LG Bonn - 29 OWi 1/20

From GDPRhub
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
LG Bonn - 29 OWi 1/20
Courts logo1.png
Court: LG Bonn (Germany)
Jurisdiction: Germany
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(4) GDPR
Decided: 11.11.2020
Published:
Parties:
National Case Number/Name: 29 OWi 1/20
European Case Law Identifier:
Appeal from: BfDI (Germany)
Appeal to:
Original Language(s): German
Original Source: openJur (in German)
Initial Contributor: Agnieszka Rapcewicz

The Regional Court Bonn upheld the decision of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) that a telecommunication operator violated Article 32(1) GDPR. The operator was fined EUR 900,000.

English Summary

Facts

The fined company belongs to a group of companies which together form one of the five largest telecommunications service providers in Germany. Since the entry into force of the GDPR on 25.05.2018 and until 08.05.2019, the party concerned operated call centres for the group of companies. The call centre agents worked with a user interface based on the customer database of the company K. This provided the call centre agent with the information (personal data) necessary for processing customer enquiries.

Callers usually reached a first-level support service agent first in the call centre. This agent first had to identify the caller. If the call was made under a telephone number assigned by the company, the respective record of the telephone number was directly displayed to the service agent. If, on the other hand, the call was from a foreign or suppressed telephone number, the customer was identified by the service agent on the basis of his name and date of birth or - alternatively - by stating the customer/contract or order number.

The respective service agent was required to authenticate the caller as an authorised person. For this purpose, the date of birth was requested - insofar as this was not already necessary for calling up the correct data record in the context of identification. After authentication, the call centre agents were authorised to provide the caller with information and to accept change requests.

For certain topics, the call centre agents of the first-level support forwarded the callers to other employees on the basis of an authorisation concept. For example, only the billing office could enter new bank details. A repeated or stricter authentication was not carried out towards these other employees after the authentication by the first-level support.

In case the call centre agent could recognise that someone other than the customer was calling the call centre, the person concerned had not made any comprehensive arrangements. There were only special working instructions for dealing with telephone enquiries from legal guardians. Moreover, it was standard practice at the person concerned that persons who introduced themselves as members of the customer's family or other close persons and were able to provide the customer's name and date of birth for authentication were considered to be authorised to act on behalf of the customer.

The above described practice was not checked for compliance with the General Data Protection Regulation.

The former partner of one of company's customers took advantage of the possibility to call as a (supposed) family member of a customer. Her ex-partner had deliberately changed his previous mobile phone number in order to no longer be contacted by her. Due to an outstanding debt, the mobile phone connection of company's customer had been blocked, which the former partner was apparently aware of. On 23 December 2018, she called the call centre of the person concerned, pretended to be the customer's wife and explained that she had settled the outstanding debt. As she was able to give the name and date of birth of her ex-partner, she was treated as an entitled person by the call centre agent. In the course of the conversation, the caller was given her ex-partner's new telephone number. She subsequently used this to make harassing calls, which is why customer's client filed a complaint with the police for stalking.

The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit - BfDI) became aware of the incident through a notification from the police on 31 January 2019. On 25.03.2019, the BfDI initiated administrative offence proceedings against the person concerned. By administrative fine decision of 27 November 2019, the BfDI imposed a fine of EUR 9,550,000 on the party concerned for a grossly negligent breach of Article 32(1) GDPR . The BfDI justified the fine by stating that the mere request of name and date of birth for the authentication of telephone callers or third parties did not ensure an adequate level of protection in accordance with Article 32 of the GDPR.

The decision has been challenged in court.

Dispute

Has the company provided adequate data protection measures? Is it necessary to specify in the penalty notice which natural persons of a company have specifically committed the data protection breach?

Holding

The Court upheld the DPA's decision that the company, as data controller, has culpably violated Article 32(1) GDPR and is therefore guilty of an administrative offence under Article 83(4)(a) GDPR. However, the Court reduced the fine imposed on the company from EUR 9,55 million to EUR 900,000.

Comment

The Court upheld the DPA's decision that the company violated Article 32(1) GDPR by generally allowing it to suffice in its call centres that the call centre agents asked for the caller's name and date of birth for authentication purposes. This was even sufficient if it was recognisable that not the customer himself but a third party was calling on his behalf. Taking into account the criteria of Article 32(1) GDPR, such authentication did not ensure sufficient protection of the customer data that could be viewed by the call centre agents against disclosure to unauthorised callers.

What is interesting, the Court made extensive reference to the liability of collective entities for infringements of the GDPR. The Court pointed out that German sanctions law does not yet know such direct liability of companies. Pursuant to Section 30 (1) OWiG, authorities can impose fines on legal persons or associations of persons; however, the fines are always linked to culpable misconduct by natural persons, for which the legal person or association of persons is only liable on the legal consequences side - as a so-called "secondary affected party". For a fine, the conduct of any employee of the company is not sufficient, but only the conduct of very specific persons in management or supervisory positions. A fine can - at least in principle (cf. section 31 (1) no. 5 OWiG) - only be imposed on the legal person or association of persons whose organ or management person committed the administrative offence. The liability to pay a fine does not extend to other legal entities of the entire enterprise - for example, other legal entities of a group.

