Key Facts

Manipulated invoices often result in payments to false accounts, which leads to complex legal challenges.
The Higher Regional Court of Schleswig-Holstein ruled that payments to false accounts do not constitute performance if the invoice was altered without authorization.
Companies must demonstrate sufficient security measures to protect personal data, especially in the case of financial risks.
End-to-end encryption is seen as a necessary measure for the protection of e-mail traffic.
A breach of the GDPR requires proof and evidence of the security measures taken by the controller.
Customers must check invoices; contributory negligence can reduce claims for damages.
The ruling serves as an important precedent for the liability of companies in the event of digital manipulation.

Recently, I have been working on a large number of cases involving hacked email servers and relevant financial amounts. Invoices are often manipulated so that payments are made to false accounts. These cases are particularly sensitive, as there is often a lack of clear precedents and technical expertise and careful legal analysis are crucial. I have already referred to the problem of fake invoices and false IBAN transfers in previous articles, in particular in the articles Fake invoices and false IBAN transfers and Fake invoices with a false IBAN – What to do if you have fallen for fraudsters?

Content Hide

1. Background to the case

2. Liability under the GDPR and BGB

3. Safety measures and practice

4. Conclusion and recommendation for action

Background to the case

In a recent ruling, the Higher Regional Court of Schleswig-Holstein decided that the payment of an amount to an incorrect account does not constitute fulfilment of the payment obligation if the invoice has been altered without authorization. However, the customer can assert a claim for damages that may arise from Art. 82 GDPR if the company has breached its obligations under the GDPR. In addition to the GDPR, a claim for damages under Section 280 of the German Civil Code (BGB) can often also be considered, as this may involve a breach of contractual obligations.

The Higher Regional Court corrected the judgment of the Regional Court by stating that the payment to the wrong account did not have a fulfillment effect. This is due to the fact that the creditor did not receive the amount for free disposal. Performance by payment to a third party pursuant to Section 362 (2) of the German Civil Code (BGB) is only given if the creditor is legally authorized by the creditor to receive the payment in his own name. As this was not the case, the payment obligation remained in place.

A central point of the decision is the question of whether the company has taken sufficient security measures to protect the personal data from unauthorized access. The court emphasizes that pure transport encryption is not sufficient when sending emails containing personal data, especially where there is a high financial risk. Instead, end-to-end encryption is recommended as an appropriate measure. Companies must prove that they have taken appropriate security measures to protect personal data in accordance with the level of security required by the GDPR.

The Higher Regional Court found that a breach of the provisions of the GDPR cannot be assumed simply because unauthorized access to personal data has taken place. Rather, the controller must demonstrate and prove that the security measures taken were suitable to protect the personal data from unauthorized access. The requirements for the security measures depend on the risks associated with the processing and must be assessed individually.

In this case, the Higher Regional Court ruled that the plaintiff had substantiated that it had taken sufficient minimum protection measures in the form of SMTP via TLS for email traffic with contractual partners. However, this submission was disputed by the defendant. However, the court did not see sufficient evidence of a breach of duty by the plaintiff that would have been causal for the defendant’s damage. However, contributory negligence on the part of the customer could be relevant if the manipulated invoice differed from previous invoices.

The Higher Regional Court’s decision underlines the importance of appropriate security measures in digital business transactions. Companies must ensure that they take sufficient measures to protect personal data, especially when it comes to sensitive information such as bank details. Failure to do so may result in claims for damages under the GDPR or the German Civil Code.

Liability under the GDPR and BGB

A claim for damages under Art. 82 GDPR presupposes that the processing of personal data culpably violated the provisions of the GDPR, the data subject suffered damage and there is a causal link between the unlawful processing and the damage. In addition to the GDPR, Section 280 of the German Civil Code (BGB) may also be relevant if the company has breached its contractual obligations by failing to provide sufficient protection against manipulation.

The decision of the Higher Regional Court shows that liability under the GDPR is not automatically given if unauthorized access to personal data takes place. Rather, the controller must prove that it has taken all reasonable measures to protect the data. End-to-end encryption is considered the standard for protecting personal data in email traffic.

A claim for damages under Section 280 BGB requires that the company has breached a contractual obligation and that this breach was causal for the damage. In cases of invoice manipulation, this may mean that the company did not provide sufficient protection against unauthorized access to emails. The burden of proof for a breach of duty generally lies with the injured party, unless there are indications that the company was at fault.

The decision of the Higher Regional Court also emphasizes that contributory negligence on the part of the customer can be taken into account in accordance with Section 254 BGB if the customer has not sufficiently checked the manipulated invoice. This can significantly reduce the claim for damages.

Safety measures and practice

The Higher Regional Court emphasizes that pure transport encryption is not sufficient when sending emails with personal data, especially if there is a high financial risk. End-to-end encryption is recommended as an appropriate measure. Companies must prove that they have taken appropriate security measures to protect personal data from unauthorized access.

The decision underlines the importance of adequate security measures in digital business transactions and serves as an important precedent for the liability of companies in such cases. Companies should regularly review and adapt their security measures to ensure that they comply with the requirements of the GDPR.

In practice, this means that companies should not only rely on transport encryption, but must also ensure that the entire communication chain is secured. This can be achieved by implementing end-to-end encryption solutions that ensure that only the authorized recipient can read the message.

