• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Once again: Manipulated invoices, third-party IBANs and claims for damages under Art. 82 GDPR

21. February 2025
in Other
Reading Time: 6 mins read
0 0
A A
0
fake 1726362 1280 1
Key Facts
  • Falsified invoices often lead to considerable financial problems for clients due to manipulated IBANs.
  • Art. 82 GDPR offers injured parties a claim for damages in the event of violations of the General Data Protection Regulation.
  • In future, the burden of proof for the infringement will lie with the responsible party, not the injured party.
  • Personal data such as name and address details are often misused in fake invoices.
  • German courts are increasingly recognizing immaterial damages, which improves the legal situation for injured parties.
  • Companies must take IT security measures to protect themselves from claims under Art. 82 GDPR.
  • Those responsible should provide complete documentation of their data controls in order to safeguard themselves.

Over the past few days, I have repeatedly reported on the topic of fake or manipulated invoices here on the blog. The reason: there are more and more cases on my desk where clients have got into payment difficulties due to professional-looking fake invoices. The criminals simply change the IBAN and pass it off as the supposed account of the invoice issuer. The result: amounts are not paid to the real recipient, but to unknown parties. Having already examined the possible liability issues from a civil law perspective (Sections 280 et seq. of the German Civil Code), I would now like to focus more on the emerging developments surrounding Art. 82 GDPR.

Content Hide
1. Background: Fake invoices and compromised systems
2. Art. 82 GDPR as an additional basis for claims
2.1. Standard of liability and reversal of the burden of proof
2.2. Comparison with claims under § 280 BGB
3. Practical relevance for recipients of counterfeit invoices
4. Shipper responsibility and recommended measures
5. Significance for companies and possible defense strategies
6. Conclusion and outlook
6.1. Author: Marian Härtel

Background: Fake invoices and compromised systems

Most of the cases I have seen follow a typical pattern: Criminals get hold of internal email communications or original invoices. Once this data has been captured, the documents are copied or “replicated” so that they look deceptively similar to genuine invoices. Only the bank details are exchanged in the documents. Anyone who then makes a transfer often only notices the fraud when the payment amount has already ended up irretrievably with the fraudsters.

In principle, it is conceivable to assert civil law claims under Section 280 BGB if the invoicing party or a party involved has breached contractual duties to protect. However, injured parties are often confronted with considerable difficulties in providing evidence: Who is to prove whether and when there was a failure in the IT security of the alleged sender?

This is precisely where Art. 82 GDPR comes in. Based on increasing evidence from literature and case law, a trend is emerging whereby injured parties can assert a claim for damages in the event of breaches of data protection law – such as compromised email systems.

Art. 82 GDPR as an additional basis for claims

Art. 82 GDPR grants any person who suffers damage as a result of a breach of the General Data Protection Regulation a right to compensation for material and non-material damage. The charm of this provision lies in particular in the shifting of the burden of proof, which is expressed in paragraph 3 of this provision.

Standard of liability and reversal of the burden of proof

Art. 82 par. 1 GDPR reads:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor.

”
Art. 82 para. 3 GDPR explains the decisive reversal of the burden of proof:

“The controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not responsible in any respect for the event giving rise to the damage.

”
While in the case of contractual claims under Section 280 of the German Civil Code (BGB), the injured party usually has to prove that the other contracting party has breached its obligations, this burden of proof is practically reversed under the GDPR: Now, the company potentially subject to a claim must demonstrate and prove that it is not responsible for the data protection breach.

Comparison with claims under § 280 BGB

In the classic civil law liability structure, Section 280 BGB forms the basis for claims for damages in the event of breaches of duty. However, the burden of presentation and proof for all conditions justifying liability (breach of duty, fault, damage) lies with the claimant.

Anyone who can invoke Art. 82 GDPR must generally assert the existence of a GDPR breach. However, as soon as there are indications that personal data – in particular email addresses, account details or communication content – has been misused, the controller must prove that all necessary technical and organizational measures have been taken (Art. 32 GDPR).

Practical example: If it is proven that a forged invoice was created using data from specific email traffic, there is a strong presumption that the sender’s system was compromised. It is now up to the sender to provide complete proof that their IT system was not compromised. Otherwise, a claim under Art. 82 GDPR may be successful.

Practical relevance for recipients of counterfeit invoices

In my practice, I notice that clients are often surprised by the possibilities offered by Art. 82 GDPR. The recurring question is: “Is there even a breach of data protection law if only the IBAN has been falsified?”

