LG München - 31 O 16606/20

From GDPRhub
LG Munich I - 31 O 16606/20
Courts logo1.png
Court: LG Munich I (Germany)
Jurisdiction: Germany
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 82 GDPR
Article 82(1) GDPR
Article 82(3) GDPR
Article 82(4) GDPR
Decided: 09.12.2021
Published: 21.12.2021
Parties: Scalable Capital
National Case Number/Name: 31 O 16606/20
European Case Law Identifier:
Appeal from:
Appeal to: Unknown
Original Language(s): German
Original Source: rewis.io (in German)
Initial Contributor: Giel Ritzen

The Regional Court of Munich ordered Scalable Capital to pay non-material damages of € 2,500, - to data subject pursuant to Article 82(1) GDPR, for a theft of their personal identity and financial data, because it violated Article 32(1) GDPR which led to a data breach.

English Summary

Facts

Controller is Scalable Capital, a financial services company via which customers can invest in shares etc. Data subject is a customer of this company. Upon registration, they provided numerous personal data to the controller inter alia a photo of their ID-card. On 19.10.2020, the controller informed the data subject of a data breach. Unauthorised third parties had acquired access to the following personal data of data subject: first- and last name, title, address, e-mail address, mobile phone number, place of birth, place and country of birth, nationality, marital status, tax residence and tax ID, IBAN, copy of identity card, portrait photo, which was taken in the Post-Ident procedure. Moreover, this data was accessed by these third parties on three separate instances in the period from April to October 2020. In total, these third parties had copied and stolen 389,000 records of 33,200 affected persons.

The attackers were able to access the whole IT system of controller because they had acquired the access information via controller’s former IT Service provider, CodeShip Inc. Although this service provider no longer provided IT services to controller since late 2015, the access data to controller’s system had never been changed. The stolen personal information was used to obtain loans, and was offered for sale on the Darknet.

Because data subject feared for identity theft and other fraud, they brought the action before Court and claimed compensation pursuant to Article 82(1) GDPR, because controller violated Article 32(1) GDPR.

Holding

The Court upheld the appeal and ordered the controller to pay € 2,500, - as non-material damages to the data subject.

First, the Court considered that the controller violated Article 32(1) and Article 5(1)(f) GDPR because it failed to implement sufficient organisational measures to ensure an appropriate level of data protection. In this regard, the Court considered Article 82(4) GDPR and noted that it is irrelevant whether the security deficiencies of CodeShip could be attributed to controller. Due to the quality and sensitivity of the stored data, as well as the scope of access, it was negligent of controller to rely on CodeShip to have erased the access information, without checking this with CodeShip and/or changing the access information themselves.

Second, the Court found that it is also not relevant that controller immediately took all necessary measures to exclude further unlawful access to the digital document archive after the incident, since they should have done so immediately after the termination of the business relationship with CodeShip.

Third, the Court stated that the requirement of causality between the GDPR breach and the damage, laid down in Article 82(1) GDPR, had been fulfilled. This requirement is not sufficed if damage occurred, but did not result directly from a breach of the controller (OLG Stuttgart, judgment of 31 March 2021, ref. 9 U 34/21). However, in this case, the Court noted that the damage would not have occurred if controller would have taken sufficient organisational security measures.

Lastly, the Court considered that Article 82 GDPR also covers non-material damage like the “loss of control over data” (which is mentioned as example in recital 75). In this regard, the Court considered the judgement of LG Essen, judgement of 23.9.2021 - 6 O 190/21, and held that in this case, there is not only an "insignificant or perceived violation of personal rights", and that identity theft is obviously sufficient for a claim for damages. Because the data subject’s personal data had not yet been misused, however, the Court considered that the amount of € 2,500, - was appropriate.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Subject

Compensation for damages under Art. 82 (1) GDPR due to theft of data from the data controller; fault of the data controller due to failure to change access data after change of operator.
Tenor

    It is established that the defendant is obliged to compensate the plaintiff for all material future damages suffered by the plaintiff as a result of unauthorised access by third parties to the defendant's data archive in the period from April to October 2020.
    The defendant is ordered to pay the plaintiff non-material damages in the amount of EUR 2,500, plus interest in the amount of 5 percentage points above the base rate since 04.02.2021.
    The defendant is to bear the costs of the legal dispute.
    The judgment is provisionally enforceable for the plaintiff against security in the amount of 110% of the respective amount to be enforced.

