• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Once again: Manipulated invoices, third-party IBANs and claims for damages under Art. 82 GDPR

21. February 2025
in Other
Reading Time: 6 mins read
0 0
A A
0
fake 1726362 1280 1
Key Facts
  • Falsified invoices often lead to considerable financial problems for clients due to manipulated IBANs.
  • Art. 82 GDPR offers injured parties a claim for damages in the event of violations of the General Data Protection Regulation.
  • In future, the burden of proof for the infringement will lie with the responsible party, not the injured party.
  • Personal data such as name and address details are often misused in fake invoices.
  • German courts are increasingly recognizing immaterial damages, which improves the legal situation for injured parties.
  • Companies must take IT security measures to protect themselves from claims under Art. 82 GDPR.
  • Those responsible should provide complete documentation of their data controls in order to safeguard themselves.

Over the past few days, I have repeatedly reported on the topic of fake or manipulated invoices here on the blog. The reason: there are more and more cases on my desk where clients have got into payment difficulties due to professional-looking fake invoices. The criminals simply change the IBAN and pass it off as the supposed account of the invoice issuer. The result: amounts are not paid to the real recipient, but to unknown parties. Having already examined the possible liability issues from a civil law perspective (Sections 280 et seq. of the German Civil Code), I would now like to focus more on the emerging developments surrounding Art. 82 GDPR.

Content Hide
1. Background: Fake invoices and compromised systems
2. Art. 82 GDPR as an additional basis for claims
2.1. Standard of liability and reversal of the burden of proof
2.2. Comparison with claims under § 280 BGB
3. Practical relevance for recipients of counterfeit invoices
4. Shipper responsibility and recommended measures
5. Significance for companies and possible defense strategies
6. Conclusion and outlook
6.1. Author: Marian Härtel

Background: Fake invoices and compromised systems

Most of the cases I have seen follow a typical pattern: Criminals get hold of internal email communications or original invoices. Once this data has been captured, the documents are copied or “replicated” so that they look deceptively similar to genuine invoices. Only the bank details are exchanged in the documents. Anyone who then makes a transfer often only notices the fraud when the payment amount has already ended up irretrievably with the fraudsters.

In principle, it is conceivable to assert civil law claims under Section 280 BGB if the invoicing party or a party involved has breached contractual duties to protect. However, injured parties are often confronted with considerable difficulties in providing evidence: Who is to prove whether and when there was a failure in the IT security of the alleged sender?

This is precisely where Art. 82 GDPR comes in. Based on increasing evidence from literature and case law, a trend is emerging whereby injured parties can assert a claim for damages in the event of breaches of data protection law – such as compromised email systems.

Art. 82 GDPR as an additional basis for claims

Art. 82 GDPR grants any person who suffers damage as a result of a breach of the General Data Protection Regulation a right to compensation for material and non-material damage. The charm of this provision lies in particular in the shifting of the burden of proof, which is expressed in paragraph 3 of this provision.

Standard of liability and reversal of the burden of proof

Art. 82 par. 1 GDPR reads:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.

”
Art. 82 para. 3 GDPR explains the decisive reversal of the burden of proof:

“The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not responsible in any respect for the event giving rise to the damage.

”
While in the case of contractual claims under Section 280 of the German Civil Code (BGB), the injured party usually has to prove that the other contracting party has breached its obligations, this burden of proof is practically reversed under the GDPR: Now, the company potentially subject to a claim must demonstrate and prove that it is not responsible for the data protection breach.

Comparison with claims under § 280 BGB

In the classic civil law liability structure, Section 280 BGB forms the basis for claims for damages in the event of breaches of duty. However, the burden of presentation and proof for all conditions justifying liability (breach of duty, fault, damage) lies with the claimant.

Anyone who can invoke Art. 82 GDPR must generally assert the existence of a GDPR breach. However, as soon as there are indications that personal data – in particular email addresses, account details or communication content – has been misused, the controller must prove that all necessary technical and organizational measures have been taken (Art. 32 GDPR).

Practical example: If it is proven that a forged invoice was created using data from specific email traffic, there is a strong presumption that the sender’s system was compromised. It is now up to the sender to provide complete proof that their IT system was not compromised. Otherwise, a claim under Art. 82 GDPR may be successful.

