After a data leak, the asset manager Scalable Capital was sentenced by the Munich I Regional Court to pay damages for violating the General Data Protection Regulation – GDPR.
Data is a matter of trust, and customers are entitled to appropriate protection. This is especially true when it comes to sensitive personal data. In the event of data theft, consumers may have claims for damages under the General Data Protection Regulation, explains the commercial law firm MTR Rechtsanwälte.
This is highlighted by a judgment of the Munich I Regional Court against Scalable Capital (ref. 31 O 16606/20). In October 2020, the online broker announced that a data leak had occurred. As a result, unauthorized persons gained access to highly sensitive personal data such as address, email address, account number, tax ID, or ID copies of more than 33,000 customers. Scalable admitted that after a hacker attack on a former service provider, there were also security loopholes in its own access area, which allowed hackers to obtain the data.
The plaintiff maintained a customer account with Scalable Capital, which he used for investments in securities and stocks. As a victim of data theft, he asserted claims for damages. Due to the stolen data, he was exposed to the risk of identity theft, attempts to access his used services, and other fraud attempts.
The lawsuit was successful. The Munich LG was persuaded that the security breach could have been avoided. However, Scalable Capital failed to take appropriate organizational measures. Thus, the access data for the service provider was not changed after the end of the business relationship. Although the plaintiff did not suffer material losses after the data theft, he is nevertheless entitled to non-material damages in the amount of 2,500 euros under Art. 82 para. 1 GDPR due to the theft of his personal data, according to the Munich LG. Furthermore, Scalable must cover all future damages caused by the data theft.
The Cologne LG also awarded damages to a victim of data theft at Scalable Capital (ref.: 28 O 328/21).
The judgments show that the GDPR provides a good basis for claims for damages in cases of data theft. Companies should, therefore, pay even more attention to adequately protecting their customers’ data.
Lawyers experienced in IT law can provide advice.
