The German data protection authority has imposed one of the largest ever GDPR fines on a telecommunications company – 1 & 1 Telecommunications – for gross compliance failures that placed the privacy of its customers at risk.

The fine was announced by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) on Monday December 9, 2019. 1 & 1 Telecommunications has said it will be appealing the fine.

The $10.6 million (€9.55 million) fine was considerably lower than the maximum possible penalty for noncompliance with GDPR provisions, which is €20 million or 4% of global annual turnover, whichever is greater. When deciding on an appropriate penalty, BfDI took the relatively small size of the company into account and the level of cooperation with the investigation.

While prompt action was taken by the company to correct the GDPR violation when BfDI criticized its authentication procedures, a financial penalty was still determined to be appropriate as GDPR failure placed the confidentiality of personal data of its entire customer base at risk.

The fine was imposed for the failure of the company to implement technical and organizational measures to protect the data of its customers in its call centers. When customers called one of its call centers, they were able to retrieve detailed personal customer information from the company by simply providing a customer name and date of birth. Those authentication measures were considered to be inadequate by BfDI.

GDPR Article 32 requires companies to implement appropriate technical and organizational measures to protect the processing of personal data. The failure to implement those measures warranted a substantial fine.

When BfDI explained the measures were inadequate, prompt action was taken, and an additional step was implemented in the authentication process. The company was transparent and cooperative, but it was not enough to avoid a financial penalty.

“Data protection is fundamental rights protection,” said Federal Commissioner Ulrich Kelber. “The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data.”