Practical relevance for recipients of counterfeit invoices

In my practice, I notice that clients are often surprised by the possibilities offered by Art. 82 GDPR. The recurring question is: “Is there even a breach of data protection law if only the IBAN has been falsified?”

My experience shows that fake invoices usually involve more than just an IBAN. Personal data such as name, address, invoice content, possibly details of other employees or internal company information are misused. As soon as this data falls into unauthorized hands, a violation of the GDPR is obvious.

Advantage for those affected: The resulting damages can be of a financial and non-material nature – the latter, for example, due to the annoyance, excitement and time-consuming communication required to clarify the damage. German courts are increasingly open to awarding non-material damages if there is a noticeable impairment (see, for example, LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18, which awarded damages for a comparatively minor data protection breach).

It is true that most of the published rulings do not yet explicitly deal with the issue of forged invoices. However, it can be deduced from the principles established in decisions on general data protection breaches (e.g. inadequate data security, unauthorized disclosure of data) that compromised email communication may fall under Art. 82 GDPR.

In this context, reference should also be made to the case law of the European Court of Justice (ECJ). In particular, “Schrems II” (C-311/18) shows that the protection of personal data must be given high priority. Although this case primarily dealt with the transfer of data to third countries, it fundamentally shows how strictly courts now deal with data protection violations.

Shipper responsibility and recommended measures

I see time and again that companies – whether out of ignorance or for cost reasons – cut corners when it comes to IT security. However, Art. 5 para. 1 lit. f GDPR and Art. 32 GDPR to protect personal data with appropriate technical and organizational measures (TOM). These include, among others:

  1. Secure e-mail communication: encryption (e.g. S/MIME), unique signatures, spam filters.
  2. Up-to-date systems: Firewalls, virus protection and regular updates so that known security gaps are closed.
  3. Strict access rights: Clear assignment of authorizations within the company, logging of access.
  4. Training courses: Raising employee awareness, particularly with regard to phishing, social engineering and fake attachments.
  5. Monitoring: Proactive monitoring for anomalies, e.g. unusual changes to bank details or atypical login attempts.

Companies that neglect these points run the risk of being held liable under civil law pursuant to Art. 82 GDPR in addition to possible fines from the supervisory authorities (Art. 83 GDPR).

Significance for companies and possible defense strategies

I consider the reversal of the burden of proof to be the key reason why Art. 82 GDPR is becoming increasingly important. Anyone who is held liable as the controller must provide detailed and comprehensible evidence that they are not at fault for the data breach.

Possible defense strategies are:

  • Seamless documentation of all data security measures and corresponding controls.
  • Presentation of a clear organizational structure for the protection of personal data.
  • If necessary, use of external certifications (ISO 27001 or similar) to underpin a high level of security.
  • In the event of third-party negligence, provide evidence that the compromise was exclusively outside your own sphere (e.g. error in the recipient system, inadequate protection on the recipient side).

However, such a defense regularly requires extensive IT forensic investigations and good documentation. In many of the cases I work on, the clients only approach me after the damage has actually occurred, so that a complete review of the events is often complicated.

Conclusion and outlook

In my opinion, the development of applying claims for damages under Art. 82 GDPR to cases of manipulated invoices is a great benefit for those affected. The reversal of the burden of proof ensures that the injured party no longer has to prove in detail when and how the IT systems were compromised. Instead, the sender of a possibly falsified invoice must actively prove that there was no breach of the GDPR.

Recent case law, both at national level (e.g. LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18) and by the European Court of Justice (ECJ, for example in its landmark decisions such as “Schrems II”), shows that the level of protection provided by the GDPR should not be underestimated. To date, there are no supreme court decisions in Germany that explicitly deal with fake invoices and Art. 82 GDPR. However, it is clear that the general principles of data protection law can also apply here.

I advise all companies to thoroughly secure the sending of invoices and the associated communication channels. Particular care should be taken when changing payment information. As a customer, you should remain vigilant, always consult with your bank in the event of unusual IBAN requests and double-check whether the bank details are actually correct.

Anyone who has already suffered financial losses as an injured party is well advised to examine the possibility of GDPR compensation in addition to contractual and tort claims. In many cases, this results in a significantly improved negotiating environment – and therefore more realistic prospects of obtaining compensation for part of the damage from the controller.

