
Manipulated invoice via hacked e-mail: Those who do not encrypt are left holding the bag

To what extent is a company that sends an invoice by e-mail liable for the misuse of this invoice by third parties?

In its ruling of December 18, 2024, the Higher Regional Court of Schleswig-Holstein (OLG) made a far-reaching decision on the liability of the controller within the meaning of the General Data Protection Regulation (GDPR). The decision centered on the question of the extent to which a company that sends an invoice by email is liable for the misuse of this invoice by third parties if it has not taken sufficient security measures to protect the personal data.

E-mail with invoice is intercepted and manipulated

The plaintiff, a contractor, carried out work for the defendant, a private customer, in accordance with the agreement and issued a final invoice for the outstanding remuneration after completion of the work. This invoice was sent to the defendant by email.

Unnoticed by the parties, the email was intercepted and manipulated by third parties. The perpetrators changed the bank details in the invoice and forwarded the falsified version to the defendant. In good faith, the defendant transferred the invoice amount of EUR 15,385.78 to the account specified in the invoice, which, however, belonged to an unknown person. The fraud was only discovered later when the plaintiff noticed the missing payment and pointed it out to the defendant.

The plaintiff then demanded that the defendant pay the remuneration again, as the original payment had not been credited to his account and therefore there was no fulfillment effect pursuant to Section 362 (1) BGB. The defendant, on the other hand, took the view that it had fulfilled its payment obligations as it had paid the invoice as received. It also claimed that the plaintiff had failed to take appropriate security measures to protect the personal data transmitted, in particular its own bank details, and that this was what had made the fraud possible in the first place. It invoked a claim for damages under Art. 82 GDPR and argued that the plaintiff had acted negligently by sending the invoice by email without adequate protection. In particular, the transport encryption used was not sufficient to prevent manipulation of the email.

This raised two central legal questions: first, whether the payment to the wrong account extinguished the defendant's debt, and second, whether the plaintiff was liable for the damage incurred because of inadequate security measures.

Court affirms damages according to Art. 82 GDPR

The OLG confirmed the legal opinion that payment to a manipulated account does not lead to fulfillment within the meaning of Section 362 (2) BGB. The decisive factor is that the amount owed must be finally available to the creditor. The plaintiff could therefore in principle demand payment for the work again.

At the same time, however, the court stated that the customer could be entitled to a claim for damages in the amount of the transfer made to the third-party account, which she could set against the contractor's claim by way of the dolo agit defense pursuant to Section 242 BGB.

Such a claim for damages can arise in particular from the GDPR. The court stated that the defendant's personal data (name, address, outstanding claim) were processed within the meaning of Art. 4 No. 1 GDPR and that the transmission of the invoice by email constituted processing within the meaning of Art. 4 No. 2 GDPR. Accordingly, the defendant could assert a claim for damages against the plaintiff under Art. 82 GDPR.

The manipulation of the invoice by third parties does not per se establish liability on the part of the plaintiff. Rather, it must be examined whether the company's technical and organizational measures for securing email communication were sufficient.

Requirements for the security of data transmission in accordance with Art. 32 GDPR

The OLG further stated that companies are obliged under Art. 32 GDPR to take appropriate security precautions to protect personal data from unauthorized access.

According to the OLG, mere transport encryption using TLS (Transport Layer Security) does not meet the requirements of Art. 32 GDPR. Rather, end-to-end encryption is required to ensure an adequate level of protection. The court referred to the guidance of the Data Protection Conference and to rulings of the European Court of Justice (ECJ), which emphasize the high responsibility of the controller for the security of the data (ECJ, C-687/21 and C-340/21).

Although the GDPR does not contain any explicit provisions on the obligation to encrypt emails, it is clear from the overall view of the regulations that companies are obliged to minimize the risk of unauthorized access to personal data by taking appropriate measures. According to the court, transport encryption is not sufficient, as it does not offer adequate protection against man-in-the-middle attacks.

Burden of proof and presumption of fault in the case of manipulated invoices

Art. 82 para. 3 GDPR provides for a presumption of fault in favor of the data subject. The controller must prove that they are not at fault. The plaintiff was unable to provide this proof as he had not taken any further protective measures. The court made it clear that companies must not only comply with minimum legal standards, but must also take current technical developments into account. In view of the known risks involved in the transmission of sensitive data by email, a responsible company must take the best possible protective measures.

The court denied contributory negligence on the part of the defendant pursuant to Section 254 BGB. It was true that the defendant had overlooked bank details that differed from previous invoices. However, it was not reasonable for a private customer to check every invoice received for possible manipulation. Since the fraud was only made possible by the plaintiff's inadequate security measures, the plaintiff alone was responsible for the damage incurred.


Consequences of the ruling for daily business transactions

The ruling has far-reaching implications for the practice of business email traffic and the IT security requirements of companies. Companies that send invoices or other sensitive documents by email must fundamentally rethink their security standards.

One of the key findings of the ruling is that mere transport encryption is not recognized as a sufficient security measure. Instead, the court recommends the use of end-to-end encryption to prevent manipulation by third parties. Companies are therefore required to review their IT infrastructure and, if necessary, switch to secure communication channels, for example by using digital customer portals on which invoices are provided in a secure environment.

The ruling also shows that companies need to proactively invest in cyber security measures. These include training for employees to make them aware of phishing attacks and other attempts at manipulation, as well as the use of multi-factor authentication and signed emails to secure business transactions. Companies that fail to take these measures risk not only data protection breaches, but also significant financial and liability consequences.
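The technical gap the court describes above (transport encryption only) and the countermeasure named in this paragraph (signed emails) can be illustrated with a short program. The example below is added here and is not code from the court, the article or any product it mentions. It uses an Ed25519 detached signature as a stand-in for S/MIME or OpenPGP signing of an invoice: the contractor signs the invoice content, the customer verifies it with a public key obtained out of band, and a copy whose IBAN was swapped in transit fails verification. TLS between mail servers protects each hop, but the message is plaintext wherever it is stored or relayed, which is where the edit in the case happened; an end-to-end signature travels with the message and lets the recipient detect exactly that edit. The invoice number and IBANs are constructed placeholders; only the amount is taken from the ruling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Invoice holds the fields a contractor would send; the IBAN is the field
// the attackers altered in the case discussed in the article.
type Invoice struct {
	Number string
	Amount string
	IBAN   string
}

// canonical serialises the invoice deterministically so that the sender
// signs, and the recipient verifies, exactly the same bytes.
func canonical(inv Invoice) []byte {
	return []byte(strings.Join([]string{inv.Number, inv.Amount, inv.IBAN}, "\n"))
}

// SignInvoice creates a detached Ed25519 signature (base64) over the
// canonical invoice. The private key never leaves the contractor's system.
func SignInvoice(priv ed25519.PrivateKey, inv Invoice) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(inv)))
}

// VerifyInvoice checks the detached signature with the contractor's public
// key. The customer must have obtained that key out of band (contract,
// customer portal), not from the e-mail itself; malformed or wrong-length
// signatures are rejected before verification.
func VerifyInvoice(pub ed25519.PublicKey, inv Invoice, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, canonical(inv), sig)
}

// Demo walks through the scenario: the contractor signs the genuine invoice,
// someone with access to the stored or relayed message swaps the IBAN, and
// the customer verifies both versions. It returns (genuineOK, tamperedOK).
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample values; only the amount is taken from the article.
	genuine := Invoice{Number: "2024-0001", Amount: "15385.78 EUR", IBAN: "DE00 0000 0000 0000 0000 00"}
	sig := SignInvoice(priv, genuine)

	// TLS protected each hop, but the message is plaintext at rest on every
	// mail server and in the mailbox, so its content can be edited there.
	tampered := genuine
	tampered.IBAN = "DE99 9999 9999 9999 9999 99" // constructed placeholder

	return VerifyInvoice(pub, genuine, sig), VerifyInvoice(pub, tampered, sig)
}

func main() {
	ok, bad := Demo()
	fmt.Printf("genuine invoice verifies: %v\n", ok)           // true
	fmt.Printf("invoice with swapped IBAN verifies: %v\n", bad) // false
}
```

Two design points follow from the ruling. First, a signature only helps if the customer already holds the correct public key; if the key (or a certificate) arrives in the same email, a party who can edit the message can replace both, which is why the key must be anchored in the contract, a customer portal or an S/MIME certificate chain the mail client trusts. Second, signing gives integrity and origin, not confidentiality; the end-to-end encryption the court calls for additionally keeps the personal data in the invoice unreadable on intermediate servers, and in practice both are obtained together with S/MIME or OpenPGP rather than with a hand-rolled scheme like this illustration.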

Finally, the ruling makes it clear that the accountability obligation under Art. 5 para. 2 GDPR must be taken seriously. Companies should therefore regularly evaluate and document their data protection and security concepts in order to be able to prove that they have taken appropriate measures to protect personal data in the event of a dispute. The ruling is therefore a clear signal to companies that data protection and IT security must be central components of legally compliant business operations.

Conclusion

With this ruling, the Higher Regional Court of Schleswig-Holstein has significantly raised the standards for the protection of personal data in business email traffic. Companies are obliged to guarantee the highest level of security in order to prevent data protection breaches. The ruling underlines that not only the protection of personal data, but also protection against economic damage to customers plays a central role in the GDPR. Companies should therefore critically scrutinize their data protection measures and, if necessary, upgrade them in order to avoid comparable liability cases.

Source: Judgment of the Schleswig-Holstein Higher Regional Court 12 U 9/24 of 18.12.2024

