Internet provider faces big GDPR fine for lax call centre checks

A German internet service provider faces a €9.6m ($10.6m; £8m) fine after being accused of failing to carry out tough enough customer ID checks.

Germany's data protection watchdog said anyone who called 1-1 Telecom could get extensive personal information about someone else solely by giving their name and date of birth.

Fraudsters can easily collect such details from social networks and elsewhere on the net.

But the firm is challenging the ruling. It said it did not accept the decision and intended to sue the authority.

The sum represents one of the largest penalties imposed under the EU's GDPR (General Data Protection Regulation).

1-1 Telecom said the fine was "absolutely disproportionate" because the regulator had based its calculations on the wider company's sales. On that basis "even the smallest discrepancy can result in huge fines", its data security officer Julia Zirfas complained.

The company also noted that it was in the process of rolling out new security protocols that will involve customers having to provide a Pin code when they call in.

GDPR came into force in May 2018, giving data protection authorities the power to impose bigger penalties than before. In the most serious cases, organisations can be fined up to €20m or 4% of their worldwide annual revenue - whichever is larger.

But regulators are supposed to take into account whether the offending body co-operated with their inquiry, any past offences and whether the infringement was deliberate or a mistake, among other factors, when deciding the amount.

In this case, the BfDI (Federal Commissioner for Data Protection and Freedom of Information) acknowledged that 1-1 Telecom had been "transparent and very co-operative" and had also taken steps to improve its practices. But the watchdog said the sum was still justified on the basis that its entire customer base had been put at risk.

In October, the same regulator punished a German property company with a bigger €14.5m fine for holding on to people's personal data for longer than was necessary.

And other European counterparts have told Google, British Airways and Marriott Hotels to pay even larger sums for other GDPR-related offences.

But one data privacy expert said the latest ruling was still significant.

"It's only the second time there's been a multi-million euro penalty for a straightforward security issue, following a Bulgarian case," Tim Turner, director of 2040 Training, told TheIndianSubcontinent.

"Call centres have to balance easy access for customers with sensible verification measures, and this will be a wake-up call for all organisations trying to work out how much security to face callers with."