Order

The value in dispute is set at €5,100.00.
Facts

The plaintiff is a customer of the defendant. Before entering into the business relationship, the plaintiff provided the defendant, a financial services company, with numerous personal data. With regard to the individual data, reference is made to the statement of claim, pages 3 and 5 (see also annex K 2). In addition, he had to legitimise himself by means of the Postident procedure, whereby his identity card was photographed.

Subsequently, the plaintiff used his customer account to invest in shares and securities. On 19 October 2020, the plaintiff was informed by the defendant that unauthorised third parties had unlawfully accessed part of the data stored in their data archive. The following data was stolen from the plaintiff:

First and last name, title, address, e-mail address, mobile phone number, date, place and country of birth, nationality, marital status, tax residency and tax ID, IBAN, copy of identity card, portrait photo taken in the Post-Ident procedure.

The plaintiff further submits that the criminal investigation file of the Bamberg Public Prosecutor General's Office (Ref.: [xxx]) shows that the defendant's customer data was accessed at three different times in 2020, specifically on 15/16 April 2020, on 5/6 August 2020 and on 10/11 October 2020. During each of these accesses, a part of the total of 389,000 data records of the 33,200 persons concerned was copied and stolen. According to the defendant's submission, however, the plaintiff's data was accessed on 6 August 2021 (written statement of 29 November 2021, p. 16, file, p. 170), although this may be a typographical error in the indication of the year, but this is not relevant for the decision.

The defendant had deposited with its former service provider CS. access information to its complete IT system. The attacker used this access data to gain access to part of the document archive and the customer data contained therein.

The contractual relationship between the defendant and CS. was terminated at the end of 2015, whereby the defendant did not change the access data to its IT system, which were known to CS., at least until the incident in question.

With regard to the damage suffered by the plaintiff, it was obvious after inspection of the investigation file of the Bamberg Public Prosecutor's Office that the perpetrators had attempted to obtain credit with stolen customer data. Furthermore, the investigation file shows that the stolen data was offered on the Darknet.

Due to this, the plaintiff is of the opinion that he is now permanently exposed to the risk that the data captured about him will be used for identity theft, attempts to access online services used by him or other fraud attempts. Thus, on 27.9.2020, there had been a total of 10 failed login attempts at his email provider (Annex K 3).

The plaintiff is therefore of the opinion that he is therefore entitled to claims pursuant to Art. 82 para. 1 DSGVO in conjunction with. § Section 253 of the German Civil Code (BGB), as the defendant processed his data in breach of Article 32 of the GDPR.

The plaintiff therefore requests:

    It is established that the defendant is obliged to compensate the plaintiff for all material future damages suffered by the plaintiff as a result of the unauthorised access by third parties to the defendant's data archive in the period from April to October 2020.
    The defendant is ordered to pay the plaintiff reasonable damages for pain and suffering, the amount of which is left to the discretion of the court, together with interest at a rate of 5 percentage points above the base rate from the date of lis pendens.

The defendant requests that the action be dismissed.

In this regard, it points out in particular that in the aftermath of the data incident it took all possible measures to counteract any misuse of its customers' data and to clarify the facts. It cooperated closely with the competent authorities and external experts.

The plaintiff had not suffered any material or immaterial disadvantages as a result of the data incident. It was also not known that other customers of the defendant had been damaged due to misuse.

The plaintiff was not entitled to the asserted claims for several reasons.

