Manipulated invoice via hacked e-mail: Those who do not encrypt are left holding the bag

To what extent is a company that sends an invoice by e-mail liable for the misuse of this invoice by third parties?

In its ruling of December 18, 2024, the Schleswig-Holstein Higher Regional Court (OLG) issued a far-reaching decision on the liability of the controller within the meaning of the General Data Protection Regulation (GDPR). The decision centered on the extent to which a company that sends an invoice by e-mail is liable for the misuse of that invoice by a third party if it has not taken sufficient security measures to protect personal data.

E-mail with invoice is intercepted and manipulated

The plaintiff, a contractor, carried out work for the defendant, a private customer, in accordance with the agreement and issued a final invoice for the outstanding remuneration after completion of the work. This invoice was sent to the defendant by email.

Unnoticed by the parties, the e-mail was intercepted and manipulated by third parties. The perpetrators changed the bank details on the invoice and forwarded the falsified version to the defendant. In good faith, the defendant transferred the invoice amount of EUR 15,385.78 to the account specified in the invoice, which, however, belonged to an unknown person. The fraud was only discovered later, when the plaintiff noticed the missing payment and pointed it out to the defendant.

The plaintiff then demanded that the defendant pay the remuneration again, as the original payment had not been credited to his account and therefore no fulfillment effect had occurred in accordance with Section 362 (1) BGB. The defendant, on the other hand, took the view that it had fulfilled its payment obligation, as it had paid the invoice as received. It also argued that the plaintiff had failed to take appropriate security measures to protect the personal data transmitted, in particular his own bank details, and that this was what made the fraud possible in the first place. It invoked a claim for damages pursuant to Art. 82 GDPR and argued that the plaintiff had acted negligently by sending the invoice by e-mail without sufficient protection. In particular, the transport encryption used was not sufficient to prevent manipulation of the e-mail.

The court thus faced two central legal questions: first, whether the payment to the wrong account extinguished the defendant's debt, and second, whether the plaintiff was liable for the resulting damage because of inadequate security measures.

Court affirms damages according to Art. 82 GDPR

The OLG confirmed the legal opinion that payment to a manipulated account does not lead to fulfillment within the meaning of Section 362 (2) BGB. The decisive factor is that the amount owed must be finally available to the creditor. The plaintiff could therefore in principle demand payment for the work again.

At the same time, however, the court stated that the customer could be entitled to a claim for damages in the amount of the transfer made to the third-party account, which it could set against the contractor's claim by way of the dolo agit defense pursuant to Section 242 BGB.

Such a claim for damages may in particular arise from the GDPR. The court stated that the defendant's personal data (name, address, outstanding claim) within the meaning of Art. 4 No. 1 GDPR had been processed, and that transmitting the invoice by e-mail constitutes processing within the meaning of Art. 4 No. 2 GDPR. Accordingly, the defendant could assert a claim for damages under Art. 82 GDPR against the plaintiff.

The manipulation of the invoice by third parties does not per se establish liability on the part of the plaintiff. Rather, it was necessary to examine whether the company's technical and organizational measures for securing e-mail communication were sufficient.

Requirements for the security of data transmission in accordance with Art. 32 GDPR

The OLG further stated that controllers are obliged under Art. 32 GDPR to take appropriate security precautions in order to protect personal data from unauthorized access.

In the opinion of the OLG, mere transport encryption using TLS (Transport Layer Security) does not satisfy the requirements of Art. 32 GDPR. Rather, end-to-end encryption is required to ensure an appropriate level of protection. The court referred to the guidance of the German Data Protection Conference (Datenschutzkonferenz) as well as to judgments of the European Court of Justice (ECJ), which emphasize the high responsibility of the controller for the security of the data (ECJ, C-687/21 and C-340/21).

Although the GDPR contains no explicit provision obliging companies to encrypt e-mails, it follows from an overall view of its rules that companies are obliged to minimize the risk of unauthorized access to personal data through suitable measures. According to the court, transport encryption is not sufficient, as it does not offer adequate protection against man-in-the-middle attacks.
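To make the distinction the court draws concrete: TLS protects each individual connection (sender to mail server, mail server to mail server, mail server to recipient), but every server on the path is an endpoint of those connections and therefore handles the message in plaintext; a compromised server can rewrite the bank details and the next hop's transport encryption will happily authenticate the altered version. End-to-end encryption keeps the key with the two parties only, so an intermediary can neither read nor alter the invoice without detection. The following Go program is an added illustration of that point (it is not code from the court, the parties, or the author of this article). It models the two delivery paths with AES-256-GCM from the Go standard library: per-link keys for the hop-by-hop path, and an X25519-derived key for the end-to-end path. The invoice text, the names `DeliverTransportOnly` and `DeliverEndToEnd`, and the simplified key derivation (SHA-256 over the shared secret instead of the key management a real S/MIME or OpenPGP deployment provides) are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

const SampleInvoice = "Invoice 2024-001\nAmount: EUR 15385.78\nIBAN: DE00 SENDER ACCOUNT (constructed)" // constructed sample

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM (nonce prefixed); the tag lets a key holder
// detect any change to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal and fails if ciphertext or tag were altered.
func open(key, box []byte) ([]byte, error) {
	gcm := newGCM(key)
	n := gcm.NonceSize()
	return gcm.Open(nil, box[:n], box[n:], nil)
}

// DeliverTransportOnly models TLS hop by hop: one link key for sender->relay,
// another for relay->recipient. The relay terminates the first link, so it
// handles plaintext, and the second link's tag is valid for whatever it sends.
func DeliverTransportOnly(invoice string, relayHostile bool) (string, error) {
	linkA, linkB := randomBytes(32), randomBytes(32)
	plain, err := open(linkA, seal(linkA, []byte(invoice))) // relay decrypts link 1
	if err != nil {
		return "", err
	}
	if relayHostile { // the manipulation from the case: bank details rewritten
		plain = []byte(strings.Replace(string(plain), "SENDER ACCOUNT", "OTHER ACCOUNT", 1))
	}
	got, err := open(linkB, seal(linkB, plain)) // recipient decrypts link 2
	if err != nil {
		return "", err
	}
	return string(got), nil
}

// DeliverEndToEnd derives one key from both parties' X25519 key pairs (simplified
// KDF: SHA-256 over the shared secret). The relay never holds this key.
func DeliverEndToEnd(invoice string, relayHostile bool) (string, error) {
	curve := ecdh.X25519()
	senderPriv, errS := curve.GenerateKey(rand.Reader)
	recipientPriv, errR := curve.GenerateKey(rand.Reader)
	if errS != nil || errR != nil {
		return "", fmt.Errorf("key generation failed: %v / %v", errS, errR)
	}
	shared, err := senderPriv.ECDH(recipientPriv.PublicKey())
	if err != nil {
		return "", err
	}
	key := sha256.Sum256(shared)
	wire := seal(key[:], []byte(invoice))
	if relayHostile { // without the key the relay can only corrupt bytes
		wire[len(wire)-1] ^= 0x01
	}
	got, err := open(key[:], wire) // recipient derives the same key and verifies the tag
	if err != nil {
		return "", fmt.Errorf("recipient rejected message: %w", err)
	}
	return string(got), nil
}

func main() {
	got, _ := DeliverTransportOnly(SampleInvoice, true)
	_, err := DeliverEndToEnd(SampleInvoice, true)
	fmt.Printf("hop-by-hop: IBAN rewritten unnoticed=%v; end-to-end: tampering rejected=%v\n",
		strings.Contains(got, "OTHER ACCOUNT"), err != nil)
}
```

Running the program prints that the hop-by-hop path delivers the rewritten IBAN with every transport tag intact, while the end-to-end path rejects the touched message. The model deliberately does not give the relay the end-to-end key; in practice the relevant question for a company is exactly that one: which systems between the two mailboxes could reconstruct the plaintext.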

Burden of proof and presumption of fault in the case of manipulated invoices

Art. 82 para. 3 GDPR provides for a presumption of fault in favor of the data subject: the controller must prove that it is not at fault. The plaintiff was unable to provide this proof, as he had not taken any further protective measures. The court made it clear that companies must not only meet minimum legal standards, but also take current technical developments into account. In view of the known risks of transmitting sensitive data by e-mail, a responsible company must take the best possible protective measures.

The court denied contributory negligence on the part of the defendant pursuant to Section 254 BGB. It was true that the defendant had overlooked bank details that differed from previous invoices. However, it was not reasonable for a private customer to check every invoice received for possible manipulation. Since the fraud was only made possible by the plaintiff's inadequate security measures, the plaintiff alone was responsible for the damage incurred.


Consequences of the ruling for daily business transactions

The ruling has far-reaching implications for the practice of business e-mail traffic and the requirements for the IT security of companies. Companies that send invoices or other sensitive documents by email need to fundamentally rethink their security standards.

One of the key findings of the ruling is that mere transport encryption is not recognized as a sufficient security measure. Instead, the court recommends the use of end-to-end encryption in order to prevent manipulation by third parties. Companies are therefore urged to review their IT infrastructure and, if necessary, switch to secure communication channels, for example by using digital customer portals where invoices are provided in a secure environment.

The ruling also shows that companies need to proactively invest in cyber security measures. These include training for employees to make them aware of phishing attacks and other attempts at manipulation, as well as the use of multi-factor authentication and signed emails to secure business transactions. Companies that fail to take these measures risk not only data protection breaches, but also significant financial and liability consequences.

Finally, the ruling makes it clear that the accountability obligation under Art. 5 para. 2 GDPR must be taken seriously. Companies should therefore regularly evaluate and document their data protection and security concepts so that, in the event of a dispute, they can prove that they have taken appropriate measures to protect personal data. The ruling is thus a clear signal to companies that data protection and IT security must be central components of legally compliant business operations.

Conclusion

With this ruling, the Higher Regional Court of Schleswig-Holstein has significantly raised the standards for the protection of personal data in business e-mail traffic. Companies are obliged to guarantee the highest level of security in order to prevent data protection breaches. The decision underlines that not only the protection of personal data, but also the protection of customers against economic damage, plays a central role under the GDPR. Companies should therefore critically scrutinize their data protection measures and, if necessary, upgrade them in order to avoid comparable liability cases.

Source: Judgment of the Schleswig-Holstein Higher Regional Court 12 U 9/24 of 18.12.2024

Do you want to avoid complications and make your company fit for data protection and compliance? We'll tackle it together! Our experts will be happy to advise you. Give us a call or write to us:
Phone: +1 (954) 852-1633
E-mail: info@2b-advice.com