My experience shows that fake invoices usually involve more than just an IBAN. Personal data such as name, address, invoice content, possibly details of other employees or internal company information are misused. As soon as this data falls into unauthorized hands, a violation of the GDPR is obvious.

Advantage for those affected: The resulting damages can be of a financial and non-material nature – the latter, for example, due to the annoyance, excitement and time-consuming communication required to clarify the damage. German courts are increasingly open to awarding non-material damages if there is a noticeable impairment (see, for example, LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18, which awarded damages for a comparatively minor data protection breach).

It is true that most of the published rulings do not yet explicitly deal with the issue of forged invoices. However, it can be deduced from the principles established in decisions on general data protection breaches (e.g. inadequate data security, unauthorized disclosure of data) that compromised email communication may fall under Art. 82 GDPR.

In this context, reference should also be made to the case law of the European Court of Justice (ECJ). In particular, “Schrems II” (C-311/18) shows that the protection of personal data must be given high priority. Although this case primarily dealt with the transfer of data to third countries, it fundamentally shows how strictly courts now deal with data protection violations.

Shipper responsibility and recommended measures

I see time and again that companies – whether out of ignorance or for cost reasons – cut corners when it comes to IT security. However, Art. 5 para. 1 lit. f GDPR and Art. 32 GDPR to protect personal data with appropriate technical and organizational measures (TOM). These include, among others:

  1. Secure e-mail communication: encryption (e.g. S/MIME), unique signatures, spam filters.
  2. Up-to-date systems: Firewalls, virus protection and regular updates so that known security gaps are closed.
  3. Strict access rights: Clear assignment of authorizations within the company, logging of access.
  4. Training courses: Raising employee awareness, particularly with regard to phishing, social engineering and fake attachments.
  5. Monitoring: Proactive monitoring for anomalies, e.g. unusual changes to bank details or atypical login attempts.

Companies that neglect these points run the risk of being held liable under civil law pursuant to Art. 82 GDPR in addition to possible fines from the supervisory authorities (Art. 83 GDPR).

Significance for companies and possible defense strategies

I consider the reversal of the burden of proof to be the key reason why Art. 82 GDPR is becoming increasingly important. Anyone who is held liable as the controller must provide detailed and comprehensible evidence that they are not at fault for the data breach.

Possible defense strategies are:

  • Seamless documentation of all data security measures and corresponding controls.
  • Presentation of a clear organizational structure for the protection of personal data.
  • If necessary, use of external certifications (ISO 27001 or similar) to underpin a high level of security.
  • In the event of third-party negligence, provide evidence that the compromise was exclusively outside your own sphere (e.g. error in the recipient system, inadequate protection on the recipient side).

However, such a defense regularly requires extensive IT forensic investigations and good documentation. In many of the cases I work on, the clients only approach me after the damage has actually occurred, so that a complete review of the events is often complicated.

Conclusion and outlook

In my opinion, the development of applying claims for damages under Art. 82 GDPR to cases of manipulated invoices is a great benefit for those affected. The reversal of the burden of proof ensures that the injured party no longer has to prove in detail when and how the IT systems were compromised. Instead, the sender of a possibly falsified invoice must actively prove that there was no breach of the GDPR.

Recent case law, both at national level (e.g. LAG Baden-Württemberg, judgment of 21.08.2019 – 10 Sa 52/18) and by the European Court of Justice (ECJ, for example in its landmark decisions such as “Schrems II”), shows that the level of protection provided by the GDPR should not be underestimated. To date, there are no supreme court decisions in Germany that explicitly deal with fake invoices and Art. 82 GDPR. However, it is clear that the general principles of data protection law can also apply here.

I advise all companies to thoroughly secure the sending of invoices and the associated communication channels. Particular care should be taken when changing payment information. As a customer, you should remain vigilant, always consult with your bank in the event of unusual IBAN requests and double-check whether the bank details are actually correct.

Anyone who has already suffered financial losses as an injured party is well advised to examine the possibility of GDPR compensation in addition to contractual and tort claims. In many cases, this results in a significantly improved negotiating environment – and therefore more realistic prospects of obtaining compensation for part of the damage from the controller.

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Weitere spannende Blogposts

Influencer marketing contracts & content creator law

cc4cbb3206a631e8b56c3bdf22a57e6c
8. December 2024

When I founded JustGamers 25 years ago, "influencers" were still the gaming magazines that reported on new computer games in...

