The Bonn Regional Court convicted the Internet company 1 & 1 for a data protection breach, but significantly reduced the originally imposed fine of 9.6 million euros. 1 & 1 should now 900. 000 pay euros, as the court decided on Wednesday. The fault of the company from Montabaur in Rhineland-Palatinate in the release of customer data is low, the court announced.

The data protection violation occurred to call a woman on the 1 & 1 hotline in the year 2018. The stalker got her ex-husband’s new cell phone number just by giving his name and date of birth – that shouldn’t have happened. The Federal Data Protection Commissioner Ulrich Kelber (SPD) saw this lax authentication process as a grossly negligent violation of articles 32 and imposed a fine of millions. The company went to court against this.

Only one individual case The General Data Protection Regulation requires companies to take appropriate technical and organizational measures to systematically protect the processing of personal data. 1 & 1 admitted the data protection violation, but presented it as an isolated case – and not as a systematic problem. In addition, the fine imposed by Kelber was disproportionately high.

In the matter there was a data protection violation, the court decided. However, it is only a matter of a minor offense, which could not have led to “the mass disclosure of data to unauthorized persons”. Since the authentication practice practiced at 1 & 1 for years was not objected to before the fine was issued, the necessary awareness of the problem was lacking. The court announced on Wednesday that the court followed the BfDI’s view on essential points. The judgment shows that data protection violations are not without consequences. “I am convinced that this decision will be noticed in the boardrooms of companies,” said Kelber. “I am still waiting for the written justification of the judgment, but it is already clear: No company can afford to neglect data protection any longer.”

(axk)