ITMediaLaw - Rechtsanwalt Marian Härtel

Liability under Art. 82 GDPR for sending forged invoices!

17. February 2025
in Law on the Internet
Key Facts
  • Email server security: Essential for protecting business data and avoiding financial risks.
  • Braunschweig Regional Court ruling: Confirms that unencrypted emails can have significant legal consequences.
  • Protective measures: Encryption is basic protection and necessary to meet GDPR requirements.
  • E-invoices and XML: High risk of fraud with unsecured e-invoices requires additional security precautions.

Recently, I have been able to successfully represent my clients in several similar cases that were affected by security breaches in email traffic. A recent judgment clearly shows how important it is to ensure the security of email servers and, in particular, the encryption of invoices. This issue is of great importance as it not only affects the confidentiality of business data, but also poses significant financial risks. I have already reported on the dangers of fake invoices and false IBAN transfers in several articles here on itmedialaw.com, for example here, here and here. These cases show that companies and private individuals alike can be affected by the consequences of inadequate security measures.

Email server security is a key issue in today’s business world. Without adequate security measures, sensitive data can easily fall into the wrong hands, which can lead to considerable financial losses. A recent ruling by the Braunschweig Regional Court (case number 7 O 47/24), in which I successfully represented the interests of the plaintiff as a lawyer, makes it clear that the use of unencrypted emails when transmitting invoices and personal data can have considerable legal consequences.

In this case, a purchase contract was sent by email in which the defendant’s bank details were manipulated. The plaintiff then transferred the purchase price to a false account, which led to considerable financial damage. The court found that the defendant had breached the GDPR by failing to take sufficient security measures. The defendant used neither transport nor end-to-end encryption when sending the emails, which the court deemed insufficient. The measures it did take, such as antivirus software and a firewall, were not sufficient to ensure the protection of the data. The court emphasized that the encryption of emails is a basic protection that is considered a minimum measure to meet the legal requirements. The full judgment can be viewed here.

As a lawyer, I successfully represented the plaintiff in this case and was able to prove that the defendant had breached its obligations under the GDPR. The court’s decision underlines the importance of accountability and the need for appropriate security measures in email traffic. Companies should be aware of these challenges and take appropriate measures to protect their data and that of their customers. If you have any questions on this topic or need assistance, please do not hesitate to contact me. I will be happy to help you protect your interests and optimize your security measures.

Legal consequences

The court ruled that the defendant had breached the GDPR by processing the plaintiff’s personal data in culpable violation of the provisions of the GDPR. The plaintiff’s claim for damages was derived from Art. 82 para. 1 GDPR. This article provides that any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. The plaintiff had presented all the necessary requirements for this claim and the court found that the defendant had acted culpably by not taking sufficient security measures.

The court agrees with the plaintiff that the defendant violated the principles of Art. 5, 24 and 32 GDPR by not taking appropriate technical and organizational measures to ensure the level of protection of personal data. Sending the invoice with the data contained therein by email without encryption constitutes processing within the meaning of Art. 4 No. 2 GDPR. The defendant did not even implement the lower level of protection of transport encryption, but sent its emails without any encryption. This was considered completely unsuitable within the meaning of the GDPR. The measures of implementing a firewall, an anti-virus program and password encryption of the Outlook account have no protective effect whatsoever on the sending of business emails and can be ruled out from the outset as suitable measures for the protection of personal data in email traffic.

The court emphasizes that the defendant acted culpably. Following the case law of the European Court of Justice, Art. 82 GDPR provides for a liability regime for culpability in which the burden of proof does not lie with the injured party, but with the controller. This means that the controller must prove that it has fulfilled all duties of care and cannot be accused of the slightest negligence. The defendant did not provide this proof, as it did not take the necessary encryption or other sufficient security measures.

The court ruled that the defendant had breached the accountability obligation under Art. 5 para. 2 GDPR by failing to demonstrate and prove that its security measures were suitable to protect the personal data in accordance with the level of security required by the GDPR. The use of antivirus software and firewalls is not sufficient to ensure the protection of emails, especially if no encryption is used. The ECJ has interpreted the requirements of Art. 32 GDPR to the effect that the suitability of the measures taken by the controller must be assessed by the national courts, taking into account the risks associated with the processing in question. In this case, the court found that the measures taken by the defendant were not sufficient to protect the plaintiff’s personal data.

The court agrees with the plaintiff that the damage of EUR 22,600 is a causal consequence of the breach of the GDPR. Since the defendant did not comply with a sufficient level of protection to secure the plaintiff’s personal data when sending its email with the attached contractual document, it is incumbent on the defendant to prove that the damage suffered by the plaintiff was not caused by its misconduct. The defendant has not provided this proof.

Originally, the action was brought on the basis of Section 280 BGB, although the underlying legal issues are largely comparable. However, it should be noted that the standard of care in the application of Art. 82 GDPR is much stricter – even minor negligence is sufficient to trigger a claim for damages. Due to these higher requirements, the claim ultimately boils down to Art. 82 GDPR, although a comparable liability assessment could also be derived from Section 280 BGB.

The problem with e-invoices

A particular problem arises when using e-invoices, especially in XML format. Here it can be difficult to detect manipulated documents, as XML files cannot be checked for changes as easily as PDFs. This significantly increases the risk of fraud and misuse. Companies should therefore be particularly careful when using e-invoices and ensure that all transmitted data is adequately protected. While the use of XML formats can be efficient, it also carries risks as these files can be easily manipulated. In cases where large amounts are transferred, it is particularly important that additional security measures are taken to prevent misuse.

The GDPR stipulates that personal data must be adequately protected, which also includes the sending of invoices. The use of encryption technologies can help to minimize these risks and ensure the security of data. I have highlighted the importance of security in the transmission of invoices in my previous articles and emphasize that companies must act proactively to protect their customers and their own interests.

Challenges with XML files

Although XML files offer many advantages, such as the automation of processes and easy integration into existing systems, they are also more susceptible to manipulation. As XML files are usually machine-readable, they can easily be changed by hackers without this being immediately apparent. This can lead to considerable financial losses if, for example, the bank details in an invoice are manipulated. Companies should therefore ensure that all XML files containing sensitive information are adequately protected.

Solutions to minimize risk

Companies can take various measures to minimize the risks associated with the use of e-invoices in XML format:

1. Encryption: The use of encryption technologies, such as transport or end-to-end encryption, can help to protect data during transmission. This is particularly important when personal data or sensitive financial information is transmitted.

2. Digital signatures: Digital signatures can be used to ensure the authenticity and integrity of e-invoices. This can help to detect and prevent manipulation.

3. Two-step authentication: Implementing two-step authentication for access to systems that process e-invoices can increase protection against unauthorized access.

4. Regular security audits: Regular security audits and penetration tests can help identify and fix vulnerabilities in systems before they can be exploited by attackers.

5. Staff training: Staff should receive regular training to make them aware of potential risks and ensure that all employees comply with the necessary safety measures.
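
The digital-signature measure from the list above, shown as an added example (not code from this article or from any e-invoicing standard): the sender signs the exact bytes of the XML invoice with Ed25519, and the recipient accepts it only if the signature verifies against a key fingerprint obtained through a second channel. The invoice layout, element names, IBANs and function names are constructed for illustration, and a detached signature over the raw file is used here instead of an embedded XML signature (XMLDSig).

```javascript
// Added example: detached Ed25519 signature over an XML e-invoice.
const nodeCrypto = require("node:crypto");

// Constructed sample invoice; element names, amount and IBANs are illustrative.
const INVOICE_XML = [
  '<?xml version="1.0" encoding="UTF-8"?>',
  "<Invoice>",
  "  <Number>2025-0042</Number>",
  "  <Seller>Example Motors GmbH</Seller>",
  '  <Amount currency="EUR">1250.00</Amount>',
  "  <PayeeIBAN>DE89370400440532013000</PayeeIBAN>",
  "</Invoice>",
  "",
].join("\n");

// Sender: generate a signing key pair once; the private key stays with the sender.
function createKeys() {
  return nodeCrypto.generateKeyPairSync("ed25519");
}

// SHA-256 fingerprint of the public key (SPKI/DER). The recipient records it
// through a second channel (phone call, contract annex), never from the same email.
function keyFingerprint(publicKey) {
  const der = publicKey.export({ type: "spki", format: "der" });
  return nodeCrypto.createHash("sha256").update(der).digest("hex");
}

// Sender: sign the exact bytes of the invoice file; returns a base64 signature.
function signInvoice(xmlText, privateKey) {
  return nodeCrypto.sign(null, Buffer.from(xmlText, "utf8"), privateKey).toString("base64");
}

// Recipient: accept the invoice only if the key is the pinned one AND the
// signature matches the received bytes.
function verifyInvoice(xmlText, signatureB64, publicKey, pinnedFingerprint) {
  if (keyFingerprint(publicKey) !== pinnedFingerprint) {
    return { ok: false, reason: "unknown-signing-key" };
  }
  let valid = false;
  try {
    valid = nodeCrypto.verify(null, Buffer.from(xmlText, "utf8"), publicKey,
      Buffer.from(signatureB64, "base64"));
  } catch (err) {
    return { ok: false, reason: "malformed-signature" };
  }
  return valid ? { ok: true, reason: "signature-valid" }
               : { ok: false, reason: "content-modified" };
}

// Three deliveries of the same invoice, as the recipient would see them.
function demo() {
  const sender = createKeys();
  const pinned = keyFingerprint(sender.publicKey);
  const signature = signInvoice(INVOICE_XML, sender.privateKey);

  // Bank details replaced in transit, original signature left attached.
  const altered = INVOICE_XML.replace("DE89370400440532013000", "GB82WEST12345698765432");
  // Altered invoice re-signed with a key the recipient has never pinned.
  const other = createKeys();
  const resigned = signInvoice(altered, other.privateKey);

  return {
    original: verifyInvoice(INVOICE_XML, signature, sender.publicKey, pinned),
    altered: verifyInvoice(altered, signature, sender.publicKey, pinned),
    resigned: verifyInvoice(altered, resigned, other.publicKey, pinned),
  };
}

console.log(demo());
```

The third case is why the fingerprint has to reach the recipient outside the email channel: a signature only proves integrity relative to a key the recipient already trusts.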

By implementing these measures, companies can increase the security of their e-invoices and minimize the risk of fraud and misuse. If you have any questions on this topic or need support, please do not hesitate to contact me. I will be happy to help you protect your interests and optimize your security measures.

Conclusion

The security of email servers and the encryption of invoices are crucial aspects of digital business transactions. Companies should be aware of these challenges and take appropriate measures to protect their data and that of their customers. The GDPR stipulates that personal data must be adequately protected, which also includes the sending of invoices. The use of encryption technologies can help to minimize these risks and ensure the security of data. I am at your disposal to support you in these matters and to ensure that your data and that of your customers is protected in the best possible way. Should you be affected by similar problems or have any questions on this topic, please do not hesitate to contact me. I have successfully acted for my clients in numerous cases and can help you to protect your interests.

The ruling by the Braunschweig Regional Court (case reference 7 O 47/24) is an important precedent that underlines the importance of security in email traffic. The decision shows that companies that violate the GDPR must expect considerable legal consequences. The plaintiff received a purchase contract by email in which the defendant’s bank details had been manipulated. The plaintiff then transferred the purchase price to a false account, which led to considerable financial damage. The court found that the defendant culpably violated the GDPR by not taking sufficient security measures. The defendant used neither transport nor end-to-end encryption when sending the emails, which the court deemed insufficient. The measures it did take, such as antivirus software and a firewall, were not sufficient to ensure the protection of the data. The court emphasized that the encryption of emails is a basic protection that is considered a minimum measure to meet the legal requirements.

P.S. Thanks, by the way, to my professional IT partner Velevo/Sebastian Genter, who were also able to help here with a convincing IT report.
