
BfDI Fines 1&1 Telecom EUR 9.55M and Rapidata EUR 10k under GDPR

Source: BfDI Press Releases (Germany DPA), www.bfdi.bund.de
Filed December 9th, 2019
Detected February 11th, 2026

Summary

Germany's Federal Commissioner for Data Protection and Freedom of Information (BfDI) has fined 1&1 Telecom GmbH EUR 9.55 million for insufficient technical and organizational measures to protect customer data and Rapidata GmbH EUR 10,000 for failing to appoint a data protection officer. These actions underscore the enforcement of GDPR provisions.

What changed

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed significant fines under the GDPR on two German companies. 1&1 Telecom GmbH received a EUR 9.55 million penalty for failing to implement adequate technical and organizational measures to prevent unauthorized access to customer information obtained through its telephone customer service. Rapidata GmbH was fined EUR 10,000 for repeatedly failing to appoint an internal data protection officer as required by Article 37 of the GDPR.

These enforcement actions highlight the BfDI's commitment to enforcing fundamental data protection rights. For 1&1 Telecom, the penalty was mitigated due to its cooperation and subsequent improvements to its authentication procedures. However, the scope of the infringement, affecting the entire customer base, necessitated the fine. Regulated entities, particularly in the telecommunications sector, should review their data security and authentication protocols to ensure compliance with GDPR Article 32 and their obligations regarding data protection officers under Article 37.

What to do next

  1. Review technical and organizational measures for customer data protection.
  2. Verify compliance with data protection officer appointment requirements.
  3. Assess authentication procedures for potential vulnerabilities.

Penalties

1&1 Telecom GmbH fined EUR 9,550,000; Rapidata GmbH fined EUR 10,000.

Source document (simplified)

Bonn/Berlin, 09 December 2019

Press release 30/2019

BfDI imposes Fines on Telecommunications Service Providers

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of EUR 9,550,000 on the telecommunications service provider 1&1 Telecom GmbH. In connection with their telephone customer service, the company had not taken sufficient technical and organisational measures to prevent unauthorised persons from being able to obtain customer information. In another case, the BfDI imposed a fine of EUR 10,000 on Rapidata GmbH.

Concerning this matter, the Federal Commissioner Ulrich Kelber said: “Data protection is the protection of fundamental rights. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. The European General Data Protection Regulation (GDPR) gives us the opportunity to decisively punish the insufficient safeguarding of personal data. We apply these powers while taking into account the required proportionality.”

In the case of 1&1 Telecom GmbH, the BfDI had become aware that persons calling the company’s customer service could obtain extensive information about further personal customer data merely by providing a customer’s name and date of birth. The BfDI considers this authentication procedure to be in breach of Article 32 of the GDPR which obliges the company to take appropriate technical and organisational measures to systematically protect the processing of personal data.

After the BfDI had criticised the insufficient data protection, 1&1 Telecom GmbH proved to be understanding and highly cooperative. As a first step, the authentication procedure was strengthened by requesting additional information. As a further step, following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.

Notwithstanding those measures, it was necessary to impose a fine. Among other things, the infringement was not limited to a small proportion of customers, but posed a risk for the entire customer base. When fixing the amount of the fine, the BfDI remained in the lower range of possible fines because of the cooperative conduct of 1&1 Telecom GmbH throughout the whole procedure.

On the basis of his own findings, indications and customer complaints, the BfDI is also currently investigating the authentication procedures of other telecommunications service providers.

Further proceedings against the telecommunications provider Rapidata GmbH were required, because despite repeated requests, this company failed to comply with its legal requirement under Article 37 of the GDPR to appoint an internal data protection officer. When imposing the 10,000 Euro fine, the fact was taken into account that this is a company belonging to the category of micro-enterprises.

Classification

Agency
Various DPAs (CNIL, BfDI, AEPD, etc.)
Filed
December 9th, 2019
Instrument
Enforcement
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Telecommunications firms
Geographic scope
Germany

Taxonomy

Primary area
Data Privacy
Operational domain
Compliance
Topics
Telecommunications GDPR
