Data Theft – Compensation for Violation of GDPR


Following a data leak, the asset manager Scalable Capital was sentenced to pay damages by the Munich I Regional Court for violating the General Data Protection Regulation – GDPR.

Data is a matter of trust, and customers are entitled to appropriate protection. This is especially true when it comes to sensitive personal data. In case of data theft, consumers may be entitled to compensation under the General Data Protection Regulation, explains the business law firm MTR Rechtsanwälte.

This is highlighted by a judgment of the Munich I Regional Court regarding Scalable Capital (Case No. 31 O 16606/20). In October 2020, the online broker announced a data leak. Unauthorized persons gained access to highly sensitive personal data of more than 33,000 customers, such as addresses, email addresses, account numbers, tax IDs, or copies of ID documents. Scalable admitted that after a hacker attack on a former service provider, security gaps also emerged in its own access area, allowing hackers to access the data.

The plaintiff maintained a customer account with Scalable Capital, which he used for investments in securities and stocks. As a victim of the data theft, he asserted claims for damages. The stolen data exposed him to the risk of identity theft, attempts to access the services he used, and other fraud attempts.

The lawsuit was successful. The Munich Regional Court concluded that the security gap could have been avoided. However, Scalable Capital failed to take appropriate organizational measures. For example, the service provider's access data was not changed after the business relationship ended. Although the plaintiff did not incur material losses after the data theft, he is entitled under Art. 82 Par. 1 GDPR to non-material damages of 2,500 euros for the theft of his personal data, according to the Munich Regional Court. Furthermore, Scalable must cover all future damages arising from the data theft.

The Cologne Regional Court also awarded damages to a victim of data theft at Scalable Capital (Case No. 28 O 328/21).

The judgments show that the GDPR provides a solid legal basis for claims for damages in cases of data theft. Companies should therefore pay even more attention to adequately protecting their customers’ data.

Lawyers experienced in IT law can provide advice.