In addition, companies should conduct regular training for their employees to ensure that they are familiar with the security measures and know how to react to suspicious emails. A well-thought-out security concept can help to minimize liability in the event of manipulation.

Conclusion and recommendation for action

The decision of the Schleswig-Holstein Higher Regional Court underlines the importance of appropriate security measures in digital business transactions. Companies are obliged to take suitable measures to protect their customers from manipulation. Failure to do so may result in claims for damages under the GDPR or the German Civil Code (BGB). This decision serves as an important precedent for the liability of companies in such cases, with many affected parties referring to the judgment of the Karlsruhe Higher Regional Court of July 27, 2023 (19 U 83/22), which is not always applicable. Such cases often reveal a lack of technical knowledge on the part of judges, who do not fully grasp the complexity of digital security measures. It is therefore crucial that those affected consult a lawyer who has both legal and technical expertise.

If you have paid a counterfeit invoice and are now being asked to pay again because the first payment did not have a fulfillment effect, you should contact me. With my experience and access to technical experts, I can ensure that all relevant aspects are taken into account to effectively represent your rights. Together, we can successfully assert your claims and ensure that you receive the compensation to which you are entitled. Do not hesitate to contact me to protect your interests in the best possible way.

5.0 60 reviews

Mikael Hällgren ★★★★★ vor einem Monat
I got fantastic support from Marian Härtel. He managed to get my wrongfully suspended Instagram account restored. He was … Mehr incredibly helpful the whole way until the positive outcome. Highly recommended!
Lennart Korte ★★★★★ vor 2 Monaten
Ich kann Herrn Härtel als Anwalt absolut weiterempfehlen! Sein Service ist erstklassig – schnelle Antwortzeiten, effiziente … Mehr Arbeit und dabei sehr kostengünstig, was für Startups besonders wichtig ist. Er hat für mein Startup einen Vertrag erstellt, und ich bin von seiner professionellen und zuverlässigen Arbeit überzeugt. Klare Empfehlung!
R.H. ★★★★★ vor 3 Monaten
Ich kann Hr. Härtel nur empfehlen! Er hat mich bei einem Betrugsversuch einer Krypto Börse rechtlich vertreten. Ich bin sehr … Mehr zufrieden mit seiner engagierten Arbeit gewesen. Ich wurde von Anfang an kompetent, fair und absolut transparent beraten. Trotz eines zähen Verfahrens und einer großen Börse als Gegner, habe ich mich immer sicher und zuversichtlich gefühlt. Auch die Schnelligkeit und die sehr gute Erreichbarkeit möchte ich an der Stelle hoch loben und nochmal meinen herzlichsten Dank aussprechen! Daumen hoch mit 10 Sternen!
P! Galerie ★★★★★ vor 4 Monaten
Herr Härtel hat uns äusserst kompetent in einen lästigen Fall mit META betreut. Er war effizient, beharrlich, aber auch mit … Mehr uns geduldig. Menschlich top, bis wir am Ende Dank ihm erfolgreich zum Ziel gekommen sind. Können wir wärmstens empfehlen. Und nochmals danke. P.H.
Mosaic Mask Studio ★★★★★ vor 5 Monaten
Die Kanzlei ist immer ein verlässlicher Partner bei der Sichtung und Bearbeitung von Verträgen in der IT Branche. Es ist … Mehr stets ein professioneller Austausch auf Augenhöhe.
Die Ergebnisse sind auf hohem Niveau und haben die interessen unsers Unternehmens immer bestmöglich wiedergespiegelt.
Vielen Dank für die sehr gute Zusammenarbeit.
Philip Lucas ★★★★★ 9 months ago
Wir haben Herrn Härtel für unser Unternehmen konsultiert und sind äußerst zufrieden mit seiner Arbeit. Von Anfang an hat … Mehr er einen überaus kompetenten Eindruck gemacht und sich als ein sehr angenehmer Gesprächspartner erwiesen. Seine fachliche Expertise und seine verständliche und zugängliche Art im Umgang mit komplexen Themen haben uns überzeugt. Wir freuen uns auf eine langfristige und erfolgreiche Zusammenarbeit!
Doris H. ★★★★★ 11 months ago
Herr Härtel hat uns bezüglich eines Telefonvertrags beraten und vertreten. Wir waren mit seinem Service sehr zufrieden. Er … Mehr hat stets schnell auf unsere E-mails und Anrufe reagiert und den Sachverhalt einfach und verständlich erklärt. Wir würden Herrn Härtel jederzeit wieder beauftragen.Vielen Dank für die hervorragende Unterstützung
Philipp Skaar ★★★★★ 9 months ago
Als kleines inhabergeführtes Hotel sehen wir uns ab und dann (bei sonst weit über dem Durchschnitt liegenden Bewertungen) … Mehr der Herausforderung von aus der Anonymität heraus agierenden "Netz-Querulanten" gegenüber gestellt. Herr Härtel versteht es außerordentlich spür- und feinsinnig, derartige - oftmals auf Rufschädigung ausgerichtete - Bewertungen bereits im Keim, also außergerichtlich, zu ersticken und somit unseren Betrieb vor weiteren Folgeschäden zu bewahren. Seine Umsetzungsgeschwindigkeit ist beeindruckend, seine bisherige Erfolgsquote = 100%.Ergo: Unsere erste Adresse zur Abwehr von geschäftsschädigenden Angriffen aus dem Web.