The Court stressed that in contrast, supranational European antitrust law assumes that companies are directly liable for infringements of Articles 101 and 102 TFEU. Whereas according to Section 30 (1) OWiG legal persons or associations of persons are liable for the actions of their management on the legal consequences side, according to supranational cartel sanction law the association is directly liable for the infringement, regardless of which natural person acted on its behalf (direct association liability). Knowledge or even instruction of the management or breach of the duty of supervision is not required. According to the functional entity principle, the company is liable as a functional entity. If an enterprise has several legal entities - for example, if a uniform enterprise is supported by several legal entities - the fine can be imposed on all legal entities. The individual legal entities of the enterprise are only relevant as formal addressees of the sanction decision, as parties affected by the proceedings and as addressees of enforcement. They are jointly and severally liable for the corporate fine.

Whether Section 30 (1) OWiG and the German legal entity principle are to be applied when imposing fines pursuant to Article 83 (4) to (6) DS-GVO or whether the principles of supranational cartel sanction law are to be applied is disputed. The German legislator has not answered this question unambiguously: In Section 41(1) BDSG it has ordered that the substantive provisions of the OWiG apply "mutatis mutandis" to infringements under Article 83(4) to (6) DS-GVO. The legislator has recognised the primacy of application of the GDPR by referring to the provisions of the OWiG only insofar as "this law does not provide otherwise", which covers the GDPR as well as the BDSG. The Federal Administrative Court of the Republic of Austria applied a provision comparable to Section 30 OWiG in Section 30 öDSG in a decision of 19.08.2019, Case No. W211 2208885-1, and thus denied the primacy of Article 83 (4) to (6) DSGVO. It annulled the penalty decision there (corresponds to the German penalty notice) and discontinued the proceedings because the fine was not linked to the conduct of a natural person.

As the Court pointed out, the BfDI, the State Data Protection Commissioners and other representatives of the literature on data protection law, on the other hand, assume that the principles of supranational antitrust law apply mutatis mutandis to the offences in Article 83(4) to (6) of the GDPR. This view, in the Court's opinion, is correct. The Court stressed that when creating Article 83 (4) to (6) GDPR, the European legislator obviously had supranational antitrust law as a model. This is expressed in recital 150 of the GDPR, for example, when it states that in the case of a fine against an undertaking, the term "undertaking" should be understood in the sense of Articles 101 and 102 TFEU, i.e. in the sense of the EU antitrust law concept of undertaking. Accordingly, only controllers and processors (cf. Art. 4 No. 7 and 8 of the GDPR) as well as the certification body in the case of Art. 4(b) and the supervisory authority in the case of Art. 4(c) are mentioned as addressees in the wording of the provisions on fines in Art. 83(4) to (6) of the GDPR. The imposition of a fine is not linked to a culpable act of the organs or management persons of legal persons or associations of persons.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Tenor
The party concerned is guilty of breach of the obligation to ensure an adequate level of protection for personal data by means of appropriate technical and organisational measures.

The party concerned is therefore sentenced to a fine of

900,000 euros

900,000.

The party concerned shall bear the costs of the proceedings.

Applicable provisions:

Art. 32(1), (2); 83(1), (2), (4) DS-GVO.

Reasons
I.

The party concerned K C GmbH belongs to the K X Group (hereinafter: K X). This is one of the five largest telecommunications service providers in Germany. The group's products are primarily offered under the K brand and also under discount brands such as L.de, D or F. The data subject K C GmbH is a listed company.

K X AG, as the listed parent company, concentrates on holding tasks such as management, finance and accounting, cash management, human resources and risk management. The operative business is mainly carried out by K G SE and in particular by the affected party, K C GmbH, as well as by X GmbH. The party concerned is a 100% subsidiary of K B GmbH, which in turn is a 100% subsidiary of K G SE. The parent company K X AG holds 100% of the shares of K G SE. Comprehensive profit and loss transfer and control agreements exist between all companies of the group.

K X had revenue of approximately €3.63 billion in the 2018 financial year, which increased to €3.76 billion in 2019. The Group's profit amounted to approximately 406 million euros in 2018 and approximately 373 million euros in 2019.

II.

1. in the offence period since the entry into force of the GDPR on 25.05.2018 until 08.05.2019, the party concerned operated call centres with #...# call centre service agents in the group of companies for the K brand. These agents served around #.# million customers.
a) The call centre agents of the party concerned worked with the so-called Z (hereinafter Z), a user interface based on the customer database of the company K. This provided the call centre agent with the information necessary for processing customer enquiries. In detail, this was:

- Name and customer number

- Address of the customer

- Date of birth of the customer

- Contract data (type, conditions, term and contract status)

- Customer's telephone number

- Customer's e-mail address

- Advertising preferences

- Invoice data or status (i.e. open or paid)

- bank account details, which, however, according to the "needtoknow" rule, were only displayed in full to employees who worked with them (e.g. W, S, Receivables Management), while only the last four digits of the IBAN were displayed to first-level support call centre agents

- Invoices where the account number was technically unrecognisable except for the last four digits ("fixed").

- past correspondence with the customer

Itemised bills or other traffic data were not displayed in the Z and were therefore not visible to the call centre agents. They were only made available to customers in the Control Centre, a web application for self-administration of the customer account.

b) Callers usually reached a first-level support service agent first in the call centre. This agent first had to identify the caller. If the call was made under a telephone number assigned by K, the respective record of the telephone number was directly displayed to the service agent. If, on the other hand, the call was from a foreign or suppressed telephone number, the customer was identified by the service agent on the basis of his name and date of birth or - alternatively - by stating the customer/contract or order number.

The respective service agent was required to authenticate the caller as an authorised person. For this purpose, the date of birth was requested - insofar as this was not already necessary for calling up the correct data record in the context of identification.

