New requirements for email encryption when sending invoices

OLG Schleswig-Holstein tightens data protection standards

In its decision of 18 December 2024 (file no. 12 U 9/24), the Higher Regional Court of Schleswig-Holstein tightened the data security requirements for the electronic transmission of invoices.

Facts of the case

In the (German) case in question, a craftsman business (the plaintiff) had sent a final invoice to a private customer (the defendant) by email. However, the email, to which the invoice was attached in PDF format, was intercepted and manipulated by an unknown third party; in particular, the bank details were changed. The customer then transferred the invoiced amount (approx. €15,000) to the wrong account. When the craftsman business realised that payment had not been received, it dunned the customer.

The Regional Court of Kiel had initially decided in favour of the craftsman's business. However, the Higher Regional Court of Schleswig-Holstein overturned this decision and dismissed the claim.

Legal assessment

The court initially clarified that payment to an incorrect account does not constitute fulfilment of the payment obligation. However, the Higher Regional Court affirmed the customer's claim for damages under Art. 82 of the General Data Protection Regulation (GDPR) against the craftsman business.

At the core of the decision is the finding that the craftsman business had breached its obligations under Articles 5, 25 and 32 GDPR by not implementing sufficient technical protection measures when sending emails.

The court took a close look at the requirements of Art. 32 GDPR for suitable technical and organisational measures and came to the following conclusion:

"In the opinion of the Senate, [...] mere transport layer security in the exchange of business emails containing personal data between enterprise and customer is not sufficient for the customer, at least in view of the high financial risk existing here due to falsification of the attached invoice issued by the plaintiff, and cannot constitute 'appropriate' protection within the meaning of the GDPR. Rather, end-to-end encryption is currently the method of choice."

Reversal of the burden of proof in favour of the customer

The court's view regarding the burden of proof is also significant. According to Art. 82 (3) GDPR, the controller (here: the craftsman business) must prove that it is "in no way responsible for the event causing the damage". The craftsman business was unable to do so.

The court stated that an email which is only protected by transport layer security can be accessed by unauthorised third parties at various points: transport encryption secures only the connections between mail servers, so the message and its attachment sit in readable form on every server it passes through and in the mailboxes at either end. The craftsman business had not provided evidence that such access did not take place within its sphere of control.

Practical consequences

The Higher Regional Court of Schleswig-Holstein permitted an appeal as the question of the level of protection required when sending business emails containing personal data has not yet been clarified at supreme-court level. It therefore remains to be seen whether the German Supreme Court will confirm the strict requirements of the Higher Regional Court of Schleswig-Holstein.

Until then, however, companies are well advised to critically review their email encryption practices and, if necessary, switch to end-to-end encryption or alternative transmission channels in order to avoid risks.

If you have any questions, the KWR data protection team will be happy to assist you.
