• Areas of expertise
  • |
  • About me
  • |
  • Principles as a lawyer
  • Tel: 03322 5078053
  • |
  • info@itmedialaw.com
ITMediaLaw - Rechtsanwalt Marian Härtel
  • en English
  • de Deutsch
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
Kurzberatung
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
      • Ideal partner
      • About lawyer Marian Härtel
      • Video series – about me
      • Why a lawyer and business consultant?
      • Principles as a lawyer
      • Focus on start-ups
      • Nerd und Rechtsanwalt
      • Ideal partner
      • How can I help clients?
    • Über die Kanzlei
      • How clients benefit from my network of colleagues, partners and service providers
      • Quick and flexible access
      • Agile and lean law firm
      • Team: Saskia Härtel – WHO AM I?
      • Price overview
    • How can I help clients?
    • Sonstige Informationen
      • Einwilligungen widerrufen
      • Privatsphäre-Einstellungen ändern
      • Historie der Privatsphäre-Einstellungen
      • Privacy policy
    • Testimonials
    • Imprint
  • Leistungen
    • Focus areas of attorney Marian Härtel
      • Support with the foundation
      • Games law consulting
      • Advice in e-commerce
      • Support and advice of agencies
      • Legal advice in corporate law: from incorporation to structuring
      • Legal compliance and expert opinions
      • Streamers and influencers
      • Cryptocurrencies, Blockchain and Games
      • Outsourcing – for companies or law firms
    • Arbeitsschwerpunkte
      • Games and esports law
        • Esports. What is it?
      • Corporate law
      • IT/IP Law
      • Consulting for influencers and streamers
        • Influencer & Streamer
      • Contract review and preparation
      • DLT and Blockchain consulting
        • Blockchain Overview
      • Investment advice
      • AI and SaaS
  • Artikel/News
    • Langartikel / Guides
    • Law and computer games
    • Law and Esport
    • Law on the Internet
    • Blockchain and web law
    • Online retail
    • Data protection Law
    • Copyright
    • Competition law
    • Copyright
    • EU law
    • Law on the protection of minors
    • Labour law
    • Tax
    • Kanzlei News
    • Other
  • Videos/Podcasts
    • Videos
    • Podcast
      • ITMediaLaw Podcast
      • ITMediaLaw Kurz-Podcast
  • Knowledge base
  • Contact
ITMediaLaw - Rechtsanwalt Marian Härtel
Home Other

Once again: Manipulated invoices, third-party IBANs and claims for damages under Art. 82 GDPR

21. February 2025
in Other
Reading Time: 6 mins read
0 0
A A
0
fake 1726362 1280 1
Key Facts
  • Falsified invoices often lead to considerable financial problems for clients due to manipulated IBANs.
  • Art. 82 GDPR offers injured parties a claim for damages in the event of violations of the General Data Protection Regulation.
  • In future, the burden of proof for the infringement will lie with the responsible party, not the injured party.
  • Personal data such as name and address details are often misused in fake invoices.
  • German courts are increasingly recognizing immaterial damages, which improves the legal situation for injured parties.
  • Companies must take IT security measures to protect themselves from claims under Art. 82 GDPR.
  • Those responsible should provide complete documentation of their data controls in order to safeguard themselves.

Over the past few days, I have repeatedly reported on the topic of fake or manipulated invoices here on the blog. The reason: there are more and more cases on my desk where clients have got into payment difficulties due to professional-looking fake invoices. The criminals simply change the IBAN and pass it off as the supposed account of the invoice issuer. The result: amounts are not paid to the real recipient, but to unknown parties. Having already examined the possible liability issues from a civil law perspective (Sections 280 et seq. of the German Civil Code), I would now like to focus more on the emerging developments surrounding Art. 82 GDPR.

Content Hide
1. Background: Fake invoices and compromised systems
2. Art. 82 GDPR as an additional basis for claims
2.1. Standard of liability and reversal of the burden of proof
2.2. Comparison with claims under § 280 BGB
3. Practical relevance for recipients of counterfeit invoices
4. Shipper responsibility and recommended measures
5. Significance for companies and possible defense strategies
6. Conclusion and outlook

Background: Fake invoices and compromised systems

Most of the cases I have seen follow a typical pattern: Criminals get hold of internal email communications or original invoices. Once this data has been captured, the documents are copied or “replicated” so that they look deceptively similar to genuine invoices. Only the bank details are exchanged in the documents. Anyone who then makes a transfer often only notices the fraud when the payment amount has already ended up irretrievably with the fraudsters.