Read moreDetails

Security precautions for e-mail traffic – Karlsruhe Higher Regional Court specifies requirements

Bad evaluation in online portal: Author must be able to prove facts
10. August 2023

In a ruling published on July 27, 2023 (19 U 83/22), the Karlsruhe Higher Regional Court addressed the question of...

Read moreDetails

No withholding tax for online advertising

Risk Social Security / Tax audit for streamers, esports enthusiasts, etc.
7. November 2022

Not long ago, the topic of withholding tax on online advertising, such as Google Ads, was on everyone's lips. Also...

Read moreDetails

My strengths as a lawyer

New info on the status of the State Media Treaty
6. December 2022

One often hears the words that one should not praise oneself. But why not, if it is the truth? In...

Read moreDetails

Irish data protection authority fines Meta billions: A turning point for data protection in Europe?

District Court Frankfurt a.M. on the right to be forgotten
17. May 2024

Meta Ireland violates the GDPR: What the ruling of the Data Protection Commission means The recently concluded investigation by the...

Read moreDetails

Asset deal vs. share deal: Data protection implications of company acquisitions

Asset deal vs. share deal: Data protection implications of company acquisitions
10. October 2024

There are basically two options available to buyers when acquiring companies: the asset deal and the share deal. This distinction...

Read moreDetails

Attention GoBD: Trap in the accounting of the self-employed

5. June 2019

The problem The topic GoBD or written out "principles of proper accounting and data storage" are actually old hat. These...

Read moreDetails

Poker wins and cash games = commercial income?

Poker wins and cash games = commercial income?
27. November 2018

The Finanzgericht Münster had to decide on the conditions under which participation in poker tournaments, Internet poker events and cash...

Read moreDetails

Court proceedings via Skype

Court proceedings via Skype
7. November 2022

As a lawyer with a strong affinity for IT law, I now try to run my practice with as little...

Read moreDetails
Eigentum an Software – Wem gehört eigentlich der Code?
Copyright

Eigentum an Software – Wem gehört eigentlich der Code?

14. July 2025

Während ich an meinem eigenen WordPress-Plugin code, taucht immer wieder eine Frage auf: Gehört mir diese Software wirklich? Im Alltagsverständnis...

Read moreDetails
Startup ohne Entwickler?

Startup ohne Entwickler?

8. July 2025
Keine stillschweigende AGB-Änderung – Schweigen gilt nicht als Zustimnung

Keine stillschweigende AGB-Änderung – Schweigen gilt nicht als Zustimnung

7. July 2025
So langsam nimmt der Shop Form an

So langsam nimmt der Shop Form an

3. July 2025
Dark Patterns: UX-Tricks im Visier von Gesetzgeber und Gerichten

Dark Patterns: UX-Tricks im Visier von Gesetzgeber und Gerichten

2. July 2025

Podcastfolge

8315f1ef298eb54dfeed2f5e55c8b9da 1

Erste Testfolge des ITMediaLaw Podcast

26. August 2024

Erste TestfolgeLiebe Leserinnen und Leser,ich freue mich, heute den ersten Testlauf unseres brandneuen IT Media Law Podcasts zu präsentieren! In diesem Podcast...

Read moreDetails
Legal challenges when implementing confidential computing: data protection and encryption in the cloud

Smart Contracts und Blockchain

22. December 2024
Innovative Geschäftsmodelle – Risiko und Chance zugleich

Innovative Geschäftsmodelle – Risiko und Chance zugleich

10. September 2024
Der IT Media Law Podcast. Folge Nr. 1: Worum geht es hier eigentlich?

Der IT Media Law Podcast. Folge Nr. 1: Worum geht es hier eigentlich?

26. August 2024
Influencer und Gaming: Rechtliche Herausforderungen in der digitalen Unterhaltungswelt

Influencer und Gaming: Rechtliche Herausforderungen in der digitalen Unterhaltungswelt

25. September 2024

Video

Mein transparente Abrechnung

Mein transparente Abrechnung

10. February 2025

In diesem Video rede ich ein wenig über transparente Abrechnung und wie ich kommuniziere, was es kostet, wenn man mit...

Read moreDetails
Faszination zwischen und Recht und Technologie

Faszination zwischen und Recht und Technologie

10. February 2025
Meine zwei größten Herausforderungen sind?

Meine zwei größten Herausforderungen sind?

10. February 2025
Was mich wirklich freut

Was mich wirklich freut

10. February 2025
Was ich an meinem Job liebe!

Was ich an meinem Job liebe!

10. February 2025
  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung