GDPR and authentication of customers by phone: only checking name and date of birth is insufficient German watchdog says
The German Federal Commissioner for Data Protection and Freedom of Information (Deutscher Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)) recently imposed a fine of EUR 9.5 million on the telecommunications service provider 1&1 (1&1). The reason for this decision was the previous authentication procedure, in which 1&1 identified its customers merely by name and date of birth. In the opinion of the BfDI, such a procedure does not constitute an appropriate technical and organisational measure to guarantee data security and therefore violates the General Data Protection Regulation (GDPR).
The majority of companies provide to their customers the possibility to contact the companies by phone in order to get information from the companies. In practice, this raises the question of customer authentication, i.e. how to ensure that personal data is not disclosed to unauthorised third parties. In many cases, the companies simply query the name and date of birth of the customers, as it was the case with 1&1. The BfDI concluded that such an authentication procedure would violate Art. 32 GDPR. According to this article, companies shall implement technical and organisational measures to protect the processing of personal data in a systematically manner.
Find the decision of the BfDI here: