Rechtsanwalt Marian Härtel - ITMediaLaw


Liability under Art. 82 GDPR for sending forged invoices!

17. February 2025
in Law on the Internet
Key Facts
  • Email server security: Essential for protecting business data and avoiding financial risks.
  • Braunschweig Regional Court ruling: Confirms that unencrypted emails can have significant legal consequences.
  • Protective measures: Encryption is basic protection and necessary to meet GDPR requirements.
  • E-invoices and XML: High risk of fraud with unsecured e-invoices requires additional security precautions.

Recently, I have been able to successfully represent my clients in several similar cases that were affected by security breaches in email traffic. A recent judgment clearly shows how important it is to ensure the security of email servers and, in particular, the encryption of invoices. This issue is of great importance as it not only affects the confidentiality of business data, but also poses significant financial risks. I have already reported on the dangers of fake invoices and false IBAN transfers in several articles here on itmedialaw.com, for example here, here and here. These cases show that companies and private individuals alike can be affected by the consequences of inadequate security measures.


Email server security is a key issue in today’s business world. Without adequate security measures, sensitive data can easily fall into the wrong hands, which can lead to considerable financial losses. A recent ruling by the Braunschweig Regional Court (case number 7 O 47/24), in which I successfully represented the interests of the plaintiff as a lawyer, makes it clear that the use of unencrypted emails when transmitting invoices and personal data can have considerable legal consequences.

In this case, a purchase contract was sent by email in which the defendant’s bank details were manipulated. The plaintiff then transferred the purchase price to a false account, which led to considerable financial damage. The court found that the defendant had breached the GDPR by failing to take sufficient security measures. The defendant did not use transport or end-to-end encryption when sending the emails, which was deemed insufficient. The measures, such as the use of antivirus software and firewall, were not sufficient to ensure the protection of the data. The court emphasized that the encryption of emails is a basic protection that is considered a minimum measure to meet the legal requirements. The full judgment can be viewed here.

As a lawyer, I successfully represented the plaintiff in this case and was able to prove that the defendant had breached its obligations under the GDPR. The court’s decision underlines the importance of accountability and the need for appropriate security measures in email traffic. Companies should be aware of these challenges and take appropriate measures to protect their data and that of their customers. If you have any questions on this topic or need assistance, please do not hesitate to contact me. I will be happy to help you protect your interests and optimize your security measures.

Legal consequences

The court ruled that the defendant had breached the GDPR by processing the plaintiff’s personal data in culpable violation of the provisions of the GDPR. The plaintiff’s claim for damages was derived from Art. 82 para. 1 GDPR. This article provides that any person who has suffered material or non-material damage as a result of a breach of the GDPR is entitled to compensation. The plaintiff had presented all the necessary requirements for this claim and the court found that the defendant had acted culpably by not taking sufficient security measures.

The court agrees with the plaintiff that the defendant violated the principles of Art. 5, 24 and 32 GDPR by not taking appropriate technical and organizational measures to ensure the level of protection of personal data. Sending the invoice with the data contained therein by email without encryption constitutes processing within the meaning of Art. 4 No. 2 GDPR. The defendant did not even implement the lower level of protection of transport encryption, but sent its emails without any encryption. This was considered completely unsuitable within the meaning of the GDPR. The measures of implementing a firewall, an anti-virus program and password encryption of the Outlook account have no protective effect whatsoever on the sending of business emails and can be ruled out from the outset as suitable measures for the protection of personal data in email traffic.

The court emphasizes that the defendant acted culpably. Following the case law of the European Court of Justice, Art. 82 GDPR provides for a liability regime for culpability in which the burden of proof does not lie with the injured party, but with the controller. This means that the controller must prove that it has fulfilled all duties of care and cannot be accused of the slightest negligence. The defendant did not provide this proof, as it did not take the necessary encryption or other sufficient security measures.

The court ruled that the defendant had breached the accountability obligation under Art. 5 para. 2 GDPR by failing to demonstrate and prove that its security measures were suitable to protect the personal data in accordance with the level of security required by the GDPR. The use of antivirus software and firewalls is not sufficient to ensure the protection of emails, especially if no encryption is used. The ECJ has interpreted the requirements of Art. 32 GDPR to the effect that the suitability of the measures taken by the controller must be assessed by the national courts, taking into account the risks associated with the processing in question. In this case, the court found that the measures taken by the defendant were not sufficient to protect the plaintiff’s personal data.

The court agrees with the plaintiff that the damage of EUR 22,600 is a causal consequence of the breach of the GDPR. Since the defendant did not comply with a sufficient level of protection to secure the plaintiff’s personal data when sending its email with the attached contractual document, it is incumbent on the defendant to prove that the damage suffered by the plaintiff was not caused by its misconduct. The defendant has not provided this proof.

Originally, the action was brought on the basis of Section 280 BGB, although the underlying legal issues are largely comparable. However, it should be noted that the standard of care in the application of Art. 82 GDPR is much stricter – even minor negligence is sufficient to trigger a claim for damages. Due to these higher requirements, the claim ultimately boils down to Art. 82 GDPR, although a comparable liability assessment could also be derived from Section 280 BGB.

The problem with e-invoices

A particular problem arises when using e-invoices, especially in XML format. Here it can be difficult to detect manipulated documents, as XML files cannot be checked for changes as easily as PDFs. This significantly increases the risk of fraud and misuse. Companies should therefore be particularly careful when using e-invoices and ensure that all transmitted data is adequately protected. While the use of XML formats can be efficient, it also carries risks as these files can be easily manipulated. In cases where large amounts are transferred, it is particularly important that additional security measures are taken to prevent misuse.

The GDPR stipulates that personal data must be adequately protected, which also includes the sending of invoices. The use of encryption technologies can help to minimize these risks and ensure the security of data. I have highlighted the importance of security in the transmission of invoices in my previous articles and emphasize that companies must act proactively to protect their customers and their own interests.

Challenges with XML files

Although XML files offer many advantages, such as the automation of processes and easy integration into existing systems, they are also more susceptible to manipulation. As XML files are usually machine-readable, they can easily be changed by hackers without this being immediately apparent. This can lead to considerable financial losses if, for example, the bank details in an invoice are manipulated. Companies should therefore ensure that all XML files containing sensitive information are adequately protected.

Solutions to minimize risk

Companies can take various measures to minimize the risks associated with the use of e-invoices in XML format:

1. Encryption: The use of encryption technologies, such as transport or end-to-end encryption, can help to protect data during transmission. This is particularly important when personal data or sensitive financial information is transmitted.

2. Digital signatures: Digital signatures can be used to ensure the authenticity and integrity of e-invoices. This can help to detect and prevent manipulation.

3. Two-step authentication: Implementing two-step authentication for access to systems that process e-invoices can increase protection against unauthorized access.

4. Regular security audits: Regular security audits and penetration tests can help identify and fix vulnerabilities in systems before they can be exploited by attackers.

5. Staff training: Staff should receive regular training to make them aware of potential risks and ensure that all employees comply with the necessary safety measures.
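As an added example (not taken from the article, the judgment or the IT report), the following Python sketch shows one way to check after the fact whether each relay hop of a delivered message used transport encryption, by reading the `with` protocol keywords in its Received headers (RFC 3848, RFC 6531). The sample message, host names and addresses are constructed.

```python
import re
from email import message_from_string

# "with" protocol keywords registered for Received headers (RFC 3848, RFC 6531).
# An S after the base name (optionally followed by A for AUTH) means STARTTLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
CLEARTEXT_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA",
                       "UTF8SMTP", "UTF8SMTPA", "UTF8LMTP", "UTF8LMTPA"}

def split_comments(value):
    """Return (text outside parentheses, text inside them); comments may nest."""
    depth, outside, inside = 0, [], []
    for ch in value:
        if ch == "(":
            depth += 1
            outside.append(" ")
            inside.append(" ")
        elif ch == ")" and depth:
            depth -= 1
        else:
            (inside if depth else outside).append(ch)
    return "".join(outside), "".join(inside)

def classify_hop(received):
    """Classify one Received header as 'tls', 'cleartext' or 'unknown'."""
    outside, comments = split_comments(received)
    by = re.search(r"\bby\s+(\S+)", outside, re.I)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", outside, re.I)
    protocol = proto.group(1).upper() if proto else ""
    # Some MTAs record TLS only in a comment, e.g. "(version=TLS1_2 ...)".
    tls_note = re.search(r"TLSv?\d", comments, re.I)
    if protocol in TLS_PROTOCOLS or tls_note:
        status = "tls"
    elif protocol in CLEARTEXT_PROTOCOLS:
        status = "cleartext"
    else:
        status = "unknown"  # local delivery, HTTP submission, vendor-specific text
    return {"by": by.group(1) if by else "?", "protocol": protocol, "status": status}

def audit_transport(raw_message):
    """Hops in delivery order (each server prepends its header, so reverse them)."""
    msg = message_from_string(raw_message)
    return [classify_hop(h) for h in reversed(msg.get_all("Received", []))]

def cleartext_hops(raw_message):
    """Names of the receiving servers that accepted the message without TLS."""
    return [h["by"] for h in audit_transport(raw_message) if h["status"] == "cleartext"]

# Constructed sample: the seller's server hands the mail to a relay without STARTTLS.
SAMPLE = """\
Received: from relay.provider.example (relay.provider.example [198.51.100.7])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.buyer.example (Postfix) with ESMTPS id 4F1A2B3C
\tfor <buyer@buyer.example>; Mon, 17 Feb 2025 10:02:11 +0100 (CET)
Received: from mail.seller.example (mail.seller.example [192.0.2.10])
\tby relay.provider.example with ESMTP id 9D8E7F6A
\tfor <buyer@buyer.example>; Mon, 17 Feb 2025 10:02:09 +0100
Received: from workstation (unknown [192.0.2.55])
\tby mail.seller.example with ESMTPSA id 1A2B3C4D;
\tMon, 17 Feb 2025 10:02:08 +0100
From: sales@seller.example
To: buyer@buyer.example
Subject: Invoice 2025-0042 (constructed sample)

Please find the invoice attached.
"""

if __name__ == "__main__":
    for hop in audit_transport(SAMPLE):
        print(f'{hop["by"]:28} {hop["protocol"]:10} {hop["status"]}')
```

Only Received lines written by servers you control are reliable evidence, since earlier hops can write anything into theirs, and a `tls` result says the session was encrypted, not that the peer's certificate was verified.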

By implementing these measures, companies can increase the security of their e-invoices and minimize the risk of fraud and misuse. If you have any questions on this topic or need support, please do not hesitate to contact me. I will be happy to help you protect your interests and optimize your security measures.

Conclusion

The security of email servers and the encryption of invoices are crucial aspects of digital business transactions. Companies should be aware of these challenges and take appropriate measures to protect their data and that of their customers. The GDPR stipulates that personal data must be adequately protected, which also includes the sending of invoices. The use of encryption technologies can help to minimize these risks and ensure the security of data. I am at your disposal to support you in these matters and to ensure that your data and that of your customers is protected in the best possible way. Should you be affected by similar problems or have any questions on this topic, please do not hesitate to contact me. I have successfully acted for my clients in numerous cases and can help you to protect your interests.

The ruling by the Braunschweig Regional Court (case reference 7 O 47/24) is an important precedent that underlines the importance of security in email traffic. The decision shows that companies that violate the GDPR must expect considerable legal consequences. The plaintiff received a purchase contract by email in which the defendant’s bank details had been manipulated. The plaintiff then transferred the purchase price to a false account, which led to considerable financial damage. The court found that the defendant culpably violated the GDPR by not taking sufficient security measures. The defendant did not use transport or end-to-end encryption when sending the emails, which was deemed insufficient. The measures, such as the use of antivirus software and firewall, were not sufficient to ensure the protection of the data. The court emphasized that the encryption of emails is a basic protection that is considered a minimum measure to meet the legal requirements.

P.S. Thanks, by the way, to my professional IT partner Velevo/Sebastian Genter, who were also able to help here with a convincing IT report.

Author: Marian Härtel

Marian Härtel is a lawyer and certified specialist in IT law (Fachanwalt für IT-Recht) with more than 25 years of experience as an entrepreneur and consultant in the fields of games, esports, blockchain, SaaS and artificial intelligence. In addition to IT law, his advisory focus covers copyright law, media law and competition law in particular. He primarily advises start-ups, agencies and influencers, supporting them on strategic questions, complex contractual matters and investment projects. His advice is characterised by an interdisciplinary approach that combines legal expertise with many years of entrepreneurial experience. The aim of his work is always to offer clients practice-oriented solutions and to provide legally sound support in implementing innovative business models.
