• Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
ITMediaLaw - Rechtsanwalt Marian Härtel
  • en English
  • de Deutsch
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
Kurzberatung
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Other

Once again: Manipulated invoices, third-party IBANs and claims for damages under Art. 82 GDPR

21. February 2025
in Other
Reading Time: 6 mins read
0 0
A A
0
fake 1726362 1280 1
Key Facts
  • Falsified invoices often lead to considerable financial problems for clients due to manipulated IBANs.
  • Art. 82 GDPR offers injured parties a claim for damages in the event of violations of the General Data Protection Regulation.
  • In future, the burden of proof for the infringement will lie with the responsible party, not the injured party.
  • Personal data such as name and address details are often misused in fake invoices.
  • German courts are increasingly recognizing immaterial damages, which improves the legal situation for injured parties.
  • Companies must take IT security measures to protect themselves from claims under Art. 82 GDPR.
  • Those responsible should provide complete documentation of their data controls in order to safeguard themselves.

Over the past few days, I have repeatedly reported on the topic of fake or manipulated invoices here on the blog. The reason: there are more and more cases on my desk where clients have got into payment difficulties due to professional-looking fake invoices. The criminals simply change the IBAN and pass it off as the supposed account of the invoice issuer. The result: amounts are not paid to the real recipient, but to unknown parties. Having already examined the possible liability issues from a civil law perspective (Sections 280 et seq. of the German Civil Code), I would now like to focus more on the emerging developments surrounding Art. 82 GDPR.

Content Hide
1. Background: Fake invoices and compromised systems
2. Art. 82 GDPR as an additional basis for claims
2.1. Standard of liability and reversal of the burden of proof
2.2. Comparison with claims under § 280 BGB
3. Practical relevance for recipients of counterfeit invoices
4. Shipper responsibility and recommended measures
5. Significance for companies and possible defense strategies
6. Conclusion and outlook

Background: Fake invoices and compromised systems

Most of the cases I have seen follow a typical pattern: Criminals get hold of internal email communications or original invoices. Once this data has been captured, the documents are copied or “replicated” so that they look deceptively similar to genuine invoices. Only the bank details are exchanged in the documents. Anyone who then makes a transfer often only notices the fraud when the payment amount has already ended up irretrievably with the fraudsters.

In principle, it is conceivable to assert civil law claims under Section 280 BGB if the invoicing party or a party involved has breached contractual duties to protect. However, injured parties are often confronted with considerable difficulties in providing evidence: Who is to prove whether and when there was a failure in the IT security of the alleged sender?

This is precisely where Art. 82 GDPR comes in. Based on increasing evidence from literature and case law, a trend is emerging whereby injured parties can assert a claim for damages in the event of breaches of data protection law – such as compromised email systems.

Art. 82 GDPR as an additional basis for claims

Art. 82 GDPR grants any person who suffers damage as a result of a breach of the General Data Protection Regulation a right to compensation for material and non-material damage. The charm of this provision lies in particular in the shifting of the burden of proof, which is expressed in paragraph 3 of this provision.

Standard of liability and reversal of the burden of proof

Art. 82 par. 1 GDPR reads:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.

”
Art. 82 para. 3 GDPR explains the decisive reversal of the burden of proof:

“The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not responsible in any respect for the event giving rise to the damage.

”
While in the case of contractual claims under Section 280 of the German Civil Code (BGB), the injured party usually has to prove that the other contracting party has breached its obligations, this burden of proof is practically reversed under the GDPR: Now, the company potentially subject to a claim must demonstrate and prove that it is not responsible for the data protection breach.

Comparison with claims under § 280 BGB

In the classic civil law liability structure, Section 280 BGB forms the basis for claims for damages in the event of breaches of duty. However, the burden of presentation and proof for all conditions justifying liability (breach of duty, fault, damage) lies with the claimant.

Anyone who can invoke Art. 82 GDPR must generally assert the existence of a GDPR breach. However, as soon as there are indications that personal data – in particular email addresses, account details or communication content – has been misused, the controller must prove that all necessary technical and organizational measures have been taken (Art. 32 GDPR).

