LG München - 31 O 16606/20
| LG München I - 31 O 16606/20 | |
|---|---|
| Court: | LG München I (Germany) |
| Jurisdiction: | Germany |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32(1) GDPR; Article 82 GDPR; Article 82(1) GDPR; Article 82(3) GDPR; Article 82(4) GDPR |
| Decided: | 09.12.2021 |
| Published: | 21.12.2021 |
| Parties: | Scalable Capital |
| National Case Number/Name: | 31 O 16606/20 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | rewis.io (in German) |
| Initial Contributor: | Giel Ritzen |
The Regional Court of Munich I ordered Scalable Capital to pay €2,500 in non-material damages to a data subject under Article 82(1) GDPR after attackers stole their identity and financial data. The controller had violated Article 32(1) GDPR by leaving the access credentials of a former IT service provider unchanged, which led to the data breach.
English Summary
Facts
The controller is Scalable Capital, a financial services company through which customers can invest in shares and other securities. The data subject is a customer of this company. Upon registration, they provided numerous personal data to the controller, including a photo of their ID card. On 19.10.2020, the controller informed the data subject of a data breach. Unauthorised third parties had obtained access to the following personal data of the data subject: first and last name, title, address, e-mail address, mobile phone number, date, place and country of birth, nationality, marital status, tax residence and tax ID, IBAN, a copy of their identity card and the portrait photo taken in the Post-Ident procedure. The data had been accessed by these third parties on three separate occasions between April and October 2020. In total, the third parties copied and stole 389,000 records belonging to 33,200 affected persons.
The attackers used access credentials for the controller's entire IT system that had been held by the controller's former IT service provider, CodeShip Inc. Although CodeShip had not provided IT services to the controller since late 2015, these credentials had never been changed. The stolen personal data was used in attempts to obtain loans and was offered for sale on the darknet.
Because the data subject feared identity theft and other fraud, they brought an action before the Court and claimed compensation under Article 82(1) GDPR on the ground that the controller had violated Article 32(1) GDPR.
Holding
The Court found for the data subject and ordered the controller to pay €2,500 in non-material damages.
First, the Court held that the controller had violated Article 32(1) and Article 5(1)(f) GDPR because it failed to implement sufficient organisational measures to ensure an appropriate level of security. Referring to Article 82(4) GDPR, the Court noted that it is irrelevant whether CodeShip's security deficiencies could be attributed to the controller. Given the sensitivity of the stored data and the scope of access the credentials granted, it was negligent of the controller to rely on CodeShip having erased the access credentials without verifying this with CodeShip and/or changing the credentials itself.
Second, the Court found it equally irrelevant that the controller immediately took all necessary measures to prevent further unlawful access to the digital document archive after the incident, since it should have done so immediately after the business relationship with CodeShip ended.
Third, the Court held that the causality requirement between the GDPR infringement and the damage under Article 82(1) GDPR was met. That requirement is not satisfied where damage occurred but did not result directly from an infringement by the controller (OLG Stuttgart, judgment of 31 March 2021, ref. 9 U 34/21). Here, however, the damage would not have occurred had the controller taken sufficient organisational security measures.
Lastly, the Court held that Article 82 GDPR also covers non-material damage such as the "loss of control over data" (mentioned as an example in Recital 75). Referring to LG Essen, judgment of 23.9.2021, 6 O 190/21, the Court held that this case involved more than an "insignificant or perceived violation of personal rights" and that identity theft is plainly sufficient for a claim for damages. Because the data subject's personal data had not yet been misused, however, the Court considered €2,500 an appropriate amount.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Facts of the case

The plaintiff is a customer of the defendant. Before entering into the business relationship, the plaintiff provided the defendant, a financial services company, with a large amount of personal data. With regard to the individual data, reference is made to pages 3 and 5 of the statement of claim (see also Annex K 2). He also had to authenticate himself using the Postident procedure, whereby his identity card was photographed. Subsequently, the plaintiff used his customer account to invest in shares and securities.

On October 19, 2020, the plaintiff was informed by the defendant that unauthorized third parties had unlawfully accessed part of the data stored in its data archive. The following data of the plaintiff was stolen: first and last name, title, address, email address, mobile phone number, date, place and country of birth, nationality, marital status, tax residence and tax ID, IBAN, copy of ID card, and the portrait photo taken in the Postident procedure.

