Entrepreneurs are Required to Use End-to-End Encryption When Sending Invoices by Email



Current requirements for securing invoice delivery by email

In its judgment of February 10, 2025 (Ref. 12 U 9/24), the Schleswig-Holstein Higher Regional Court significantly specified the requirements for IT security in the electronic transmission of invoices by businesses. A key component of this decision is the explicit obligation to ensure an adequate level of protection regarding the confidentiality of personal data when sending invoice documents via email. The judgment clarifies that even the transmission of sensitive documents such as invoices generally requires end-to-end encryption to comply with data protection regulations under the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).

Legal background: Protection of personal data in email correspondence

In the present case, the Schleswig-Holstein Higher Regional Court had to address whether a business is required, when sending invoices by email, to implement technical and organizational measures to prevent unauthorized access to the personal data contained within. The specific scenario involved the transmission of an invoice which, in addition to standard billing data, also included personal details of the invoice recipient. The recipient objected to the lack of transport or even end-to-end encryption, as, in theory, third parties could have accessed the confidential information during transmission.

According to Article 5(1)(f) GDPR and Article 32 GDPR, controllers are obliged to ensure the protection of personal data through both technical and organizational measures. Encryption of electronic communication constitutes a practical method of safeguarding the integrity and confidentiality of the data.

Requirements for email communication: The court’s decision

The judges in Schleswig-Holstein emphasized that, even when sending invoices—which may appear less sensitive than other personal data at first glance—there is an increased need for protection. Invoices may contain, in addition to names and addresses, information about consumer behavior, bank details, information about contractual items, or other protected information. Unauthorized access to such data can result in significant detriment to the data subject.

The court made it clear that failing to use end-to-end encryption when transmitting an invoice does not satisfy the requirements of the GDPR, unless there is an explicit agreement with the recipient, in which the recipient has been fully informed and has expressly waived such protective measures. Such a waiver must be clearly documented and made voluntarily.

Practical implications for companies and the significance of the judgment

The judgment provides reason to critically review internal procedures for the electronic dispatch of documents. From a data protection perspective, IT security extends beyond securing one’s own IT system and also covers the secure external transfer of data. Companies that regularly or automatically send invoices to customers or business partners via email face the challenge of guaranteeing secure transmission. Depending on technical infrastructure and business model, this may necessitate the implementation of encryption-based communication systems or individual communication agreements with recipients.

With regard to liability issues, the Higher Regional Court notes that violations of data protection obligations may lead to claims for damages in accordance with Article 82 GDPR. Demonstrating that all required security measures have been technically and organizationally implemented remains a continual responsibility for data controllers.

Further implications and selected outstanding questions

Interplay with other legal provisions

In addition to the GDPR, other regulations must be observed. For example, the Fiscal Code (AO) and the Commercial Code (HGB) may impose requirements regarding the retention and integrity of electronic invoice documents, while tax secrecy under Section 30 AO carries its own protection obligations.

Ongoing developments in IT security law

In light of the rapid evolution of technical standards and regular reassessment of the state of the art under Article 32 GDPR, the adequacy of implemented security measures must always be adapted to current requirements. The Schleswig-Holstein Higher Regional Court explicitly emphasizes that the state of the art is constantly evolving and companies are therefore required to regularly review and adjust their measures.

Protection of legitimate expectations and liability risks

The judgment underlines that companies may face a significant need for action to protect the legitimate expectations of customers and business partners. In the event of a dispute, having proceeded with clearly documented and transparent measures can be decisive in effectively defending against recourse and damage claims.

Outlook

The decision from Schleswig-Holstein can serve as a guideline for handling the transmission of sensitive documents by email and sets a high standard for data protection in business practice. Companies thus face high expectations regarding encryption technologies and targeted risk assessment.

For further clarification of specific legal questions, or if there is uncertainty regarding the requirements for secure electronic communication, the lawyers at MTR Legal Rechtsanwälte are at your disposal.