After authentication, the call centre agents were authorised to provide the caller with information and to accept change requests. For certain topics, the call centre agents of the first-level support forwarded the callers to other employees on the basis of an authorisation concept. For example, only the billing office could enter new bank details. A repeated or stricter authentication was not carried out towards these other employees after the authentication by the first-level support.

In case the call centre agent could recognise that someone other than the customer was calling the call centre, the person concerned had not made any comprehensive arrangements. There were only special working instructions for dealing with telephone enquiries from legal guardians. Moreover, it was standard practice at the person concerned that persons who introduced themselves as members of the customer's family or other close persons and were able to provide the customer's name and date of birth for authentication were considered to be authorised to act on behalf of the customer. This was independent of whether this person had been deposited in the system by the client as a so-called additional contact person or not. It was also not explicitly regulated how the call centre agents should react if a calling third party was unable to provide the customer's date of birth during the authentication process.

The authentication of callers in the call centre had been practised by the party concerned for several years as described above. This practice was not checked for compliance with the General Data Protection Regulation. 2.

2 The former partner of one of K's customers took advantage of the possibility to call as a (supposed) family member of a customer. Her ex-partner had deliberately changed his previous mobile phone number in order to no longer be contacted by her. Due to an outstanding debt, the mobile phone connection of K's customer had been blocked, which the former partner was apparently aware of. On 23 December 2018, she called the call centre of the person concerned, pretended to be the customer's wife and explained that she had settled the outstanding debt. As she was able to give the name and date of birth of her ex-partner, she was treated as an entitled person by the call centre agent. In the course of the conversation, the caller was given her ex-partner's new telephone number. She subsequently used this to make harassing calls, which is why K's client filed a complaint with the M police for stalking. 3.

The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit - BfDI) became aware of the incident through a notification from the M police on 31 January 2019. On 25.03.2019, the BfDI initiated administrative offence proceedings against the person concerned. By letter of 08.04.2019, delivered on 11.04.2019, he heard the person concerned. By administrative fine decision of 27 November 2019, the BfDI imposed a fine of EUR 9,550,000 on the data subject for a grossly negligent breach of Article 32(1) of the GDPR. The BfDI justified the fine by stating that the mere request of name and date of birth for the authentication of telephone callers or third parties did not ensure an adequate level of protection in accordance with Article 32 of the GDPR. With a fine of up to 73,260,000 euros, the fine imposed was in the lower range.

4 Clear requirements for the authentication process in call centres were not established at the time. The BfDI did not publish any guidelines or instructions in this regard. Even in the semi-annual meetings of the leading telecommunications companies with the BfDI ("N"), the question of how customer identification and authentication should take place in call centres was not a subject. In connection with a consultation and inspection visit by the BfDI to the data subject in November 2015, caller authentication was not criticised. However, the subject of the audit was the recording of calls in the call centre in connection with the conclusion of contracts and the need for consent. The requirements for authentication in call centres were also not addressed in specialist journals and other literature, not even in connection with the introduction of the GDPR. Only one dissertation from 2012 (Hoss, Callcenter aus der Perspektive des Datenschutzes - Rechtlicher Rahmen und Gestaltungsvorschläge für ein automatisiertes Gesprächsmanagement-System, 2012) dealt with the use of secret knowledge, especially PINs, in connection with "suitable methods for secure authentication of customers" in call centres. Strong authentication was called for there in the case of particularly sensitive personal data, for example in the health sector. Otherwise, the required level of security was to be determined on a case-by-case basis.

5. In November 2019, i.e. before the BfDI imposed the fine with high publicity, the party concerned investigated how callers are authenticated in the call centre at other large companies before they are provided with personal data. This investigation yielded the following result:

- P: Daughter calls expressly for her mother and gives her customer number, name and date of birth. No power of attorney is requested.

- J: The caller authenticates himself via the mobile number stored in the contract, giving date of birth and address.

- Q: The caller authenticates himself with customer number, name, date of birth.

- O: Caller must provide OCard number.

- E: Caller is asked for his 4-digit PIN. If this is not at hand, an authentication TAN is sent to the terminal.

- R: If caller does not have their contract account number to hand, it is sufficient to provide surname, postcode and date of birth.

- X2: It is sufficient to enter the vehicle registration number, name and date of birth.

- W2: If a caller does not have his contract number or customer number to hand, it is sufficient to state the name and date of birth of the contract holder.

- A2 GmbH: The customer number, name, address and date of birth are requested.

- M2: The customer number is sufficient; if it is not available, the name and date of birth are also sufficient.

In response to the BfDI investigations, the party concerned changed the authentication in the call centre. As a temporary measure, authentication via the customer/contract or order number, date of birth or email address and the last four digits of the IBAN was introduced on 08.05.2019.

Since 09.12.2019, callers to K's call centres have had to authenticate themselves using a five-digit service PIN, which was sent to customers by email or post and can be changed to a desired PIN in the Online Control Centre if required. The IT structure of those concerned had to be adapted and the call centre staff trained accordingly. The implementation costs amounted to around # million euros (#.# million euros for development, implementation and quality assurance, 2 million euros for mailing and ...#...# euros each for training and other expenses, such as legal advice).

III.

The findings are based on the statement of the person concerned, the information provided by the data protection officer of the person concerned, the witness Dr. A, as well as the expert Prof. Dr. Y, who was commissioned by K and instructed by it on the facts. The statements are consistent with the documents introduced in the main hearing, which supplemented the details of the statements. The parties to the proceedings agree on the facts of the case. The only dispute is about the legal consequences.

IV.