Practical example: If it is proven that a forged invoice was created using data from specific email traffic, there is a strong presumption that the sender’s system was compromised. It is now up to the sender to provide complete proof that their IT system was not compromised. Otherwise, a claim under Art. 82 GDPR may be successful.

Practical relevance for recipients of counterfeit invoices

In my practice, I notice that clients are often surprised by the possibilities offered by Art. 82 GDPR. The recurring question is: “Is there even a breach of data protection law if only the IBAN has been falsified?”

My experience shows that fake invoices usually involve more than just an IBAN. Personal data such as name, address, invoice content, possibly details of other employees or internal company information are misused. As soon as this data falls into unauthorized hands, a violation of the GDPR is obvious.

Advantage for those affected: The resulting damages can be of a financial and non-material nature – the latter, for example, due to the annoyance, excitement and time-consuming communication required to clarify the damage. German courts are increasingly open to awarding non-material damages if there is a noticeable impairment (see, for example, LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18, which awarded damages for a comparatively minor data protection breach).

It is true that most of the published rulings do not yet explicitly deal with the issue of forged invoices. However, it can be deduced from the principles established in decisions on general data protection breaches (e.g. inadequate data security, unauthorized disclosure of data) that compromised email communication may fall under Art. 82 GDPR.

In this context, reference should also be made to the case law of the European Court of Justice (ECJ). In particular, “Schrems II” (C-311/18) shows that the protection of personal data must be given high priority. Although this case primarily dealt with the transfer of data to third countries, it fundamentally shows how strictly courts now deal with data protection violations.

Shipper responsibility and recommended measures

I see time and again that companies – whether out of ignorance or for cost reasons – cut corners when it comes to IT security. However, Art. 5 para. 1 lit. f GDPR and Art. 32 GDPR to protect personal data with appropriate technical and organizational measures (TOM). These include, among others:

  1. Secure e-mail communication: encryption (e.g. S/MIME), unique signatures, spam filters.
  2. Up-to-date systems: Firewalls, virus protection and regular updates so that known security gaps are closed.
  3. Strict access rights: Clear assignment of authorizations within the company, logging of access.
  4. Training courses: Raising employee awareness, particularly with regard to phishing, social engineering and fake attachments.
  5. Monitoring: Proactive monitoring for anomalies, e.g. unusual changes to bank details or atypical login attempts.

Companies that neglect these points run the risk of being held liable under civil law pursuant to Art. 82 GDPR in addition to possible fines from the supervisory authorities (Art. 83 GDPR).

Significance for companies and possible defense strategies

I consider the reversal of the burden of proof to be the key reason why Art. 82 GDPR is becoming increasingly important. Anyone who is held liable as the controller must provide detailed and comprehensible evidence that they are not at fault for the data breach.

Possible defense strategies are:

  • Seamless documentation of all data security measures and corresponding controls.
  • Presentation of a clear organizational structure for the protection of personal data.
  • If necessary, use of external certifications (ISO 27001 or similar) to underpin a high level of security.
  • In the event of third-party negligence, provide evidence that the compromise was exclusively outside your own sphere (e.g. error in the recipient system, inadequate protection on the recipient side).

However, such a defense regularly requires extensive IT forensic investigations and good documentation. In many of the cases I work on, the clients only approach me after the damage has actually occurred, so that a complete review of the events is often complicated.

Conclusion and outlook

In my opinion, the development of applying claims for damages under Art. 82 GDPR to cases of manipulated invoices is a great benefit for those affected. The reversal of the burden of proof ensures that the injured party no longer has to prove in detail when and how the IT systems were compromised. Instead, the sender of a possibly falsified invoice must actively prove that there was no breach of the GDPR.

Recent case law, both at national level (e.g. LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18) and by the European Court of Justice (ECJ, for example in its landmark decisions such as “Schrems II”), shows that the level of protection provided by the GDPR should not be underestimated. To date, there are no supreme court decisions in Germany that explicitly deal with fake invoices and Art. 82 GDPR. However, it is clear that the general principles of data protection law can also apply here.

