28. Oct 22

Data theft – Company to pay compensation for breaching GDPR

In the aftermath of a data leak, German digital asset manager Scalable Capital has been ordered by the Munich I Regional Court – the Landgericht (LG) München I – to pay compensation for breaching the General Data Protection Regulation (GDPR).

Customers are entitled to expect that the high level of trust they place in those whom they entrust with their data is accompanied by high standards of data protection, particularly when it comes to personal data. We at the commercial law firm MTR Rechtsanwälte note that consumers who fall victim to data theft are entitled to claim compensation pursuant to the GDPR.

Case in point: a ruling of the Munich I Regional Court concerning the asset management company Scalable Capital (case ref.: 31 O 16606/20). In October of 2020, the online broker disclosed that there had been a data leak which had resulted in unauthorized persons obtaining access to highly sensitive personal information such as the address, email, account number, taxpayer ID number, and copies of identity documents for more than 33,000 customers. The company admitted that security vulnerabilities in its login area had allowed hackers to gain access to the data following a cyberattack against a former service provider.

The plaintiff maintained a customer account with Scalable Capital for the purposes of investing money in securities and shares. After personally falling victim to the aforementioned data theft, he asserted claims for compensation, arguing that the stolen data meant that he had been exposed to a greater risk of identity theft, attempts to access the services he used, as well as other attempts to defraud him.

The action was successful. The LG München concluded that the security vulnerabilities had been avoidable and that Scalable Capital had failed to take appropriate organizational measures, with the court noting that the login details for the service provider were not changed after the business relationship came to an end. The Munich court went on to clarify that while the plaintiff had not suffered any material damage or loss in the aftermath of the data leak, he was nonetheless entitled to receive 2,500 euros in compensation for non-material damage resulting from the theft of his personal data pursuant to Art. 82(1) of the GDPR. Scalable Capital will additionally be required to pay compensation for any future damage or loss resulting from the leak.

Cologne’s regional court – the Landgericht (LG) Köln – has also awarded compensation to a victim of data theft at Scalable Capital (case ref.: 28 O 328/21).

The rulings demonstrate that the GDPR can serve as an effective basis for asserting claims for compensation in cases involving stolen data. All the more reason for companies to ensure their customers’ data is adequately protected.

Lawyers with experience in the field of IT law can provide counsel.