There is no impediment to proceedings. The penalty notice issued by the BfDI forms a viable basis for the court proceedings, so that the defence's motion to discontinue the proceedings did not have to be granted. 1.

(1) The BfDI's penalty notice sets out the data protection infringement in more detail and states that the party concerned violated Article 83(4)(a) GDPR in conjunction with [Article 32(1) GDPR. Article 32 (1) GDPRby failing, at least with gross negligence, to ensure processes for sufficient authentication of callers. It is not described in more detail which natural persons in the company of the data subject committed the data protection breach and by which actions. 

(2) The penalty notice thus sufficiently describes and delimits the offence in the procedural sense (section 41(2) sentence 1 BDSG, section 71(1) OWiG, section 264 StPO).

a) The subject matter of the sanction under Article 83 (4) to (6) of the GDPR is the data protection breach as a result and not the actions of certain natural persons that caused it. This data protection breach is the subject matter of the fine proceedings. In order to define the subject matter of the proceedings, it is therefore not necessary to specify in the penalty notice which natural persons of a company have specifically committed the data protection breach. It is sufficient to individualise the data protection violation. This has been done here.

b) German sanctions law does not yet know such direct liability of companies. Pursuant to Section 30 (1) OWiG, authorities can impose fines on legal persons or associations of persons; however, the fines are always linked to culpable misconduct by natural persons, for which the legal person or association of persons is only liable on the legal consequences side - as a so-called "secondary affected party". For a fine, the conduct of any employee of the company is not sufficient, but only the conduct of very specific persons in management or supervisory positions. A fine can - at least in principle (cf. section 31 (1) no. 5 OWiG) - only be imposed on the legal person or association of persons whose organ or management person committed the administrative offence. The liability to pay a fine does not extend to other legal entities of the entire enterprise - for example, other legal entities of a group.

c) In contrast, supranational European antitrust law assumes that companies are directly liable for infringements of Articles 101 and 102 TFEU. Whereas according to Section 30 (1) OWiG legal persons or associations of persons are liable for the actions of their management on the legal consequences side, according to supranational cartel sanction law the association is directly liable for the infringement, regardless of which natural person acted on its behalf (direct association liability). Knowledge or even instruction of the management or breach of the duty of supervision is not required. According to the functional entity principle, the company is liable as a functional entity. If an enterprise has several legal entities - for example, if a uniform enterprise is supported by several legal entities - the fine can be imposed on all legal entities. The individual legal entities of the enterprise are only relevant as formal addressees of the sanction decision, as parties affected by the proceedings and as addressees of enforcement. They are jointly and severally liable for the corporate fine.

d) Whether Section 30 (1) OWiG and the German legal entity principle are to be applied when imposing fines pursuant to Article 83 (4) to (6) DS-GVO or whether the principles of supranational cartel sanction law are to be applied is disputed.

aa) The German legislator has not answered this question unambiguously: In Section 41(1) BDSG it has ordered that the substantive provisions of the OWiG apply "mutatis mutandis" to infringements under Article 83(4) to (6) DS-GVO. The legislator has recognised the primacy of application of the GDPR by referring to the provisions of the OWiG only insofar as "this law does not provide otherwise", which covers the GDPR as well as the BDSG. However, in Section 41 (1) sentence 2 BDSG, the legislator has expressly excluded certain provisions from the reference. § Section 30 OWiG is not excluded there, contrary to the suggestion of the data protection conference and contrary to the first versions of the draft bill. This could lead to the conclusion that the German legislator assumed that Section 30 OWiG would apply. However, there is no justification for this amendment to the draft bill.

bb) The Federal Administrative Court of the Republic of Austria applied a provision comparable to Section 30 OWiG in Section 30 öDSG in a decision of 19.08.2019, Case No. W211 2208885-1, and thus denied the primacy of Article 83 (4) to (6) DSGVO. It annulled the penalty decision there (corresponds to the German penalty notice) and discontinued the proceedings because the fine was not linked to the conduct of a natural person.

cc) Parts of the German literature on data protection law also assume that Article 83 (4) to (6) of the GDPR does not itself conclusively regulate the question of attributing a data protection violation to an association. There is room for application of the law of the respective member states. According to German sanctions law, the concrete determination of an unlawful and culpable act of a management person within the meaning of Section 30 (1) OWiG is therefore required in order to impose a fine on the association (cf. Gola, DS-GVO, 2nd ed. 2018, Art. 83 para. 11; Schantz/Wolff, Das neue Datenschutzrecht, F. Durchsetzung des Datenschutzrechts, marginal no. 1134; Forgó/Helfrich/Schneider, Betrieblicher Datenschutz, Part XIV. Straf- und Ordnungswidrigkeitenvorschriften im Bereich des betrieblichen Datenschutzes, marginal no. 148; raising the question of applicability: Sydow, Europäische Datenschutzgrundverordnung, 2nd edition 2018, Art. 83 marginal no. 5).

dd) The BfDI, the State Data Protection Commissioners and other representatives of the literature on data protection law, on the other hand, assume that the principles of supranational antitrust law apply mutatis mutandis to the offences in Article 83(4) to (6) of the GDPR (cf. BeckOK, DatenschutzR/Holländer, 33rd ed. 01.08.2020 GDPR Art. 83 Rn. 11, 21; Gola/Heckmann/Ehmann, 13th ed. 2019, BDSG § 41 Rn. 20; Thiel (interview) ZD 2020, 3 (3 f.); Bergt, DuD 2017, 555, 556; Kühling/Buchner/Bergt, 3rd ed. 2020 Rn. 20, DS-GVO Art. 83 Rn. 20; Ebner/Schmidt, CCZ 2020, 84; see also resolution of 03. 04.2019 of the 97th DSK "Companies are liable for data protection breaches of their employees" and Working Paper 253 of the Article - 29 - Working Party of 3 October 2017, page 6).

