The Federal Commissioner for Data Protection and Freedom of Information (BfDI) has imposed a fine of EUR 45,000,000 on Vodafone GmbH. The controller failed to properly supervise a third agency, which the controller used as a data processor. This resulted in employees of the third agency defrauding the controller's customers. The controller also failed to implement sufficient technical and organizational measures during an authentication process, which created the risk of third parties gaining ac

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) Jan 1, 2025

Telecoms provider (1&1 Telecom GmbH): Insufficient technical and organisational measures to ensure information security

€900,000 fine - The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Original Fine Summary: The Controller is a company offering telecommunication services. A caller could obtain extensive information on personal customer data from the company's customer service department simply by entering a customer's name and date of birth. In this authentication procedure, the BfDI aws a violation of Article 32 GDPR, according to which a company is obliged to take appropriate technical and organisational measures to systematically protect the processing of personal data. Due

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) Nov 11, 2020

Rapidata GmbH: Insufficient involvement of data protection officer

€10,000 fine - The Federal Commissioner for Data Protection and Freedom of Information (BfDI)

Despite repeated requests of the BfDI the company (an internet provider) did not comply with its legal obligation under Article 37 GDPR to appoint a data protection officer.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) Dec 9, 2019