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Weitere spannende Blogposts

What will change in the new Youth Media Protection State Treaty?

Streamers and airtime restrictions? KJM declares JusProg ineffective
16. December 2019

Together with the new media state treaty, there will also be some changes in the Youth Media Protection State Treaty...

Read moreDetails

Twitch Streams and Let’s Plays: Attention!

youtube 3503481 960 720
2. January 2019

In line with this article from today, I would like to briefly emphasize that citation law does not apply to...

Read moreDetails

Multi-tenant architectures in the SaaS sector: data separation and compliance requirements

6e405ef66c83bf9de2066fb73a1deafc
9. November 2024

Multi-tenant architectures are the backbone of modern SaaS solutions, as they enable efficient use of resources and scalability. However, they...

Read moreDetails

BGH decides on the scope of the claim for removal under competition law)

BGH considers Uber Black to be anti-competitive
17. May 2024

The First Civil Senate of the Federal Court of Justice, which is responsible for competition law among other things, has...

Read moreDetails

Liability of website operators for user comments – When and how operators are responsible for their users’ content

Creating contracts with face models and voice models: A guide for the gaming industry
15. March 2025

Introduction The responsibility of website operators for user-generated content has become much more important in recent years, both in case...

Read moreDetails

Injunctive debtor is liable for Google Cache!

Online shops: Attention to advertising with EIA
1. October 2019

Anyone who has read about the blog here in recent months will have noticed that I am now very critical...

Read moreDetails

Data leakage can be expensive, DSGVO breach in a different way

LG Munich: Data protection consent on dating platform
7. November 2022

Last year, British Airways suffered a data leak that allegedly affected more than 250,000 customers and involved highly sensitive data...

Read moreDetails

Greenwashing: what it is and why it might violate competition law

Greenwashing: what it is and why it might violate competition law
9. July 2023

In today's world, where sustainability and environmental awareness are becoming increasingly important, companies have realized that they can gain a...

Read moreDetails

BGH confirms ruling against darknet marketplace operator

Abusive warnings are punishable by law
7. November 2022

The Karlsruhe Regional Court sentenced the defendant to a total term of imprisonment of six years for several narcotics and...

Read moreDetails
Lis pendens

Lis pendens

16. October 2024

Definition and legal basis: Lis pendens refers to the state of a legal dispute that occurs when a lawsuit is...

Read moreDetails
Gemeinsame Glücksspielbehörde der Länder

Gemeinsame Glücksspielbehörde der Länder

1. July 2023
Marketing contract Influencer / Streamer

Marketing contract Influencer / Streamer

26. June 2023
Warranty exclusion

Warranty exclusion

16. October 2024
Business split

Business split

16. October 2024

Podcast Folgen

“Digitales Recht Entschlüsselt” mit Rechtsanwalt Marian Härtel

“Digitales Recht Entschlüsselt” mit Rechtsanwalt Marian Härtel

25. September 2024

In diesem spannenden 30-minütigen Podcast entschlüsselt Rechtsanwalt Marian Härtel die komplexe Welt des digitalen Rechts für Selbstständige, Startups und Solopreneure....

Rechtliche Risiken bei langen Entwicklungszeiten und der Stornierung von Crowdfundingspielen

Rechtliche Risiken bei langen Entwicklungszeiten und der Stornierung von Crowdfundingspielen

20. April 2025

In dieser Episode erörtern wir die rechtlichen Herausforderungen, denen Spieleentwickler bei der Finanzierung durch Crowdfunding gegenüberstehen. Wir beleuchten die Verpflichtungen...

Legal challenges when implementing confidential computing: data protection and encryption in the cloud

Smart Contracts und Blockchain

22. December 2024

In dieser fesselnden Podcast-Episode tauch ich tief in die Welt der Blockchain-Technologie und Smart Contracts ein. Die 25-minütige Folge beleuchtet,...

Rechtliche Herausforderungen im Gaming-Universum: Ein Leitfaden für Entwickler, Esportler und Gamer

Was wird 2025 für Startups juristisch bringen? Chancen? Risiken?

24. January 2025

In dieser spannenden Episode des itmedialaw-Podcasts tauchen wir tief in die rechtlichen Entwicklungen ein, die die Startup-Welt im Jahr 2025...

  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung