GDPR fines. What can we learn from mistakes? March 2020

18/03/2020

1&1 TELECOM

Imposed fine. German supervisory authority (The Federal Commissioner for Data Protection and Freedom of Information (BfDI)) has imposed a fine of 9,550,000 euros on the telecommunications service provider 1&1 Telecom GmbH.

The company did not provide sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information via the customer hotline service. It turned out that callers to the company’s customer service could obtain extensive information on other personal customer data simply by providing the name and date of birth of a customer.  

According to the BfDI, such authentication procedure was a direct violation of a GDPR Article 32, which obliges the company to take appropriate technical and organizational measures to systematically protect the processing of personal data.

What can we learn?

1. The authentication procedure shall be secure and proper. It is recommended to use at least two-level authentications, to provide each customer with a personal service PIN, etc.
2. Raising awareness and properly training employees is key to ensure compliance.
3. Monitor and audit privacy program performance.
4. Collaborate with supervisory authority in case of data breach or investigation.

Deutsche Wohnen

Imposed fine. Berlin Commissioner for Data Protection and Freedom of Information (Berliner Beauftragte für Datenschutz und Informationsfreiheit – Berlin DPA) has imposed a fine of 14,500,000 euros on a German real estate company, die Deutsche Wohnen SE.

The company used an archiving system for the storage of personal data of tenants that did not provide for the possibility of removing data that was no longer required. Personal data of tenants were stored without checking whether storage was permissible or even necessary. It was therefore possible to access personal data of affected tenants which had been stored for years without this data still serving the purpose of its original collection. This involved data on the personal and financial circumstances of tenants, such as salary statements, self-disclosure forms, extracts from employment and training contracts, tax, social security and health insurance data as well as bank statements.

According to Berlin DPA, there was the violation of GDPR in three respects: first, the company did not have a legal ground to store personal data longer than was necessary; second, this was considered an infringement of the data protection by design requirements under Article 25 (1) GDPR; and, finally, it was an infringement of the general processing principles set out in Article 5 GDPR.

What can we learn?

1. Personal information should be retained only for as long as necessary to perform its stated purpose.
2. Data retention and destruction policies shall be implemented and be a living document. i.e. to be reviews and updated on a regular basis.
3. The records management and the data deletion lifecycle shall be ensured.
4. The data controllers shall consider the implementing an archiving system which separates data with different retention periods thereby allowing differentiated deletion periods as such solutions are commercially available.

Deutsche Wohnen TIM SpA (Telecom Italia)

Imposed fine. On January 15, 2020, Italian Data Protection Authority (Garante per la protezione dei dati personali) has imposed a fine of 27,802,496 euros on a telecommunications operator TIM SpA.

TIM made promotional calls without proper consent or despite registration of the contacted individuals in the public do not call registry, and even after they exercised the right to object. As well, inaccurate, unclear data processing information was provided in connection with certain apps targeted to customers and the arrangements for obtaining the required consent were inadequate. In a few cases paper forms were to be filled in where a single consent statement was available in respect of different purposes including marketing.

The fine was issued for violation of the GDPR, with emphasis on unlawful data processing, non-compliant aggressive marketing strategy, invalid collection of consents and excessive data retention period.

What can we learn?

1. A consent of an individual shall be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing of personal data relating to him or her.
2. Individuals who provide consent must be able to revoke the consent at any time as easily as it was to give it without penalty. The process for withdrawing consent should be publicized to inform individuals on the steps they should take.
3. An individual should consent to each activity or various methods for direct marketing separately.
4. Technical and organisational measures should be implemented in order to ensure quality, accuracy and timely updates of the personal data that are processed in the individual systems.