The Munich-based fintech company Scalable had to report a data leak in October 2020. In December 2021, the Munich Regional Court awarded a plaintiff damages for non-material loss. Scalable has now withdrawn the appeal it filed. What does this mean for data protection damages claims in the future?

Data leak at Scalable

Scalable Capital is an asset manager based in Munich. The company recently surpassed the ten billion euro mark in customer funds. The fintech company thus achieved rapid growth.

In October 2020, however, the successful company reported a data protection incident: unauthorized persons had gained access to personal data of 33,000 current and former customers. This involved data such as tax and custody account information, as well as addresses. This had been made possible by a security hole in the cloud environment. Apparently, however, there has not yet been any misuse of this data.

Judgment of the Munich Regional Court

In December 2021, a plaintiff won damages under the GDPR for non-material damage before the Munich Regional Court. He was a former customer of Scalable and affected by the data leak. The stolen data included: first and last name, title, address, email address, cell phone number, date, place and country of birth, nationality, marital status, tax residency and tax ID, IBAN, a copy of his ID, and a portrait photo taken during the Post-Ident procedure.

As a result of criminal investigations in the course of the civil proceedings, it came to light that the perpetrators had attempted to obtain credit with the stolen data and had offered the data on the Darknet.

The Munich Regional Court ruled in favor of the plaintiff and awarded him damages in the amount of €2,500. The damages were based on Article 82 of the GDPR. Scalable had violated Art. 32 GDPR (security of processing). It was irrelevant whether any security deficiencies of third-party companies whose services were used could be attributed to the controller. Rather, the accusation was that Scalable, as the controller, had not itself taken sufficient organizational measures to prevent the data loss in dispute.

Significance of the judgment

As has now become known, Scalable withdrew its appeal to the Munich Higher Regional Court in July of this year. The ruling is therefore the first legally binding judgment on damages due to a data leak. Even if it has no binding effect on other courts, it sends a clear signal.

The reluctance of German courts to award damages for non-material damage could thus decline significantly.
