Necessary due diligence under data protection law upon contract termination

A data leak occurring at a service provider can have significant consequences despite the contract having ended long before.

A now final judgment by the Regional Court of Munich (of December 9, 2021 – 31 O 16606/20) shows the possible consequences if a company does not monitor data erasure, and clarifies the measures required to protect a company against claims.

A. Facts of the case: Scalable - Regional Court of Munich I, Final Judgment of December 9, 2021 - 31 O 16606/20

The defendant is an online broker. On October 16, 2020, following a customer enquiry, the company determined that there had been three instances of unauthorized access of the user data of a total of 33,200 customers between April and October 2020.

This unauthorized data access was possible because a former contractual partner of the company held access credentials for the whole IT system and had not erased this at the end of the contract. Using this access credentials, an unknown attacker was able to access the customer documents in the document archive without needing to override the implemented IT security system.

The company had neither changed this access credentials at the end of the business relationship, nor had it ensured that it had been erased.

The Munich judges considered this to be an infringement of the obligation arising from Art. 32 GDPR and Art. 5 GDPR.

Art. 32 GDPR stipulates that appropriate technical and organizational measures must be taken to ensure a level of security appropriate to the risk. The requirements and stipulations for the lawful and secure handling of data can further be extracted from Art. 5(1)(f) GDPR, recitals 39 and 78 GDPR and the Annex to Section 9 BDSG [German Federal Data Protection Act] 2003. (cf. Kühling/Buchner/Herbst, 3rd ed. 2020, DS-GVO Art. 5 recital 76)

In particular, recital 39 of the GDPR specifies that personal data should be processed in such a way that ensures their security and confidentiality, which includes ensuring that unauthorized persons do not have access to the data and cannot use either the data or the devices on which they are processed.

The company defended itself by claiming that its technical and organizational measures were appropriate. During the whole business relationship, the company used a secure and standardized IT infrastructure which included, inter alia, application and database servers, storage capacities, redundancy systems and backup solutions. The IT infrastructure underlying the document archive is also certified according to IEC 27001:2013, 27017:2015, 27018:2019, ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1. (Regional Court of Munich I, 31 O 16606/20, recital 23)

However, it was indisputable and decisive that the company had not changed the service provider’s access credentials after the end of the business relationship. Due to the quality and sensitivity of the stored data, the company should not have relied on the service provider completely and permanently erasing the access credentials. As the company had not verified such erasure, it was negligent in leaving the access credentials unchanged since the end of the business relationship with the service provider.

Therefore, the Court affirmed an infringement of the GDPR and awarded the plaintiff, whose data had already been made available on the dark web, a payment claim in the amount of €2,500 in compensation for non-material damage. It was further determined that the company is obligated to compensate the plaintiff for any future material damage that the plaintiff may incur due to the unauthorized access of the data archive in the period from April to October 2020.

In parallel proceedings, the Regional Court of Cologne handed down a decision that was also favorable to the data subject (judgment of May 18, 2022 – 28 O 328/21). In this case, the Court only awarded the plaintiff a claim in the amount of €1,200, as the data subject’s data had not been made available on the dark web.

B. Summary/Implications for practice

As the judgments show, data subjects can be awarded a claim – despite comprehensive IT security measures on the part of the controller – in the event of an organizational error, such as failing to verify the erasure of data at the end of a business relationship or to change such access credentials.

Even if the damage compensation claims are low individual amounts, the total damage for the company can rapidly reach massive amounts. This is especially likely in the event of a wave of lawsuits. Individual amounts can multiply rapidly in this case. For this reason, controllers should be cautious and not rely on former contractual partners erasing access credentials. To stay on the safe side, in addition to the necessary verifications, access information to the IT security system should be changed at the end of a business relationship in order to avoid liability for damages. This is of significant interest to companies, as fines could be added to the private claims.