e) The latter view is correct.

aa) When creating Article 83 (4) to (6) GDPR, the European legislator obviously had supranational antitrust law as a model. This is expressed in recital 150 of the GDPR, for example, when it states that in the case of a fine against an undertaking, the term "undertaking" should be understood in the sense of Articles 101 and 102 TFEU, i.e. in the sense of the EU antitrust law concept of undertaking. Accordingly, only controllers and processors (cf. Art. 4 No. 7 and 8 of the GDPR) as well as the certification body in the case of Art. 4(b) and the supervisory authority in the case of Art. 4(c) are mentioned as addressees in the wording of the provisions on fines in Art. 83(4) to (6) of the GDPR. The imposition of a fine is not linked to a culpable act of the organs or management persons of legal persons or associations of persons.

bb) The linking of the fine to misconduct on the part of executive bodies or managers pursuant to Section 30 OWiG cannot be meaningfully reconciled with the liability concept based on the EU antitrust model and the function bearer principle (cf. Bergt in Kühling/Buchner, DS-GVO BDSG, 3rd edition 2020, Section 41 BDSG marginal no. 7: "inappropriately for an original corporate sanction law Section 30 OWiG"). Compared to the European liability model, the application of Section 30 OWiG would lead to a considerable restriction of the imposition of fines on companies if the internal responsibilities had to be clarified despite the fact that a data protection violation had been established. If Section 30 OWiG and comparable provisions of other Member States were fully applicable, different regulations would apply in each of the EU Member States or would at least be possible. Since the sanctioning of breaches of order by associations in the EU member states is based on very different legal traditions, the enrichment of Article 83 (4) to (6) of the GDPR by national liability and attribution provisions would have the consequence that the sanctioning of companies under Article 83 (4) to (6) of the GDPR would diverge not inconsiderably from one member state to another. This would not only affect the substantive scope of companies' liability for fines, but also the effectiveness of the procedure, for example in Germany due to the need for very elaborate investigations of internal company structures and responsibilities. There would be the obvious danger of significantly different sanctioning practices across Europe.

The recitals to the GDPR show that this was not the intention of the European legislator. On the contrary, the uniform application of the law and a uniform and, in particular, effective sanctioning of data protection violations by companies were precisely one of the basic concerns when the GDPR was created:

- Recital 9 shows that the GDPR should provide a more solid basis for consistency compared to the Data Protection Directive 95/46/EC, as it is directly applicable in the Member States.

- Recital 10 states that the Regulation should ensure a consistent and high level of data protection for individuals and remove barriers to the flow of personal data in the Union. Therefore, the level of protection should be equivalent in all Member States.

- Recital 11 to the Regulation addresses the fact that an equivalent level of protection for personal data throughout the Union requires, inter alia, "equal powers to monitor and ensure compliance with the rules on the protection of personal data and equal sanctions in the event of a breach thereof".

- Recital 13 to the Regulation considers equivalent sanctions in all Member States and effective cooperation between supervisory authorities of different Member States as necessary to "eliminate disparities which could hinder the free flow of personal data in the internal market".

- Recital 129 to the Regulation reiterates the need to ensure consistent monitoring and enforcement of the Regulation across the Union, for which the supervisory authorities in each Member State should have the same tasks and effective powers.

- According to Recital 148 to the Regulation, in the interest of more consistent enforcement of the provisions of the Regulation, sanctions, including fines, shall be imposed in the event of infringements in addition to, or instead of, the appropriate measures imposed by the supervisory authority pursuant to this Regulation.

Even if the recitals to the GDPR do not have the quality of a legal norm, the courts must take them into account when interpreting Article 83 (4) to (6) of the GDPR. In the present case, this means that there is no room for limiting liability by restricting it to the individual misconduct of management personnel pursuant to Section 30 OWiG. If the member states were able to limit the elements of fines in Article 83 (4) to (6) GDPR by applying their own legal provisions, central objectives - standardisation as well as uniform and effective sanctioning on the basis of uniform provisions throughout Europe - would be jeopardised.

cc) Nothing else results from the fact that the European legislator also refers to the law of the Member States in Article 83 (8) of the GDPR to ensure adequate procedural guarantees "including effective judicial remedies and due process". The content of this provision, in particular as a national regulatory power, is to be interpreted in the light of the European law requirement of effectiveness ("effet utile", settled ECJ case law, cf. Case C-6/90 and 9/90, NJW 1992, 165, para. 32 with further references). In the absence of a European law on the procedure for imposing fines, the national procedure for imposing fines may only be used to the extent that the effective enforcement and practical effectiveness of the GDPR is guaranteed. Moreover, Article 83 (8) of the GDPR only refers to the procedure for imposing fines. Only in this respect do national regulatory competences exist. In borderline areas between procedural law and substantive law, individual substantive provisions from national law can therefore be applied, if at all, insofar as national procedural law requires their application. However, these substantive provisions can only be those that do not stand in the way of effective punishment under the law on fines. A restriction and weakening of the liability model under Union law by provisions such as in Section 30 (1) OWiG is not covered by Article 83 (8) DPA.

V.

The data subject, as data controller, has culpably violated Article 32(1) of the GDPR and is therefore guilty of an administrative offence under Article 83(4)(a) of the GDPR.