The plaintiff further submits that it can be inferred from the criminal investigation file of the Bamberg Public Prosecutor's Office (ref.: [xxx]) that the defendant's customer data was accessed at three different times in 2020, specifically on April 15/16, 2020, on August 5/6, 2020 and on October 10/11, 2020. With each of these accesses, part of the total of 389,000 data records of the 33,200 affected persons was copied and stolen. According to the defendant's submission, however, the access to the plaintiff's data took place on August 6, 2021 (pleading of November 29, 2021, p. 16, p. 170 of the file); this is probably a typo in the year, but it is in any case not relevant to the decision.

The defendant had stored access information for its complete IT system with its former service provider CS. The attacker used this access data to gain access to part of the document archive and the customer data contained therein. The contractual relationship between the defendant and CS. was ended at the end of 2015, but the defendant did not change the access data to its IT system that were known to CS., at least not until the disputed incident.

With regard to the damage suffered by the plaintiff, inspection of the investigation files of the Bamberg Public Prosecutor's Office made it obvious that the perpetrators tried to obtain loans with the stolen customer data. Furthermore, the investigation file shows that the stolen data was offered on the darknet. As a result, the plaintiff is of the opinion that he is now permanently exposed to the risk that the data stolen from him will be used for identity theft, for attempts to access the online services he uses, or for other attempts at fraud. On September 27, 2020, there were a total of 10 failed login attempts at his email provider (Annex K 3). The plaintiff is therefore of the opinion that he is entitled to claims under Art. 82(1) GDPR in conjunction with § 253 BGB because the defendant processed his data in violation of Art. 32 GDPR.

The plaintiff therefore requests, first, that it be declared that the defendant is obliged to compensate the plaintiff for all future material damage suffered by the plaintiff as a result of the unauthorized access by third parties to the defendant's data archive in the period from April to October 2020, and, second, that the defendant be ordered to pay the plaintiff reasonable compensation for pain and suffering, the amount of which is at the discretion of the court, plus interest at a rate of 5 percentage points above the base rate since the action became pending.

The defendant requests that the action be dismissed. It points out in particular that it is taking all possible measures in the wake of the data incident in order to counteract misuse of its customers' data and to clarify the matter, and that it cooperated closely with the responsible authorities and external experts. The plaintiff suffered no material or immaterial disadvantages as a result of the data incident. Nor is it known that other customers of the defendant have been harmed as a result of misuse. The plaintiff is not entitled to the asserted claims for several reasons. The defendant is not guilty of any violation of the General Data Protection Regulation. The plaintiff, who bears the burden of presentation and proof, has made unsubstantiated and inconclusive submissions. The data incident in itself does not mean that the defendant violated the GDPR. The technical and organizational measures taken by the defendant were appropriate. In particular, the defendant uses a secure, standardized IT infrastructure with, among other things, application and database servers, storage capacities, redundancy systems and backup solutions to process the entire customer business. The IT infrastructure on which the document archive is based is also certified in accordance with ISO/IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1. No application operated by the defendant is said to have been compromised by the criminal access. One could therefore not speak of a "hack" of the defendant's system. The attacker, whose identity has not yet been determined, did not gain access to the customer documents in the document archive by overcoming the IT security systems implemented by the defendant. Rather, access was made using illegally obtained access information. These apparently originated from an earlier cyber attack on the company CS. Inc., which had been contracted to provide software services for the defendant. The defendant was therefore a collateral victim of that cyber attack on the third-party company. The commissioning of CS. by [xxx] was preceded by a careful selection and testing process, which included, among other things, an in-depth examination of the specifications of the service offered and of the IT-specific security standards of CS. Providing CS. with access information to the defendant's digital environment was already technically necessary for the performance of the software services, in order to connect the external deployment service program to the digital environment of [xxx]. In any event, the defendant is not at fault with regard to an alleged GDPR violation. Finally, there is no causality between an alleged GDPR violation and the alleged damage. For further details, reference is made to the statement of defense of May 12, 2021. The application for a declaratory judgment is inadmissible for lack of a legal interest in a declaration under Section 256(1) ZPO. The plaintiff, who bears the burden of presentation and proof, has not presented any circumstances from which it follows that material damage as a result of the data incident is likely.

To supplement the facts, reference is made to the exchanged pleadings and annexes as well as the minutes of the hearing. The defendant's pleading of November 29, 2021 did not warrant a reopening of the oral hearing (Section 156 ZPO). The court took the statements contained therein into account, but they are ultimately not relevant to the decision.