In principle, it is conceivable to assert civil law claims under Section 280 BGB if the invoicing party or a party involved has breached contractual duties to protect. However, injured parties are often confronted with considerable difficulties in providing evidence: Who is to prove whether and when there was a failure in the IT security of the alleged sender?

This is precisely where Art. 82 GDPR comes in. Based on increasing evidence from literature and case law, a trend is emerging whereby injured parties can assert a claim for damages in the event of breaches of data protection law – such as compromised email systems.

Art. 82 GDPR as an additional basis for claims

Art. 82 GDPR grants any person who suffers damage as a result of a breach of the General Data Protection Regulation a right to compensation for material and non-material damage. The charm of this provision lies in particular in the shifting of the burden of proof, which is expressed in paragraph 3 of this provision.

Standard of liability and reversal of the burden of proof

Art. 82 par. 1 GDPR reads:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.

”
Art. 82 para. 3 GDPR explains the decisive reversal of the burden of proof:

“The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not responsible in any respect for the event giving rise to the damage.

”
While in the case of contractual claims under Section 280 of the German Civil Code (BGB), the injured party usually has to prove that the other contracting party has breached its obligations, this burden of proof is practically reversed under the GDPR: Now, the company potentially subject to a claim must demonstrate and prove that it is not responsible for the data protection breach.

Comparison with claims under § 280 BGB

In the classic civil law liability structure, Section 280 BGB forms the basis for claims for damages in the event of breaches of duty. However, the burden of presentation and proof for all conditions justifying liability (breach of duty, fault, damage) lies with the claimant.

Anyone who can invoke Art. 82 GDPR must generally assert the existence of a GDPR breach. However, as soon as there are indications that personal data – in particular email addresses, account details or communication content – has been misused, the controller must prove that all necessary technical and organizational measures have been taken (Art. 32 GDPR).

Practical example: If it is proven that a forged invoice was created using data from specific email traffic, there is a strong presumption that the sender’s system was compromised. It is now up to the sender to provide complete proof that their IT system was not compromised. Otherwise, a claim under Art. 82 GDPR may be successful.

Practical relevance for recipients of counterfeit invoices

In my practice, I notice that clients are often surprised by the possibilities offered by Art. 82 GDPR. The recurring question is: “Is there even a breach of data protection law if only the IBAN has been falsified?”

My experience shows that fake invoices usually involve more than just an IBAN. Personal data such as name, address, invoice content, possibly details of other employees or internal company information are misused. As soon as this data falls into unauthorized hands, a violation of the GDPR is obvious.

Advantage for those affected: The resulting damages can be of a financial and non-material nature – the latter, for example, due to the annoyance, excitement and time-consuming communication required to clarify the damage. German courts are increasingly open to awarding non-material damages if there is a noticeable impairment (see, for example, LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18, which awarded damages for a comparatively minor data protection breach).

It is true that most of the published rulings do not yet explicitly deal with the issue of forged invoices. However, it can be deduced from the principles established in decisions on general data protection breaches (e.g. inadequate data security, unauthorized disclosure of data) that compromised email communication may fall under Art. 82 GDPR.

In this context, reference should also be made to the case law of the European Court of Justice (ECJ). In particular, “Schrems II” (C-311/18) shows that the protection of personal data must be given high priority. Although this case primarily dealt with the transfer of data to third countries, it fundamentally shows how strictly courts now deal with data protection violations.

Shipper responsibility and recommended measures

I see time and again that companies – whether out of ignorance or for cost reasons – cut corners when it comes to IT security. However, Art. 5 para. 1 lit. f GDPR and Art. 32 GDPR to protect personal data with appropriate technical and organizational measures (TOM). These include, among others:

  1. Secure e-mail communication: encryption (e.g. S/MIME), unique signatures, spam filters.
  2. Up-to-date systems: Firewalls, virus protection and regular updates so that known security gaps are closed.
  3. Strict access rights: Clear assignment of authorizations within the company, logging of access.
  4. Training courses: Raising employee awareness, particularly with regard to phishing, social engineering and fake attachments.
  5. Monitoring: Proactive monitoring for anomalies, e.g. unusual changes to bank details or atypical login attempts.