Pursuant to Article 32 (1) sentence 1 of the GDPR, data controllers shall take appropriate technical and organisational measures to address the risks to the rights and freedoms of natural persons arising from data processing. The level of protection to be ensured must be adequate. The assessment of what is adequate shall take into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the likelihood and severity of the risk to the rights and freedoms of natural persons. According to Art. 32(2) GDPR, the risks to be addressed by the data controller include the risk of unauthorised disclosure of personal data and unauthorised access to personal data.

2 The company violated these requirements by generally allowing it to suffice in its call centres that the call centre agents asked for the caller's name and date of birth for authentication purposes. This was even sufficient if it was recognisable that not the customer himself but a third party was calling on his behalf. Taking into account the criteria of Article 32(1) of the GDPR, such authentication did not ensure sufficient protection of the customer data that could be viewed by the call centre agents against disclosure to unauthorised callers.

a) Communication via a call centre is largely anonymous. As a rule, the caller and the call centre agent do not know each other personally. As far as contractual matters are concerned and the call centre agent has to resort to customer data to process the call, he must first identify the customer. If personal data is disclosed to the caller during the call, it must also be ensured that the caller is actually the customer or a third party acting on the customer's behalf. A secure method is therefore required to authenticate the caller as the person entitled to the data.

b) Various methods are available for authenticating the caller, which guarantee different levels of security. In order to select the method, an identification and assessment of the specific risks based on the likelihood of occurrence and the severity of adverse consequences for the natural persons concerned shall be carried out. The more sensitive the data, the more serious the possible consequences of unauthorised data disclosure and the more likely such consequences are, the higher the requirements for their protection.

c) The call centre agents of the data subjects did not have access to particularly sensitive data within the meaning of Art. 9(1) of the GDPR, which require special protection because they are of a highly personal or identity-related nature and They are of a highly personal or identity-forming nature and therefore inherently have a high potential for damage and discrimination (cf. BeckOK, DatenschutzR/Albers/Veit, 33rd ed. 1.5.2020, DS-GVO Art. 9 marginal no. 17, Paal/Pauly/Frenzel, 2nd ed. 2018, DS-GVO Art. 9 marginal no. 6). These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation. Such data was not directly involved, nor could any inference be drawn from the data available to the call centre agents.

d) The risks to the rights and freedoms of natural persons, which are particularly highlighted in Recital 75 to the GDPR (discrimination, identity theft or fraud, damage to reputation, etc.), were also not in the foreground in the present case. This also applies insofar as data concerning the economic situation and reliability are mentioned there. It is true that it was possible for the call centre agents to see in Z whether connections were blocked due to outstanding debts, which can allow conclusions to be drawn about the economic situation of the customer. Notwithstanding the fact that other reasons than payment difficulties may be behind this, recital 75 has the use case in mind that the mentioned aspects are evaluated, analysed or predicted in order to create or use personal profiles. However, this did not happen in the present case.

e) Only a few sensitive data were affected, general contact data (address, telephone number and e-mail address) as well as bank details. These are data that are usually made available to third parties when concluding contracts, for official procedures or for other reasons. In addition, the contract and invoice data as well as the customer correspondence were stored in the Z and could therefore be viewed by the call centre agent, i.e. data that originate directly from the contractual relationship with the data subject and which third parties usually have no interest in knowing.

f) The likelihood that third parties would attempt to obtain unauthorised access to this data via the call centre of the data subject was accordingly low. Mass access to the data of a large number of customers of the data subject through the use of corresponding software was not to be expected via contacting the call centre. The call centre agent had to be induced to disclose information about a customer in the first place by skilfully conducting the conversation. The focus was therefore on the risk of an attack on the data of individual customers. In particular, there was the risk that third parties would try to obtain information about a person known to them via the call centre for personal motives.

g) However, the risk to the rights and freedoms of certain natural persons is so significant that the data had to be effectively protected.

For example, persons who are generally at risk of unwanted contact, such as public figures, were at risk. In particular, however, it also concerns persons who are at real risk of becoming victims of criminal offences, be it through stalking, threats or deprivation of liberty. Beyond these personal dangers, there is also always the risk of damage through unauthorised use of data. For example, it is conceivable that fraudsters obtain personal information via the call centre, such as the last four digits of a customer's IBAN, in order to use this data at another - more damaging - location for authentication. The dangers threatening in this respect go beyond the realm of the annoying. In individual cases, serious material and especially immaterial damage is conceivable.

The risk of becoming a victim of data misuse by third parties existed only for a small proportion of K X's customers in relative terms. However, due to the #.# million customers, this was a quite relevant absolute number. Since K X is also one of the five largest telecommunications service providers in Germany and almost every adult has a landline and/or mobile phone connection, it was not necessary for a third party to know that the intended victim was a customer of K. The third party did not have to be aware of this. There was a realistic chance of obtaining the desired contact data by "phoning" the major telecommunications companies. This distinguishes the risk situation for the data processed by the data subject from that of smaller regional telecommunications companies or those in other industries.

h) The authentication procedure used by the data subject at the time of the crime by requesting name and date of birth did not sufficiently take into account the risks described.

aa) The name and date of birth of the customer are available to an unmanageably large circle of people. They are often known or available among family, acquaintances and colleagues. For many people, the name and date of birth are also easy to find, for example on the internet, for celebrities via C2 or via social networks such as Y2. Since the name and date of birth are therefore not only in the customer's sphere of knowledge or access, asking for this information is not sufficient to ensure that the caller is the contractual partner recorded in the system.

