Data protection breach at 1 & 1: Court significantly reduces fine in the millions


The Bonn Regional Court convicted the Internet company 1 & 1 of a data protection violation, but significantly reduced the originally imposed fine of 9.6 million euros. 1 & 1 is now to pay 900,000 euros, the court decided on Wednesday. The company, based in Montabaur in Rhineland-Palatinate, bears only a low degree of fault for releasing customer data, the court said.

The data protection breach involved a woman calling the 1 & 1 hotline in 2018. The caller, a stalker, obtained her ex-husband's new cell phone number just by giving his name and date of birth, which should not have happened. The Federal Data Protection Commissioner Ulrich Kelber (SPD) saw this lax authentication process as a grossly negligent violation of Article 32 and imposed a fine in the millions. The company went to court to challenge it.

The General Data Protection Regulation requires companies to take appropriate technical and organizational measures to systematically protect the processing of personal data. 1 & 1 admitted the data protection violation, but presented it as an isolated case and not as a systematic problem. In addition, the company argued, the fine imposed by Kelber was disproportionately high.

The court ruled that a data protection violation had occurred. However, it found this to be only a minor offense, which could not have led to “the mass disclosure of data to unauthorized persons”. Since the authentication practice used at 1 & 1 for years had not been objected to until the fine was issued, the necessary awareness of the problem was lacking there.

Despite the reduced penalty, Federal Data Protection Officer Kelber saw himself vindicated by the judgment. The court followed the opinion of the BfDI in essential points, the authority announced on Wednesday. The judgment shows that data protection violations are not without consequences. “I am convinced that this decision will be noticed in the boardrooms of companies,” said Kelber. “I am still waiting for the written justification of the judgment, but it is already clear: No company can afford to neglect data protection any longer.”