Companies that neglect these points run the risk of being held liable under civil law pursuant to Art. 82 GDPR in addition to possible fines from the supervisory authorities (Art. 83 GDPR).

Significance for companies and possible defense strategies

I consider the reversal of the burden of proof to be the key reason why Art. 82 GDPR is becoming increasingly important. Anyone who is held liable as the controller must provide detailed and comprehensible evidence that they are not at fault for the data breach.

Possible defense strategies are:

  • Seamless documentation of all data security measures and corresponding controls.
  • Presentation of a clear organizational structure for the protection of personal data.
  • If necessary, use of external certifications (ISO 27001 or similar) to underpin a high level of security.
  • In the event of third-party negligence, provide evidence that the compromise was exclusively outside your own sphere (e.g. error in the recipient system, inadequate protection on the recipient side).

However, such a defense regularly requires extensive IT forensic investigations and good documentation. In many of the cases I work on, the clients only approach me after the damage has actually occurred, so that a complete review of the events is often complicated.

Conclusion and outlook

In my opinion, the development of applying claims for damages under Art. 82 GDPR to cases of manipulated invoices is a great benefit for those affected. The reversal of the burden of proof ensures that the injured party no longer has to prove in detail when and how the IT systems were compromised. Instead, the sender of a possibly falsified invoice must actively prove that there was no breach of the GDPR.

Recent case law, both at national level (e.g. LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18) and by the European Court of Justice (ECJ, for example in its landmark decisions such as “Schrems II”), shows that the level of protection provided by the GDPR should not be underestimated. To date, there are no supreme court decisions in Germany that explicitly deal with fake invoices and Art. 82 GDPR. However, it is clear that the general principles of data protection law can also apply here.

I advise all companies to thoroughly secure the sending of invoices and the associated communication channels. Particular care should be taken when changing payment information. As a customer, you should remain vigilant, always consult with your bank in the event of unusual IBAN requests and double-check whether the bank details are actually correct.

Anyone who has already suffered financial losses as an injured party is well advised to examine the possibility of GDPR compensation in addition to contractual and tort claims. In many cases, this results in a significantly improved negotiating environment – and therefore more realistic prospects of obtaining compensation for part of the damage from the controller.

Beliebte Beträge

The legal protection of a business plan

5b698c02ae6e02ed43d05d01c467b658
24. September 2024

A business plan is an indispensable strategic document for start-ups and company founders. It serves as a roadmap for business...

Read moreDetails

As a teenager, make e-sports men/streamers self-employed?

As a teenager, make e-sports men/streamers self-employed?
2. January 2020

The industry of streamers and e-sports enthusiasts is very young compared to other industries and therefore also for lawyers and...

Read moreDetails

European Accessibility Act and BFSG: Accessibility will be mandatory for websites, online stores & software from 2025

european economic interest grouping eeig
25. April 2025

Accessibility in the digital world is no longer just a voluntary option, but is becoming a legal obligation. The European...

Read moreDetails

Coalition agreement 2025: changes to commercial law for companies, the self-employed and investors

Coalition agreement 2025: changes to commercial law for companies, the self-employed and investors
9. April 2025

The 2025 coalition agreement of the (presumably) new federal government under the leadership of the CDU/CSU and SPD contains extensive...

Read moreDetails

Modern contract design 2025 in the influencer and agency business

Modern contract design 2025 in the influencer and agency business
7. April 2025

Influencer marketing and agency collaborations have gained enormously in importance in recent years. With new technologies, global networking and changing...

Read moreDetails

Influencers abroad: no free pass from German laws

Influencers abroad: no free pass from German laws
14. April 2025

Many influencers dream of escaping the German winter and their local obligations - be it to Dubai, Madeira or the...