I advise all companies to thoroughly secure the sending of invoices and the associated communication channels. Particular care should be taken when changing payment information. As a customer, you should remain vigilant, always consult with your bank in the event of unusual IBAN requests and double-check whether the bank details are actually correct.

Anyone who has already suffered financial losses as an injured party is well advised to examine the possibility of GDPR compensation in addition to contractual and tort claims. In many cases, this results in a significantly improved negotiating environment – and therefore more realistic prospects of obtaining compensation for part of the damage from the controller.

Beliebte Beträge

The legal protection of a business plan

5b698c02ae6e02ed43d05d01c467b658
24. September 2024

A business plan is an indispensable strategic document for start-ups and company founders. It serves as a roadmap for business...

Read moreDetails

As a teenager, make e-sports men/streamers self-employed?

As a teenager, make e-sports men/streamers self-employed?
2. January 2020

The industry of streamers and e-sports enthusiasts is very young compared to other industries and therefore also for lawyers and...

Read moreDetails

Liability of influencers and agencies for advertised products – legal risks and current developments

Liability of influencers and agencies for advertised products – legal risks and current developments
10. May 2025

Influencer marketing has become an integral part of modern advertising. Influencers recommend products and services of all kinds on social...

Read moreDetails

Confidentiality strategy for startups: NDAs, trade secret law and practical measures

Confidentiality strategy for startups: NDAs, trade secret law and practical measures
28. April 2025

Start-ups thrive on innovative ideas, creative concepts and unique technologies. Whether it's a novel algorithm, a special business idea, a...

Read moreDetails

Setting up a business abroad for OnlyFans-Business: opportunities & risks

Setting up a business abroad for OnlyFans-Business: opportunities & risks
11. May 2025

Running your own OnlyFans business often raises the question for creators and agencies based in Germany: Is it worth setting...

Read moreDetails

Right of withdrawal for tradesman services: massive legal uncertainty to continue in 2025

Right of withdrawal for tradesman services: massive legal uncertainty to continue in 2025
8. May 2025

In 2025, many tradespeople and service providers still face an often underestimated problem: contracts concluded with consumers outside of business...

Read moreDetails

NIS2 compliance 2025: relevance for SaaS and media start-ups

Risks when using and offering no-code platforms as SaaS
2. May 2025

Why another contribution to the NIS2 Directive? Do we really need a separate blog post on the NIS2 Directive in...

Read moreDetails

Software development: The new concept of defects according to §§ 327 ff. BGB

Software development: The new concept of defects according to §§ 327 ff. BGB
7. May 2025

On January 1, 2022, the German legislator fundamentally reformed the regulations for consumer contracts for digital products. For software developers...

Read moreDetails

Regulation (EU) 2024/1083 – The European Media Freedom Act (EMFA) at a glance

Regulation (EU) 2024/1083 – The European Media Freedom Act (EMFA) at a glance
6. May 2025

In May 2024, the European Media Freedom Act (EMFA) was published in the Official Journal of the EU with Regulation...

Read moreDetails
  • Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Contact
  • Leistungen
    • Support with the foundation
    • Focus areas of attorney Marian Härtel
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Games law consulting
    • Support and advice of agencies
    • Legal advice in corporate law: from incorporation to structuring
    • Cryptocurrencies, Blockchain and Games
    • Investment advice
    • Booking as speaker
    • Legal compliance and expert opinions
    • Legal advice in corporate law: from incorporation to structuring
    • Contract review and preparation
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
    • Agile and lean law firm
    • Focus on start-ups
    • Principles as a lawyer
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Why a lawyer and business consultant?
    • Focus on start-ups
    • How can I help clients?
    • Team: Saskia Härtel – WHO AM I?
    • Testimonials
    • Imprint
  • Videos
    • Video series – about me
    • Information videos – about Marian Härtel
    • Videos on services
    • Blogpost – individual videos
    • Shorts
    • Third-party videos
    • Podcast format
    • Other videos
  • Knowledge base
  • Podcast
  • Blogposts
    • Lange Artikel / Ausführungen
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Labour law
    • EU law
    • Corporate
    • Competition law
    • Copyright
    • Tax
    • Internally
    • Other
  • en English
  • de Deutsch
Kostenlose Kurzberatung