May be of interest:
https://www.mishcon.com/news/95m-gdpr-fine-to-german-telco-for-insecure-customer-authentication
NB also a €10k fine to another telco for failing to appoint a DPO.
Sent from my iPhone