Read moreDetails

Influencer agency contracts and Section 627 BGB: Effectively exclude termination in a relationship of trust

Influencer agency contracts and Section 627 BGB: Effectively exclude termination in a relationship of trust
12. April 2025

Contracts between influencers and their agencies or between managers and artists are often based on a close relationship of trust....

Read moreDetails

Liability when using VibeCoding and no-code platforms – implications for legal due diligence

Liability when using VibeCoding and no-code platforms – implications for legal due diligence
31. March 2025

VibeCoding describes a current trend in which software is no longer programmed manually, but is developed almost exclusively using AI...

Read moreDetails

The romanticization of the “fail fast” principle in startups – When does failure become deception towards stakeholders?

The romanticization of the “fail fast” principle in startups – When does failure become deception towards stakeholders?
3. April 2025

"Fail fast, fail often" - hardly any other motto characterizes the start-up culture as much as the idea of trying...

Read moreDetails

5.0 60 reviews

  • Avatar Lennart Korte ★★★★★ vor 2 Monaten
    Ich kann Herrn Härtel als Anwalt absolut weiterempfehlen! Sein Service ist erstklassig – schnelle Antwortzeiten, effiziente … Mehr Arbeit und dabei sehr kostengünstig, was für Startups besonders wichtig ist. Er hat für mein Startup einen Vertrag erstellt, und ich bin von seiner professionellen und zuverlässigen Arbeit überzeugt. Klare Empfehlung!
  • Avatar R.H. ★★★★★ vor 3 Monaten
    Ich kann Hr. Härtel nur empfehlen! Er hat mich bei einem Betrugsversuch einer Krypto Börse rechtlich vertreten. Ich bin sehr … Mehr zufrieden mit seiner engagierten Arbeit gewesen. Ich wurde von Anfang an kompetent, fair und absolut transparent beraten. Trotz eines zähen Verfahrens und einer großen Börse als Gegner, habe ich mich immer sicher und zuversichtlich gefühlt. Auch die Schnelligkeit und die sehr gute Erreichbarkeit möchte ich an der Stelle hoch loben und nochmal meinen herzlichsten Dank aussprechen! Daumen hoch mit 10 Sternen!
  • Avatar P! Galerie ★★★★★ vor 4 Monaten
    Herr Härtel hat uns äusserst kompetent in einen lästigen Fall mit META betreut. Er war effizient, beharrlich, aber auch mit … Mehr uns geduldig. Menschlich top, bis wir am Ende Dank ihm erfolgreich zum Ziel gekommen sind. Können wir wärmstens empfehlen. Und nochmals danke. P.H.
  • Avatar Philip Lucas ★★★★★ vor 8 Monaten
    Wir haben Herrn Härtel für unser Unternehmen konsultiert und sind äußerst zufrieden mit seiner Arbeit. Von Anfang an hat … Mehr er einen überaus kompetenten Eindruck gemacht und sich als ein sehr angenehmer Gesprächspartner erwiesen. Seine fachliche Expertise und seine verständliche und zugängliche Art im Umgang mit komplexen Themen haben uns überzeugt. Wir freuen uns auf eine langfristige und erfolgreiche Zusammenarbeit!
  • Avatar Doris H. ★★★★★ vor 10 Monaten
    Herr Härtel hat uns bezüglich eines Telefonvertrags beraten und vertreten. Wir waren mit seinem Service sehr zufrieden. Er … Mehr hat stets schnell auf unsere E-mails und Anrufe reagiert und den Sachverhalt einfach und verständlich erklärt. Wir würden Herrn Härtel jederzeit wieder beauftragen.Vielen Dank für die hervorragende Unterstützung
  • Avatar Mikael Hällgren ★★★★★ vor einem Monat
    I got fantastic support from Marian Härtel. He managed to get my wrongfully suspended Instagram account restored. He was … Mehr incredibly helpful the whole way until the positive outcome. Highly recommended!
  • Avatar Mosaic Mask Studio ★★★★★ vor 5 Monaten
    Die Kanzlei ist immer ein verlässlicher Partner bei der Sichtung und Bearbeitung von Verträgen in der IT Branche. Es ist … Mehr stets ein professioneller Austausch auf Augenhöhe.
    Die Ergebnisse sind auf hohem Niveau und haben die interessen unsers Unternehmens immer bestmöglich wiedergespiegelt.
    Vielen Dank für die sehr gute Zusammenarbeit.
  • Avatar Philipp Skaar ★★★★★ vor 8 Monaten
    Als kleines inhabergeführtes Hotel sehen wir uns ab und dann (bei sonst weit über dem Durchschnitt liegenden Bewertungen) … Mehr der Herausforderung von aus der Anonymität heraus agierenden "Netz-Querulanten" gegenüber gestellt. Herr Härtel versteht es außerordentlich spür- und feinsinnig, derartige - oftmals auf Rufschädigung ausgerichtete - Bewertungen bereits im Keim, also außergerichtlich, zu ersticken und somit unseren Betrieb vor weiteren Folgeschäden zu bewahren. Seine Umsetzungsgeschwindigkeit ist beeindruckend, seine bisherige Erfolgsquote = 100%.Ergo: Unsere erste Adresse zur Abwehr von geschäftsschädigenden Angriffen aus dem Web.
  • ●
  • ●
  • ●
  • ●

