' data. It said it was possible for callers to phone 1&1 Telecom's customer services and access extensive information about customers just by providing a customer's name and date of birth.
1&1 Telecom has now taken steps to bolster the authentication process by requiring callers to provide more information before they can access customer data, and it is also in the process of introducing a new and improved authentication procedure, which it is consulting with the BfDI on, the regulator said.
While 1&1 Telecom was credited by the BfDI for cooperating with its investigation, which was in part spurred by customer complaints, the regulator said it was still necessary to impose a fine against the company. This is because, among other things, the security failings "represented a risk for the entire customer base", it said.
1&1 Drillisch, the company behind the 1&1 Telecom brand, has said it will appeal against the fine imposed by the BfDI, according to Reuters.
Data protection law expert Ruth Maria Bousonville of Pinsent Masons, the law firm behind Out-Law, said: "The concept of what constitutes an 'effective, proportionate and dissuasive' fine, as characterised in the GDPR, is likely to be bottomed out over time through the courts. This concept is as much subject to interpretation as the security measures the GDPR mandates organisations to apply. Data controllers are right to challenge the watchdogs, particularly as there is a need to ensure that the right balance is struck between appropriate security and authentication processes and slick customer service."
One of the overarching principles of the GDPR requires organisations to ensure that personal data is "processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".
The 'security of processing' rules under Article 32 of the Regulation expand further on the wording of the security principle and provide a non-exhaustive list of the types of measures that organisations can put in place to meet their data security obligations.
The Article 32 rules also explain that organisations should give consideration to the "state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons" before landing on 'appropriate' security solutions.