Revision as of 07:59, 18 October 2023
LG München I - 5 O 5853/22
Court: LG München I (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(f) GDPR; Article 32(1) GDPR
Decided:
Published:
Parties:
National Case Number/Name: 5 O 5853/22
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): German
Original Source: Bayern.Recht (in German)
Initial Contributor: Julia
A German court held that a controller must implement technical and organisational measures to protect data processed in the context of a controller-processor relationship even after the contract between them has ended. In particular, access credentials that were shared with the processor must be changed, since the controller may not rely on the processor deleting its copy.
English Summary
Facts
The case concerns a claim for damages following a data breach at a financial services company, the controller. The data subject was a customer of the controller and had to provide numerous personal data on registration, including name, address, date and place of birth, nationality, marital status, tax residency, IBAN, a copy of an identity document and a portrait photo.
Until the end of 2015 the controller used cloud services offered by another company, the processor, and the access key to the controller's document archive was stored with the processor. At the end of 2015 the controller terminated the contract with the processor but did not erase the data from the cloud. It also neither changed the access credentials for the archive nor instructed the processor to block or delete the key.
In 2020 the processor suffered a hacker attack, and a total of 389,000 data records belonging to 33,200 of the controller's customers were copied by unknown third parties. The attackers used the credentials that had remained unchanged since 2015. Because the key was still valid, it also opened data of customers, such as the data subject, who had only joined the controller after 2015.
The data subject claimed non-material damages of at least €5,100 and a declaration that the controller is liable for future material damage, arguing that the controller had not implemented appropriate technical and organisational measures pursuant to Article 32 GDPR and had not notified him properly pursuant to Article 34 GDPR.
Holding
The court held that the controller violated Article 32(1) GDPR, which requires appropriate technical and organisational measures to ensure a level of protection of personal data appropriate to the risk to the rights and freedoms of data subjects. In conjunction with the principle of integrity and confidentiality in Article 5(1)(f) GDPR, data must be protected against unauthorised and unlawful processing by appropriate technical and organisational measures. The specific protective measures to be taken depend on the importance of the data for the rights and interests of the data subject.
In the present case, contrary to Article 5(1)(f) GDPR, the controller simply did nothing to prevent misuse of the data after the end of the contract with the processor. The court found it particularly relevant that the controller neither changed its credentials nor instructed the processor to block the key when the contract ended. The controller could not rely on the processor deleting the key, whether or not the processor was contractually obliged to do so: as a provider of online services it had to expect that backup copies are made regularly and that the key could survive in the processor's backups. The court also rejected the argument that changing the credentials would have been disproportionately burdensome; a short-term unavailability of the services would have been acceptable. The court compared the situation to a landlord who, after the end of a tenancy, leaves the key to the flat with the tenant and no longer cares what happens to it. Changing the credentials could have minimised or even eliminated the risk of unauthorised processing.
The court therefore declared that the controller is obliged to compensate the data subject for all future material damage resulting from the unauthorised access. The claim for non-material damages of at least €5,100 was dismissed, however, because the data subject had not substantiated any specific harm beyond a vague feeling of loss of control over his data; under Article 82(1) GDPR a violation of the GDPR and the resulting damage are two separate elements, and the damage must actually have been suffered rather than merely feared. The court also found no violation of Article 34 GDPR: the notification sent on 19 October 2020, three or four days after the controller became aware of the breach and following a weekend, was made without undue delay and contained the required content.
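The failure the court describes is a missing offboarding control: a credential shared with a processor stayed valid for more than four years after the engagement ended, and the only remedy fully in the controller's hands was rotation on its own side. The following Python script is an added example for this page, not code from the court, the parties or any vendor. It audits a credential inventory against a list of external engagements and flags every key that a departed party once held and that has not been rotated since their departure, plus any key older than a rotation policy; it also shows that rotating the key, rather than asking the former holder to delete it, is what clears the finding. All key names, parties, dates and records are constructed for the example.

```python
"""Credential offboarding audit.

Added example for this page, not code from the court, the parties or any
vendor.  The decision turns on one fact: an access key shared with a cloud
processor was never rotated after the contract ended at the end of 2015 and
was still valid when the archive was accessed in 2020.  The court also held
that the controller may not rely on the processor deleting its copy, because
keys survive in backups.  The only control the controller fully owns is
rotation on its own side, so that is what this audit checks.

All names, dates and records below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Credential:
    key_id: str                   # identifier of the secret in the secret store
    system: str                   # what it unlocks, e.g. "document-archive"
    shared_with: Tuple[str, ...]  # every external party that ever received a copy
    last_rotated: date            # date the secret value was last changed


@dataclass(frozen=True)
class Engagement:
    party: str
    ended: Optional[date]         # None = contract still running


@dataclass(frozen=True)
class Finding:
    key_id: str
    reason: str
    days_exposed: int             # days the key stayed live past the point it should have changed


def audit(credentials: List[Credential], engagements: List[Engagement],
          as_of: date, max_age_days: int = 365) -> List[Finding]:
    """One Finding per rule a credential violates on `as_of`.

    Rule 1 (offboarding): a party that held the key has left and the key value
    predates that departure, so the party's copy, or a backup of it, still works.
    Rule 2 (age): no rotation for longer than max_age_days, shared or not.
    """
    end_by_party = {e.party: e.ended for e in engagements}
    findings: List[Finding] = []
    for c in credentials:
        for party in c.shared_with:
            if party not in end_by_party:
                continue                        # no engagement record to compare against
            ended = end_by_party[party]
            if ended is None or ended < c.last_rotated:
                continue                        # still engaged, or rotated after they left
            findings.append(Finding(
                c.key_id,
                f"shared with {party}, engagement ended {ended.isoformat()}, not rotated since",
                (as_of - ended).days))
        age = (as_of - c.last_rotated).days
        if age > max_age_days:
            findings.append(Finding(c.key_id, f"not rotated for {age} days", age - max_age_days))
    return findings


def rotate(cred: Credential, on: date) -> Credential:
    """Record a rotation: the value changed on `on`.  Sharing history is kept for
    the audit trail, but former holders no longer have the new value."""
    return Credential(cred.key_id, cred.system, cred.shared_with, on)


# Constructed inventory modelled on the facts of the case: the archive key was
# shared with the processor, the engagement ended on 2015-12-31, and the key
# was never rotated before the first unauthorised access in April 2020.
CREDENTIALS = [
    Credential("archive-key-01", "document-archive", ("cloud-processor",), date(2014, 6, 1)),
    Credential("db-admin-02", "customer-db", ("cloud-processor",), date(2016, 3, 1)),
    Credential("api-token-03", "reporting-api", (), date(2020, 1, 15)),
]
ENGAGEMENTS = [
    Engagement("cloud-processor", date(2015, 12, 31)),
    Engagement("auditor", None),
]


def summarize(as_of_iso: str = "2020-04-15") -> Dict[str, List[str]]:
    """Map key id -> reasons it fails the audit on the given ISO date."""
    out: Dict[str, List[str]] = {}
    for f in audit(CREDENTIALS, ENGAGEMENTS, date.fromisoformat(as_of_iso)):
        out.setdefault(f.key_id, []).append(f.reason)
    return out


def clean_after_rotation(rotated_on_iso: str, as_of_iso: str) -> bool:
    """True if rotating every key on `rotated_on_iso` leaves no finding on `as_of_iso`."""
    rotated = [rotate(c, date.fromisoformat(rotated_on_iso)) for c in CREDENTIALS]
    return not audit(rotated, ENGAGEMENTS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for key_id, reasons in summarize().items():
        print(key_id)
        for r in reasons:
            print("  -", r)
    print("clean after rotation:", clean_after_rotation("2020-10-20", "2020-12-01"))
```

Run on the constructed inventory as of 15 April 2020, the archive key is flagged twice (former holder still has a copy; no rotation for years), the database key once on age alone, and the recent API token not at all. Note that `db-admin-02` is not flagged under the offboarding rule even though the processor once held it, because it was rotated after the engagement ended; that is exactly the step the controller in this case omitted. The audit deliberately ignores whether the former party promised to delete the key, mirroring the court's point that such trust is not a protective measure.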
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Title: Scope of protective measures for data processing
Provisions: GDPR Art. 5 Paragraph 1 Letter f
Guiding principle: Article 5 Paragraph 1 Letter f of the GDPR supplements the aspect of confidentiality, namely that the data must be protected from unauthorized and unlawful processing through appropriate technical and organizational measures. The specific protective measures to be taken depend on the importance of the data for the rights and interests of the data subjects. (Rn. 39) (editorial guiding principle)
Tags: Data protection, processing, protective measures, Regulation (EU) 2016/679
Appeal authority: LG Munich I, correction order of March 14, 2023 - 5 O 5853/22
Reference: BeckRS 2023, 20930

Operative part
1. It is established that the defendant is obliged to compensate the plaintiff for all future material damage caused to the plaintiff as a result of unauthorized access by third parties to the defendant's data archive in the period from April to October 2020. In all other respects, the action is dismissed.
2. The plaintiff must bear the costs of the legal dispute.
3. The judgment is provisionally enforceable. The plaintiff can avert the defendant's enforcement by providing security in the amount of 110% of the amount enforceable on the basis of the judgment, unless the defendant provides security in the amount of 110% of the amount to be enforced before enforcement.
4. The amount in dispute is set at €5,400.00.

Facts of the case
1 The parties are in dispute over claims for damages due to a data leak at a financial services company.
2 The defendant is a securities institution founded in 2014 that offers digital asset management as a so-called robo-advisor. The plaintiff was a customer of the defendant until November 2020 and had maintained a securities account there since August 9, 2020. As part of authentication and registration, the plaintiff had to provide the defendant with the following personal data: first and last name, title, address, email address, mobile phone number, date of birth, place of birth, country of birth, nationality, marital status, tax residency, IBAN, copy of ID, and a portrait photo taken using the Post-Ident process (Appendix B7).
3 On April 15/16, 2020, August 5/6, 2020 and October 10/11, 2020, personal data in the defendant's digital document archive were accessed; a total of 389,000 data records from 33,200 of the defendant's customers were copied and stolen. Access to the personal data occurred as part of a hacker attack on the company (hereinafter: ).
4 The company is an IT company that offers cloud services. The defendant used services from the company until the end of 2015, so that access data to the defendant's IT system was stored there. Using these access data, the attackers gained access to part of the defendant's document archive and the customer data contained therein. The attackers are unknown; the Bamberg Public Prosecutor's Office is conducting an investigation under the ref.
5 The defendant did not change the access data after the contractual relationship ended at the end of 2015 until the incident in dispute.
6 The defendant informed the plaintiff on October 19, 2020 of the incident and that he was affected by the data leak (Appendix K2).
7 In a letter dated April 26, 2022, the plaintiff's legal representatives asked the defendant to state whether it was prepared to compensate the plaintiff for the non-material damage caused by the access to his data (Appendix K4), which the defendant rejected in a letter from its legal representatives dated May 5, 2020.
8 The plaintiff claims that account data and/or securities portfolio data as well as tax data were also intercepted and that the intercepted customer data, including that of the plaintiff, is circulating on the dark web. The defendant had already become aware of the data incident on October 15, 2020.
9 The plaintiff is of the opinion that he is entitled to non-material damages from the defendant because the defendant has violated several provisions of the GDPR. The defendant failed to take appropriate organizational protective measures to prevent third parties from accessing the plaintiff's data, because it did not change the access data to its IT system after the contractual relationship with the company ended at the end of 2015, and thereby violated Article 32 Paragraph 1 Letter b GDPR in a grossly negligent manner.
10 In addition, he was not immediately informed of the violation of his data protection rights within the meaning of Article 34 Paragraph 1 GDPR, and the notification dated October 19, 2020 did not meet the minimum content requirements of Article 33 Paragraph 3 Letters b, c, d GDPR.
11 Due to the extent, type and quality of the personal data accessed, the plaintiff's identity was stolen; this identity theft already constitutes non-material damage. Non-material damage also occurred because the plaintiff lost control over what would happen to his data in the future and for what purpose it would be used.
12 It can also be assumed that if the defendant had adhered to the security standards considered adequate, the specific data incident would not have occurred.
13 The defendant has been in default since May 5, 2020, which is why it has to bear the out-of-court legal costs incurred by the plaintiff.
14 There is an interest in a declaratory judgment because there is the possibility that further damage will arise from the use of the illegally obtained data.
15 The plaintiff requests:
1. The defendant is ordered to pay the plaintiff an amount of at least €5,100.00 plus interest of 5 percentage points above the base interest rate since the action was brought.
2. It is established that the defendant is obliged to compensate the plaintiff for all future material damage caused to the plaintiff as a result of the unauthorized access of third parties to the defendant's data archive in the period from April to October 2020.
3. The defendant is ordered to reimburse the plaintiff's pre-trial legal fees in the amount of €859.18.
16 The defendant requests that the action be dismissed. The defendant claims that it did not become aware of the data incident on October 15, 2020, but only on October 16, 2020. The plaintiff's tax identification number was not affected by the data incident because the plaintiff did not provide his tax identification number when registering. The plaintiff's information collected as part of the suitability test was also not affected by the data incident. Such a suitability test was not carried out when the plaintiff registered because it could not be carried out for the brokerage service used by the plaintiff.
17 The data incident occurred in 2020 and the plaintiff's data has not been misused since then. The plaintiff also does not claim that he himself became a victim of any attempted fraud by cybercriminals following the data incident; in particular, according to his own statements, he did not receive any spam calls or extortion emails.
18 The defendant is of the opinion that the plaintiff suffered neither material nor non-material damage. The plaintiff's data was neither misused nor was there any identity theft. There is already no substantiated submission on this.
19 The defendant has also implemented sufficient technical and organizational measures to ensure adequate data security; in particular, the IT infrastructure underlying the document archive is certified in accordance with IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.
20 A claim for damages cannot be based from the outset on an alleged violation of Art. 34 GDPR, because this provision does not fall within the scope of protection of Art. 82 GDPR.
21 It was also entitled to assume that the company had completely and permanently deleted the access data, since the company was obliged to dispose of the access data that it had received to perform the software services and that was no longer needed after the contract had ended.
22 Even if there is damage, there is no evidence of fault on the part of the defendant or of causality.
23 The application for a declaratory judgment is inadmissible because there is no interest in a declaratory judgment, and the action is also inadmissible because the application for payment in paragraph 1 is not sufficiently specific. The plaintiff asserts a single payment claim but bases it on the alleged violation of Art. 34 GDPR and of Art. 32 GDPR, which means that the action is based on two different subjects of dispute.
24 Both parties agreed to a decision in the written procedure at the hearing on November 15, 2022. By order of November 15, 2022, a decision in the written procedure pursuant to § 128 para. 2 ZPO was ordered (Bl. 205 d.A.).
25 To supplement the facts of the case, reference is made to the parties' mutual written submissions including appendices as well as the minutes of the oral hearing dated November 15, 2022 (Bl. 204/207 d.A.).

Reasons for the decision
26 The admissible action is largely unfounded.
27 I. The action is admissible.
28 1. The Munich I Regional Court has subject-matter jurisdiction in accordance with Sections 1 ZPO, 71 Paragraph 1, 23 No. 1 GVG and local jurisdiction in accordance with Sections 44 Paragraph 1 Sentence 1 BDSG, 12, 17 ZPO.
29 2. Claim number 1 is sufficiently specific within the meaning of Section 253 Paragraph 2 No. 2 ZPO.
30 Contrary to the defendant's opinion, the application for payment is not too indefinite on the ground that the two alleged GDPR violations represent different sets of facts and therefore different subjects of dispute, such that the plaintiff would have had to specify in what proportion the violations underlie the minimum amount of €5,100. The alleged violations, the failure to take appropriate protective measures and the inadequate notification of the data incident, belong to the same set of facts, since the same data is affected.
31 3. With regard to claim number 2, the plaintiff also has an interest in a declaratory judgment in accordance with Section 256 Paragraph 1 ZPO.
32 An action to establish a tortfeasor's obligation to compensate future damage is permissible if there is a possibility of damage occurring (OLG Munich 10 U 707/15, Rn. 4; Bacher, BeckOK ZPO, 47th Edition, as of December 1, 2022, § 256 paragraph 24).
33 This possibility exists in the present case because the attackers still have access to the plaintiff's data. The fact that the plaintiff has not suffered any material damage since the data incident in 2020 does not change this, since a sufficient probability of damage is not required; the possibility that still exists is sufficient. This would only not be the case if, from the plaintiff's point of view, there was no reasonable reason to at least expect damage to occur (BeckOK ZPO, loc. cit.).
34 II. However, the action is only partially well-founded.
35 1. The plaintiff is not entitled to the payment asserted as claim 1. The plaintiff has no claim against the defendant to payment of at least €5,100.00 plus interest of 5 percentage points above the base interest rate since the action was brought. This does not arise from Art. 82 Para. 1 GDPR, and no further basis for the claim is apparent in the present case.
36 A claim for non-material damages in accordance with Art. 82 Para. 1 GDPR is excluded. Although the defendant violated the GDPR, the plaintiff did not suffer any damage as a result.
37 a) The defendant is the controller within the meaning of Article 82 Paragraph 1, Article 4 No. 7 GDPR, as it requests customer data as part of the registration process and stores it in a data archive.
38 b) The defendant has violated Article 32 (1) GDPR.
39 Art. 32 Para. 1 GDPR obliges controllers to take appropriate technical and organizational measures to guarantee a level of protection appropriate to the risk to the rights and freedoms of the persons affected by data processing. Art. 5 Para. 1 (f) GDPR supplements the aspect of confidentiality: the data must be protected from unauthorized and unlawful processing through appropriate technical and organizational measures. The specific protective measures to be taken depend on the importance of the data for the rights and interests of the data subjects (Schantz in: BeckOK Data Protection Law, 42nd Edition, November 1, 2021, Art. 5 Rn. 35).
40 (1) The defendant failed to do this by not changing the access data to its IT system after the contractual relationship with the company ended.
41 The defendant had stored the access key to its data archive with the company. The stored personal data, including the plaintiff's data, were and are in a document archive at the company in Frankfurt a.M. The defendant ended the contractual relationship with the company at the end of 2015. The access to the plaintiff's data took place in 2020, i.e. over four years after the end of the contractual relationship.
42 The data collected by the defendant were stored in the data archive and read there using the access key obtained from the company. After the contractual relationship with the company ended, the defendant did not change the access key or take any other steps to ensure that the access key could no longer be used.
43 (2) In doing so, it maintained the risk that its customers' data could also be accessed through a hacker attack on the company. This risk could have been minimized or even eliminated by changing the access data.
44 (3) Since the defendant is the controller within the meaning of Article 32 Paragraph 1, Article 4 No. 7 GDPR, it was not permitted to rely on the company deleting the access data, regardless of whether the company was contractually obliged to do so or not.
45 As a provider of online services - the contract with the plaintiff was concluded exclusively online - the defendant also had to know that backup copies are made regularly, i.e. that data is ultimately not stored in a single location only. It was aware that the access key could also be in the company's backup copies. The defendant therefore did not take the necessary care to ensure that the access key held by the company could not be used any further (likewise LG Cologne, May 18, 2022, 28 O 328/21). The defendant's trust alone that the company would behave in accordance with the law and that misuse of the access key was ruled out is not sufficient to claim an adequate level of protection, especially given the sensitivity of the personal data collected. Contrary to Article 5 GDPR, which requires measures to be taken, the defendant simply did nothing to prevent data misuse after the end of the contract with the company, almost as if, after the end of a tenancy, it had left the key to the apartment with the tenant and not cared what happened to it.
46 (4) The defendant also did not adequately explain why changing the access data would have been so time-consuming that it would no longer have been appropriate in relation to the risk to the rights and freedoms of its customers. In particular, a short-term unavailability of the services would have been acceptable.
47 (5) In addition, the defendant, through its conduct, expanded the possibility of data misuse via the company beyond the original scope, since personal data of customers who were only acquired after the end of the contractual relationship were also accessible via the old access key. In this respect, there is also no effective consent to data processing in accordance with Art. 6 GDPR, since the plaintiff was not even informed that his data was accessible to the company as a third party that was not involved in the contractual relationships either with him or with the defendant. The defendant must have been aware that the access key could still be present at the company (see above).
48 (6) Since the defendant has violated its own obligations under Article 32 Para. 1 GDPR, it can be left open whether any violation by the company can be attributed to it.
49 c) The defendant, however, did not violate Art. 34 GDPR.
50 aa) The defendant informed the plaintiff about the data incident without undue delay in accordance with Article 34 (1) GDPR.
51 (1) Unlike Art. 33 GDPR, according to which the notification to the supervisory authority must be made without undue delay and, where feasible, within 72 hours of becoming aware of it, Art. 34 Paragraph 1 GDPR does not contain a time frame, but only requires that the controller inform the data subject of the breach without undue delay. For timely information within the meaning of Article 34 Para. 1 GDPR, it does not generally apply that this must be provided within 72 hours of becoming aware of the breach.
52 (2) The defendant informed the plaintiff about the data incident on October 19, 2020 without culpable hesitation and therefore without undue delay within the meaning of Section 121 Paragraph 1 BGB. This applies regardless of whether the defendant became aware of the data incident on October 15, 2020 or only on October 16, 2020.
53 (3) The controller must be given a period of time in which to determine the scope and significance of the incident; after all, a certain level of knowledge is required so that the notification can meet the content requirements of Article 34 (2) GDPR. If one set too strict requirements for promptness within the framework of Article 34 Para. 1 GDPR, this would run counter to the goal of providing information to those affected by the data incident. In particular, it should also be taken into account that October 17 and 18, 2020 fell on a weekend, which may have made it more difficult for the defendant to find out more information about the data incident.
54 bb) The information also met the content requirements of Art. 34 Para. 2, Art. 33 Para. 3 lit. b, c, d GDPR.
55 (1) The notification dated October 19, 2020 was quite brief, but it still contained all the legally required content.
56 (2) The content requirement resulting from Art. 34 Para. 2 GDPR was met by a brief description of the course of the data incident and thus a statement of the nature of the personal data breach.
57 (3) The content required under Article 34 Paragraph 2, Article 33 Paragraph 3 Letters b, c and d GDPR was also included.
58 (a) The defendant's customer service team was named as the contact point for further information within the meaning of Art. 33 Para. 3 lit. b GDPR, with contact details provided.
59 (b) The defendant also informed the plaintiff within the meaning of Art. 33 Para. 3 lit. c GDPR, in that the possibility of identity misuse was raised.
60 (c) The defendant also described a further investigation into the matter and the involvement of external consultants as measures taken by it, and advised those affected not to disclose any personal access data by email or telephone, thereby satisfying the requirements of Article 33 paragraph 3 lit. d GDPR.
61 cc) Furthermore, the plaintiff has not substantiated the extent to which the damage he claims would have been avoided by a notification that complied with Art. 34 GDPR in terms of timing and content. A violation of Article 34 GDPR would therefore not have been the cause of any damage.
62 d) However, the plaintiff suffered neither material nor non-material damage as a result of the data incident within the meaning of Article 82 (1) GDPR.
63 The burden of proof for the occurrence of damage lies with the plaintiff, who must present and prove the specific damage suffered as part of the claim for damages (OLG Frankfurt a.M., March 2, 2022, 13 U 206/20; LG Cologne, February 16, 2022, 28 O 303/20).
64 aa) The plaintiff has not substantiated that he himself suffered impairments going beyond a vague feeling of loss of control over his data. In particular, he was unable to provide any substantiated evidence that his data had been misused or that his data had been offered on the darknet.
65 bb) The present facts therefore differ from the judgments cited by the plaintiff (e.g. LG Munich I, final judgment of June 23, 2022 - 5 O 3768/22; LG Munich I, final judgment of December 9, 2021 - 31 O 16606/20), in which other plaintiffs were awarded damages against the same defendant, (significantly) lower than those requested by the plaintiff here. The judgments cited were each based on circumstances in which the plaintiffs had succeeded in presenting and proving the impairments they had suffered.
66 cc) The fact that other people affected by the data incident suffered damage, for example through receiving spam emails, cannot constitute damage to the plaintiff, as there is no personal disadvantage suffered by him.
67 dd) Contrary to the plaintiff's opinion, damage cannot be assumed simply because of the defendant's violation of Art. 32 GDPR, on the reasoning that the violation of the GDPR itself constitutes damage within the meaning of Art. 82 Paragraph 1 GDPR.
68 (1) This view is not compatible with the wording of Article 82 (1) GDPR. According to the wording, a claim for damages exists if a person has suffered material or non-material damage due to a violation of the GDPR; the existence of a violation of the GDPR and the resulting damage are therefore two different elements. If every violation of the GDPR in itself gave rise to damage and thus to a claim for damages, it would be unnecessary for Article 82 Para. 1 GDPR to cite the existence of damage as a prerequisite for the claim. The damage cannot therefore be equated with the underlying violation of legal interests. The damage must expressly have been "suffered", which means that it must actually have occurred and not merely be feared (BeckOK Data Protection Law, 42nd Edition, 08/01/22, Art. 82 GDPR para. 23). Proof of concrete (including non-material) damage is therefore required (OLG Frankfurt a.M., judgment of March 2, 2022, 13 U 206/20).
69 (2) In addition, this view would place an unfair burden on controllers within the meaning of the GDPR.
70 The present case shows that a large number of people - in this case 33,200 customers - can be affected in the event of a data leak at large companies. If each of these people were entitled to five-figure damages because of a violation of the GDPR, without the affected parties having suffered any specific impairment, this would potentially result in payment obligations for companies that could threaten their existence, even though the impairment of their customers' rights could be classified as rather minor.
71 (3) The existence of specific non-material damage, which also includes fears, stress as well as loss of comfort and time (OLG Frankfurt a. M., judgment of March 2, 2022, 13 U 206/20 with reference to Kühling/Buchner/Bergt, 3rd edition 2020, GDPR Art. 82 Rn. 18 b), has not been demonstrated by the plaintiff, although the defendant had already explicitly pointed out in a written statement dated September 16, 2022 that there was a lack of a substantiated submission from the plaintiff in this regard.
72 The plaintiff's subsequent statements, for example in the written statement dated November 8, 2022, are limited to general statements about what might be understood as damage under certain circumstances. However, there was no specific presentation of the specific, individual impairments of the plaintiff.
73 In the statement of claim, the plaintiff also only stated, without substantiation, that the plaintiff's data had been misused because the plaintiff repeatedly fell victim to phishing SMS messages and fraudulent telephone calls (Bl. 27 d.A.).
74 The court initially intended to hear the plaintiff for information purposes, as was later requested by the plaintiff on pages 38 and 39 of the written statement dated November 8, 2022 (Bl. 157/158 d.A.), which is why, by order of July 20, 2022 (Bl. 43/44 d.A.), the plaintiff's personal appearance was ordered. However, due to the plaintiff's submission in a letter dated August 10, 2022 (Bl. 45/46 d.A.), according to which the plaintiff was 100% severely disabled and therefore unable to appear at the hearing, the plaintiff was released from personal appearance by order of August 11, 2022, although the appearance of an informed representative remained ordered (Bl. 47 d.A.). The court's questions at the hearing concerned, among other things, the plaintiff's statements on Bl. 27 d.A. The plaintiff's representative who appeared was unable to answer them, and a query to the plaintiff himself was unsuccessful (Bl. 205 d.A.).
75 Even in the subsequent written statement dated December 6, 2022, there was no further substantiated presentation of the individual impairments suffered by the plaintiff.
76 2. The application for a declaratory judgment is well-founded, Art. 82 Para. 1 GDPR.
77 a) The defendant has violated Art. 32 GDPR.
78 b) If the plaintiff suffers material damage in the future due to unauthorized access by third parties to the defendant's data archive, which is thus causally linked to the defendant's violation of Art. 32 GDPR, he is entitled to a claim for damages against the defendant in accordance with Art. 82 para. 1 GDPR.
79 c) There is a possibility of material damage occurring because the plaintiff's data is still "lost" and could therefore potentially be misused. Even though the data was accessed in 2020, from the point of view of "the Internet does not forget", it cannot be ruled out that the plaintiff's personal data obtained through the data incident will cause damage to him in the future. The data loss that occurred affects a not insignificant part of the plaintiff's personal data.
80 3. In the absence of a payment obligation on the part of the defendant, the plaintiff is not entitled to reimbursement of pre-litigation legal fees amounting to €859.28, as the defendant was not in default within the meaning of Section 286 of the German Civil Code (BGB). The request for a declaratory judgment was not asserted in the lawyer's letter dated April 26, 2022 (Appendix K4), so this letter did not serve to prepare it.
81 III. Since this is not a judgment of a court of last instance, a referral for a preliminary ruling to the ECJ pursuant to Article 267(3) TFEU, as requested by the defendant, was not necessary.
82 The decision on costs results from Section 92 Paragraph 2 No. 2 ZPO. The plaintiff prevails only with regard to the application for a declaratory judgment, which was assessed at €300, whereas he does not succeed with his application for payment in the amount of €5,100, so that he prevails only as to 6%.
83 The decision on provisional enforceability is based on Sections 708 No. 11, 711 ZPO.
84 The decision on the amount in dispute results from Section 48 GKG in conjunction with Sections 3 and 5 ZPO. An amount of €300, determined by estimate, was added to the quantified claim no. 1 for the declaratory judgment.