The defendant would not be charged with a breach of the General Data Protection Regulation. The plaintiff, who had the burden of proof and presentation, had made unsubstantiated and inconclusive submissions in this respect. The data incident in itself did not constitute a breach of the GDPR by the defendant. The defendant's technical and organisational measures were appropriate.

In particular, the defendant uses a secure standardised IT infrastructure with, among other things, application and database servers, storage capacities, redundancy systems and backup solutions for the processing of the entire customer business. The IT infrastructure underlying the document archive is also certified to IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.

For criminal access, a utility operated by the Respondent had not been compromised. Therefore, one could not speak of a "hack" of the defendant's system.

The attacker, whose identity could not be determined so far, did not gain access to the client documents in the document archive by overcoming the IT security systems implemented by the defendant. Rather, access was gained by exploiting illegally obtained access information. This had apparently been obtained beforehand as a result of a cyber-attack on the company CS. Inc., which had been commissioned to provide software services for the defendant. The defendant was therefore a collateral victim of the cyber-attack on the third party company.

The commissioning of CS. by [xxx] was preceded by a careful selection and review process, which included, among other things, an in-depth substantive examination of the specifications of the service offered and the IT-specific security standards of CS. The provision of the access information to the digital environment of the defendant to CS. was already necessary for the execution of the software services from a technical point of view in order to be able to connect the external deployment utility to the digital environment of [xxx].

Moreover, the defendant was not at fault with regard to an alleged breach of the GDPR. Finally, there is no causality of an alleged breach of the GDPR for the alleged damage. With regard to the further details, reference is made to the statement of defence of 12 May 2021.

The request for a declaratory judgement is inadmissible for lack of interest in a declaratory judgement pursuant to § 256 (1) ZPO. The plaintiff, who has the burden of presentation and proof, has not presented any circumstances which show that the occurrence of material damage as a result of the data incident is probable.

In order to supplement the facts, reference is made to the exchanged pleadings and annexes as well as to the minutes of the hearing.

The reopening of the hearing due to the statement of the defendant dated 29.11.2021 was not necessary (§ 156 ZPO). The statements contained therein were taken into account by the court, but are ultimately not relevant for the decision.
Reasons for decision
1

The action is admissible, with the local jurisdiction of the Munich Regional Court resulting from Article 44(1) sentence 1 of the GDPR, Section 12 of the ZPO.
2

With regard to the application for a declaratory judgement, the interest in a declaratory judgement required pursuant to § 256 (1) ZPO is to be affirmed, since there is the possibility that further damages will result from the use of the illegally obtained data. This would only not be the case if, from the plaintiff's point of view, there is no reason to at least expect damage to occur (cf. Bacher BeckOK ZPO, Vorweık/Wolf 42nd edition as of 01.09.2021 § 256 marginal no. 24). However, especially in the case of such an extensive tapping of data, it is to be assumed, when looking at it from a lifelike perspective, that this was not done without a specific, and indeed illegal, intention.
3

The action is also well-founded.
4

The plaintiff has a claim against the defendant for payment of 2,500 euros pursuant to Article 82(1) of the GDPR as non-material damages.
5

According to this provision, any person who has suffered material or non-material damage as a result of a breach of the Regulation is entitled to compensation from the controller or the processor.
6

Pursuant to Article 82(3) of the GDPR, the burden of presentation and proof for the conditions justifying liability is borne by the claimant in accordance with general principles of civil procedure. A reversal of the burden of proof is expressly provided for in Art. 82(3) only with regard to the aspect of fault. It is therefore also incumbent on the infringed party to prove the data protection breach. The general accountability of Art. 5(2), 24(1) GDPR refers to a responsibility towards the authority. However, a reversal of the burden of proof or easing of the burden of proof cannot be based on this (Quaas BeckOK Datenschutzrecht, Wolff/Brink; 36th Edition Stand: 01.05.2021 § 82 Rn. 51; 9 U 34/21 OLG Stuttgart judgement of 31.03.2021; LG Frankfurt of 18.01.2021 - 2-30 O 147/20).
7