bb) The data is also unsuitable to establish a presumption of the calling party's authorisation/authorisation if the calling party and the customer are recognisably different persons because a third party is calling on behalf of the customer. The fact that other persons have knowledge of the customer's name and date of birth does not imply that the information was consciously disclosed to them, and even a conscious disclosure of the date of birth does not imply the granting of a power of representation - even among family and friends. The person concerned also did not have any information about the respective family relationships from her contractual relationship with the customer, which is why it was not possible for the agents in the call centre to verify whether the claimed relative even existed according to the customer's family structure. Due to the possibility of calls by third parties, the risk of abuse was also increased because it was particularly easy for them to cause the call centre agent to disclose the deposited information by pretending gaps in knowledge and uncertainties without arousing suspicion of abuse on their part.

i) It would have been possible for the party concerned to increase the security standard without significant effort. Already by additionally requesting special knowledge, such as the customer or invoice number, the assumption that the caller is actually the customer or an authorised person would have been more reliable. This is because only the customer himself or his close environment regularly have access to this data. The circle of those who could authenticate themselves to the call centre without authorisation would thus have been considerably reduced. Since this data was already accessible to the call centre agents at the time, it would only have required informing the call centre agents and revising the corresponding training documents or training courses to increase the level of protection. This would have been possible with a one-time and extremely low financial effort.

2. a) The party concerned was aware of the concrete level of protection in the call centre and was not subject to any misconception in factual terms. In the sense of knowledge of the facts, the company K X acted intentionally. However, the Board does not assume that the responsible employees of the company were aware of the infringement of Article 32 GDPR or the possibility thereof. In the past, there had been no complaints by supervisory authorities or third parties. K X had also not become aware of any abuse of its call centres. In addition, the requirements for authentication in the call centre had not been dealt with in detail in trade journals or books on data protection law.

b) However, the error of prohibition and thus the data protection infringement were avoidable for the company K X.

aa) For a telecommunications company like the data subject, the call centre is the primary contact point for personal contact with the customer. It is therefore necessary to review the level of data protection in the area of the call centre on an ad hoc basis and at regular intervals. This already results from the fact that data protection law is not static, but that the state of the art also and especially develops with regard to new risks. Accordingly, Article 32 (1) (d) of the GDPR now also explicitly requires a regular review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of processing. The reform of European data protection law through the introduction of the GDPR gave reason to review the data processing procedures for conformity with the new law. An almost two-year transition period was available for this purpose. In the course of this, the data subject should have checked whether the level of data protection in the call centre was sufficient or whether there was a need for adaptation and improvement. The authentication of callers was one of the central issues.

bb) K X did not use the transitional phase for the introduction of the GDPR. In a corresponding review, the company would have had to make the same considerations as the chamber. A similarly conscientious review based on the criteria of Article 32 GDPR would have led to the conclusion that the authentication process needed to be improved. The necessary expertise existed on the part of K X. The company has its own legal department, as a telecommunications company it deals with data protection issues on a daily basis and must have special competences in this area. If doubts had remained, the BfDI would have been available as the competent supervisory authority to reliably clarify the questions of doubt. The infringement would have been avoided in this way.

V.

In determining the fine, the Board was guided by the following considerations:

(1) The range of fines is derived from Article 83(4) of the GDPR. According to its letter a), a fine of up to 10 million euros can be imposed for a violation of Article 32 of the GDPR. In the case of a company, a fine of up to 2% of its total worldwide annual turnover of the previous business year is also possible, if this amount is higher.

a) According to Recital 150 to the GDPR, the functional concept of an undertaking in European antitrust law in Articles 101 and 102 TFEU is to be used as a basis. Therefore, when determining the upper limit of a possible fine, the total turnover of the K X Group as an undertaking in the functional sense and not the turnover of K C GmbH as the formal addressee of the fine is relevant.

In the German language version of the GDPR, Art. 4 No. 18 of the GDPR seems to contradict this interpretation. There, the term "undertaking" is legally defined as a natural or legal person that carries out an economic activity. This definition of the term "undertaking" in the sense of the individual legal entity is not relevant for Art. 83 GDPR. This is shown by a comparison with other language versions. In the English language version, Art. 4 No. 18 legally defines the enterprise as "undertaking" and in Art. 83 (5), a different term is used with "undertaking", which is consistent with the English language Recital 150. Also in Bulgarian, Danish, Gaelic, Croatian and Slovenian, Art. 83 GDPR does not use the legally defined term of enterprise from Art. 4 No. 18 (cf. on this further BeckOK DatenschutzR/Holländer, 32nd ed. 1.11.2019, DS-GVO Art. 83 Rn. 13-13.3; Cornelius, Die "datenschutzrechtliche Einheit" als Grundlage des bußgeldrechtlichen Unternehmensbegriff nach der EU-DSGVO, NZWiSt 2016, 421, 423f). It follows that the legislator understands the term "undertaking" in the sense of recital 150 in this context.

b) The question to which event the preceding business year is linked, the turnover of which determines the upper limit of the possible fine, is not expressly regulated.

According to the case law of the ECJ in antitrust law on the almost identical Article 23 of Regulation No. 1 / 2003, the reference period is the financial year preceding the imposition of the sanction (ECJ, Judgment of 26 January 2017 - C-637/13 P - Badezimmerkartell Laufen Austria, para. 49; ECJ, Judgment of 4 September 2014 - C-408/12 P - YKK and others para. 90).

Since Article 83 of the GDPR is modelled on the antitrust regulation, the amount of the annual turnover in the last completed business year before the fine was imposed is decisive. The time of the court decision is just as irrelevant as the time of the relevant infringement.

