A €9.55m fine for a telecommunications service provider for breaching GDPR has been reduced to just €900,000 by a German appeals court.

1&1 Telecom GmbH was handed the original fine last December by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) after it emerged that callers to the company’s customer service hotline could obtain the personal information of other customers merely by giving a customer’s name and date of birth.

A criminal complaint of stalking was made by a customer whose former partner, pretending to be his wife, had asked the telecommunications service provider’s call centre for his new phone number. She was only required to give the customer’s name and date of birth to obtain the number, which she then used to harass him.

At the time BfDI said the breach “posed a risk for the entire customer base.”

However, the court in Bonn hearing 1&1’s appeal has now decided that although the decision to fine 1&1 was justified, the amount was “unreasonably high”.

The court said that although unauthorised callers could access data such as phone numbers using only a customer’s full name and date of birth, sensitive data such as “individual connection certificates, traffic data or account connections” could not be accessed in this way.

“It is only a minor data breach. This could not lead to the mass handing over of data to non-authorised persons,” the court said.

Ruth Maria Bousonville, a data protection law expert at Pinsent Masons, described the appeals court’s decision in a blog post as a “milestone” in the application of GDPR in Germany.

Bousonville said: “It frames the dissuasiveness of fines with the various other circumstances which the GDPR also requires to be taken into account, namely the gravity of the infringement.

“The German data protection authorities are currently working on a revised scheme for fines. It will be interesting to see how they factor in the arguments which were decisive in this ruling.”

The reduction of the fine was welcomed by 1&1.

Julia Zirfas, data protection officer, said: “This is a clear signal that the original fine of €9.55 million was in no way related to the present, individual case. Nevertheless, the amended fine is also a significant amount. We therefore reserve the right to take further legal steps after a detailed examination of the ruling.”