With regard to the issue of data protection breach, Art. 32 DSGVO (security of processing) requires appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. In addition, the requirements or specifications for proper and secure data handling can be taken from Article 5(1)(f) DSGVO (principles for the processing of personal data), from recitals 39 and 78 Regulation (EU) 2016/679 p. 12 as well as the Annex to Section 9 BDSG 2003. (cf. Kühling/Buchner/Herbst, 3rd ed. 2020, DS-GVO Art. 5 para. 76).
8

In particular, Recital 39 mentions as required measures that it is ensured that unauthorised persons do not have access to the data and cannot use either the data or the devices with which they are processed. The Annex to Section 9 BDSG 2003 listed technical and organisational measures that can also be used to fulfil the requirements of Article 5(1)(f).
9

Based on these requirements, the defendant committed a data protection breach.
10

It can be left open here whether any security deficiencies at the third-party company can be attributed to the defendant. This is because the defendant itself did not take sufficient organisational measures to prevent the loss of data at issue (see also Article 82(4) of the GDPR).
11

It is undisputed that the defendant did not change the access data for the company CS. after the end of the business relationship. As the defendant submits that it had to assume that the access information would be completely and permanently deleted by CS., it could not rely on this in view of the large scope (access to the complete IT system) and due to the quality and sensitivity of the stored data. Since the defendant obviously did not check the deletion, it had been negligent to leave the access data unchanged for several years from the termination of the business relationship in 2015 until the access to the defendant's customer data in 2020. The defendant cannot exonerate itself in this respect by the extensive explanations about the technical and organisational measures (TOMs). Moreover, it would be irrelevant here if - as the defendant claims - the document archive did not yet contain any customer data in 2015. In any case, this data was subsequently included in the archive.
12

Insofar as the defendant, as evidenced by its letter of 19.10.2020, immediately took all necessary measures after the incident to exclude further unlawful access to the digital document archive, it is - contrary to the view of the defendant - not to be regarded as unreasonable that this could have been done immediately after the termination of the business relationship with the company CS. Even if this would have required - and has now required - a certain amount of effort, this cannot be justification for leaving the customers' data in a certain area exposed to the risk of (possible) unauthorised access from outside.
13

If the defendant also emphasises that CS. is an independent company whose possible shortcomings cannot therefore be attributed to it from the outset, this is irrelevant. For there was also an inadequacy on the part of the defendant or a breach of the GDPR on its own part, and it was precisely the lack of legal and factual possibility to supervise, control or instruct the deletion process at CS., as submitted by the defendant, that required the defendant to take its own corresponding security measures.
14

There is also the required causality between the "GDPR breach" and the "damage". Article 82(1) GDPR requires that the damage occurs as a result of a specific GDPR breach. Although it is not sufficient that damage is merely attributable to a processing of personal data in the context of which a legal violation had occurred (OLG Stuttgart, judgment of 31 March 2021, ref. 9 U 34/21, p. 8, Annex B 2; Paal, MMR 2020, 14, 17 with further references), in the present case the damage is not only based on such a processing. It must be assumed that the specific data incident would not have occurred if the security standards considered adequate had been observed (cf. Quaas, in: BeckOK Datenschutzrecht, Wolff/Brink, 33rd ed., 01.08.2020, Art. 82 DSGVO marginal no. 51; 26 - contributory causation is sufficient).
15