Since the penalty notice was issued on 27 November 2019, the annual turnover for 2018 is therefore decisive. Based on a turnover for 2018 of 3.63 billion euros, this results in a two percent upper limit for the fine of 72.6 million euros. Since this amount is higher than the 10 million euros mentioned as an alternative in Article 83(4) of the GDPR, this upper limit is to be used as a basis. 2.

2 In assessing the fine within this fine range, the following was decisive for the Board:

(a) Pursuant to Article 83(1) of the GDPR, each supervisory authority shall ensure that the imposition of fines is effective, proportionate and dissuasive in each individual case. Article 83 (2) sentence 2 of the GDPR lists assessment criteria that must be "duly" taken into account when deciding on the imposition of a fine and its amount in each individual case. According to these criteria, the type, severity and duration of the infringement, the number of data subjects affected by the processing, the extent of the damage, the category of personal data affected, the company's efforts to limit the damage, the type and extent of cooperation with the data protection authorities and the degree of responsibility are relevant.

The turnover of the company is not mentioned in Art. 83 (2) sentence 2 of the GDPR as an assessment factor. It does not follow from this that the turnover of the company is of no significance in the assessment of the fine. On the one hand, the turnover determines the upper limit of the fine for companies with a high turnover and thus creates the framework within which the specific data protection violation is to be classified and fitted. The framework of fines provides the necessary orientation for the concrete assessment. On the other hand, fines against companies must be effective and dissuasive pursuant to Article 83 (1) of the GDPR. This also depends on the punishment sensitivity of the respective company. The larger the company, the less sensitive it is to sanctions and the higher the fine must usually be so that it can have its special preventive effect. The amount of the turnover is a suitable indicator for the size of the enterprise and thus for the sensitivity; the balance sheet profit and other key figures of the economic performance of the enterprise can also be taken into account.

b) However, it must not be lost sight of the fact that the GDPR in Art. 83 (2) sentence 2 primarily lists fact-related aspects for the assessment. An assessment of the fine by determining a basic value for the fine based on the turnover, which is multiplied by a factor depending on the severity of the data protection violation, is problematic for this reason and because of the associated focus on the company turnover. The BfDI has followed such an approach in the assessment of fines based on the fine concept of the Data Protection Conference of 19.10.2019. Such an assessment method may lead to appropriate results in the case of data protection violations of medium gravity. However, it fails in the case of serious data protection infringements of companies with low turnover and minor data protection infringements of companies with high turnover, i.e. in those cases in which an assessment based primarily on turnover conflicts with the assessment based on the criteria in Article 83 (2) sentence 2 GDPR. In this case, the fact-based assessment criteria in Article 83 (2) sentence 2 of the GDPR take precedence. The amount of turnover continues to be important. However, in relation to the culpability, the turnover becomes less important, the clearer the assessment of the seriousness of the data protection breach is in one direction or the other based on the circumstances of the offence.

c) For serious data protection infringements of companies with low turnover, this results from Article 83 (4) GDPR itself. This does not contain a general upper limit for fines based on turnover. Rather, an upper limit of 10 million euros is provided for, which is increased for very high-turnover companies. The European legislator therefore makes it possible for supervisory authorities and courts to impose high fines on low-turnover companies in the case of serious data protection violations, which may even threaten their existence.

d) In the case of minor data protection violations by companies with high turnover, a decisive orientation towards turnover in the assessment of the fine is not appropriate in the same way. Pursuant to Article 83 (1) of the GDPR, a fine must be effective and dissuasive. However, both aspects are less important in the case of data protection violations of minor importance. In addition, according to Article 83 (1) of the GDPR, the fine must always be proportionate. In other words, the fine must be appreciable; however, it must not appear as undue hardship in the sense of an excessive reaction to the specific breach.

e) The data subject's violation of Article 32 GDPR is a data protection violation with a clear preponderance of mitigating factors. For it must be taken into account that

- no sensitive data were affected;

- the damage to a customer was only demonstrably caused in the one case, although it must be taken into account that cases of data theft via the call centre are not always known;

- K did not deliberately, consciously or even conditionally intentionally violate data protection law;

- rather, it was assumed that the authentication process complied with the law, even if this misconception was avoidable;

- there were no specifications for authentication in call centres;

- a low level of security also existed so that customers could contact the call centre without major obstacles;

- the data subject cooperated fully with the BfDI and immediately increased the level of protection of the authentication process and, in coordination with the BfDI, ultimately introduced a service PIN;

- K is fined for the first time for a data protection violation.

In the abstract, #.# million customer data of K were affected. However, there was no threat of mass theft of customer data, but the data could only be obtained by attackers in individual cases by cleverly conducting conversations via the call centre. Personal motives were in the foreground. In real terms, only a small number of customers were threatened by the weak authentication, even if this number was relevant in view of the size of K's customer base.

It must also be taken into account that K's reputation was damaged by the high-profile issuing of the penalty notice. Due to the amount of the fine initially imposed, the public was given the impression that this was a serious data protection violation - also and especially with regard to culpability. However, this is not the case.

After a comprehensive consideration of all circumstances relevant to the calculation of the fine, the Board, despite the high fine, imposed a significantly lower fine compared to the fine notice, amounting to

900,000 euros

as appropriate for the offence and the culpability. This is effective, proportionate and, with knowledge of the many mitigating aspects, also sufficiently deterrent.

VI.

The decision on costs is based on § 41 (2) sentence 1 BDSG, § 465 (1) StPO.