Video-Galerie

Be careful not to offer only binary login options!
Be careful not to offer only binary login options!
Short video about Marian Härtel - Contact
Short video about Marian Härtel – Contact
Lean office structures and quickly accessible
Lean office structures and quickly accessible
Blocking minority

Blocking minority

27. June 2023

Blocking minority is a term used in corporate law and refers to the ability of one or more shareholders to...

Read moreDetails
d05f2367 adba 436f b9f9 b77892754071 202725299

Power of attorney for acquiescence

29. March 2025
Federal Fiscal Court

Federal Fiscal Court

27. June 2023
elektronisches wertpapiergesetz ewpg

Electronic Securities Register Ordinance – eWpRV

28. June 2023
ESOP agreement

Prototype Funding

25. June 2023

Podcast Folgen

092def0649c76ad70f0883df970929cb

Influencers and gaming: legal challenges in the digital entertainment world

26. September 2024

In this captivating episode, lawyer Marian Härtel takes listeners on an exciting journey through the dynamic world of influencers and...

8315f1ef298eb54dfeed2f5e55c8b9da 1

First test episode of the ITMediaLaw Podcast

26. August 2024

First test episodeDear readers, I am delighted to present the first test run of our brand new IT Media Law...

c9c5d7fd380061a8018074c2ca5a81bf

Startups and innovation in Germany – challenges and opportunities

26. September 2024

This insightful podcast episode takes an in-depth look at the startup and innovation landscape in Germany and Europe. The discussion...

9e9bbb286e0d24cb5ca04eccc9b0c902

Legal challenges of innovative business models

1. October 2024

In this captivating podcast episode, I dive deep into the world of legal challenges associated with innovative business models as...

  • Home
  • Imprint
  • Privacy policy
  • Terms
  • Agile and lean law firm
  • Ideal partner
  • Contact
  • Videos
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Contact
  • Leistungen
    • Support with the foundation
    • Focus areas of attorney Marian Härtel
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Games law consulting
    • Support and advice of agencies
    • Legal advice in corporate law: from incorporation to structuring
    • Cryptocurrencies, Blockchain and Games
    • Investment advice
    • Booking as speaker
    • Legal compliance and expert opinions
    • Legal advice in corporate law: from incorporation to structuring
    • Contract review and preparation
  • About lawyer Marian Härtel
    • About lawyer Marian Härtel
    • Agile and lean law firm
    • Focus on start-ups
    • Principles as a lawyer
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Why a lawyer and business consultant?
    • Focus on start-ups
    • How can I help clients?
    • Team: Saskia Härtel – WHO AM I?
    • Testimonials
    • Imprint
  • Videos
    • Video series – about me
    • Information videos – about Marian Härtel
    • Videos on services
    • Blogpost – individual videos
    • Shorts
    • Third-party videos
    • Podcast format
    • Other videos
  • Knowledge base
  • Podcast
  • Blogposts
    • Lange Artikel / Ausführungen
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Labour law
    • EU law
    • Corporate
    • Competition law
    • Copyright
    • Tax
    • Internally
    • Other
  • en English
  • de Deutsch
Kostenlose Kurzberatung