Insofar as the defendant cites the judgment of the Regional Court of Munich I of 02.09.2021, 23 O 10931/20, the reasons for the decision speak precisely for the existence of damage in the present case. The Regional Court correctly points out that according to Article 82 of the GDPR, non-material damage caused by a breach of the regulation can also be compensated and that the recitals (No. 75) (in particular) also mention non-pecuniary damage caused by discrimination, identity theft or fraud, damage to reputation, loss of confidentiality of personal data subject to professional secrecy or social disadvantages (cf. BeckOK Datenschutz/Quaas DSGVO Article 82 para. 23). In the proceedings there, the court based its decision in particular on the fact that the plaintiff limited himself to arguing that his damage consisted in the loss of control over his data (which is also mentioned in recital no. 75!). While there an attack on the account of the e-mail address is the basis, in the present case much more extensive and sensitive data has been tapped. Contrary to the opinion of the LG Essen, judgement of 23.9.2021 - 6 O 190/21, this is not only an "insignificant or perceived violation of personal rights". Incidentally, the LG Essen also mentions that a claim for damages for pain and suffering under Art. 82 GDPR is not limited to serious damage, so that a general exclusion of minor cases is prohibited. The court also obviously (and correctly) assumes that identity theft would be sufficient for a claim for damages for pain and suffering.
16

Recitals 75 and 85 of the GDPR list examples of concrete impairments that may constitute "physical, material or non-material damage", such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorised removal of pseudonymisation or other significant economic or social disadvantages. Recital 146 of the GDPR also states that the concept of harm must be "interpreted broadly in the light of the case law of the Court of Justice in a way that is fully consistent with the objectives of this Regulation" and that "data subjects should receive full and effective compensation for the harm suffered". The focus here is on a deterrent effect of the damages, which is to be achieved in particular through their amount. This idea is also derived from Art. 4 Ill TEU. According to this, the member states are required to sanction violations effectively. For only in this way would effective enforcement of EU law - and thus also of the GDPR - be guaranteed (Wybitul/Haß/Albrecht: NJW 2018, 113, beck-online; cf. also Korch, NJW 2021, 978 - "From recital 146 p. 3 it follows that the concept of damage is to be understood broadly").
17

In the present case, due to the extent and nature of the plaintiff's stolen data, such identity theft must be assumed, which gives rise to a claim for damages.
18

Thus, in a letter dated 19.10. 2020 (Annex K 7), the defendant informed the affected customers, thus also the plaintiff, that the following data were affected by the incident: "personal data and contact data, data for the legally required identification of the customer (e.g. ID data), the information collected in the context of the suitability test, data relating to the account and/or securities account (e.g. reference account connection, reports, securities statements, invoices) as well as tax data (e.g. tax identification number)" and that an attempt could be made to deceive third parties with the identity of the customer in order to obtain advantages (identity abuse).
19

The criteria of Art. 83(2) may be used to assess the amount of damages, such as the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing in question, the categories of personal data concerned (cf. Quaas BeckOK Datenschutzrecht, Wolff/Brink 37th ed. as of 01.08.2021 marginal no. 31), whereby the determination is otherwise incumbent on the court pursuant to Section 287 ZPO (BeckOK DatenschutzR/Quaas, 32nd ed. 1.2.2020, DS-GVO Art. 82 marginal no. 31).
20

However, when assessing the amount of the non-material damages, it must be taken into account that the data in dispute has obviously not yet been misused, at least not to the detriment of the plaintiff, and therefore at most a more or less high risk can be assumed. However, the deterrent effect of the damages intended by the legislator must also be taken into account - as mentioned above. Weighing up all these aspects, the court considers (non-material) damages in the amount of 2,500 euros to be appropriate.
21

Insofar as the defendant believes that a preliminary ruling by the ECJ is mandatory, which was recently established by the BVerfG, decision of 14.1.2021 - 1 BvR 2853/19, it overlooks Article 267 (3) TFEU. Whereas in the facts underlying the aforementioned decision, neither the appeal complaint had been reached nor the Local Court had allowed the appeal, this is undoubtedly given in the present case (cf. section 511 (1), (2) no. 1 of the Code of Civil Procedure), so that no decision of last instance is given.
22

The claim for interest results from §§ 291, 288 section 1 BGB.
23

Costs §§ 91 Para. 1, 92 Para. 2 No. 2 ZPO; provisional enforceability § 709 ZPO; amount in dispute: §§ 3, 5 ZPO, whereby the court was guided by the amount in dispute specified by the plaintiff in the application.