Scalable Capital ordered to compensate data subject for non-material damages

Summary

Upon registration as a customer at Scalable Capital, individuals provided a range of personal data that was later compromised in a data breach. Attackers were able to gain access to Scalable Capital's entire IT system by acquiring access information from the firm's former IT service provider, CodeShip Inc. As a result, the attackers gained access to a range of personal data, including the data subjects' first and last name, title, address, email address, mobile phone number, nationality, marital status, tax residence and tax ID, IBAN, copy of identity card, and portrait photo. These third parties accessed the data on three separate occasions between April and October 2020, stealing a total of 389,000 records from 33,200 affected individuals.

Although CodeShip Inc. had ceased providing IT services to Scalable Capital in late 2015, the access data to Scalable Capital's system had never been changed. The stolen personal data was subsequently used to obtain loans and was also offered for sale on the dark web.

The Decision of the Court of LG Bonn

The Court of LG Bonn ordered the controller to pay 2,500 EUR to the data subject for the following violations:

• The controller failed to implement organizational measures to ensure an appropriate level of data protection by not excluding CodeShip from access to their digital document archives immediately after the termination of their business relationship (GDPR, Articles 31(1) and 5(1)(f)).

• The Court found that the data breach had caused non-material damage to the affected individuals, such as feelings of uncertainty, loss of trust, and anxiety about potential misuse of their personal data. Therefore, the Court ordered compensation for non-material damage (GDPR, Article 82(1)).

Our remarks

• The case signifies that the German Court applies a broad interpretation of the right to compensation for non-material damages. A data controller could be held liable for such damages that might result from a data breach within its responsibility.

• When doing a risk assessment, take into account the nature and severity of a possible infringement.

• In this case, even though there was no evidence of existing fraud or misuse of the personal data, the personal data involved in the breach was so comprehensive that the risk of future material damage was taken into account.

• To avoid being held liable for inflicting non-material damages or the risk of future material damages as a result of a data breach, it is important to ensure the adequacy of technical and organizational security measures:

  ° Make sure that only current third-party business relations have access to your systems. Conduct regular security assessments and penetration testing to identify vulnerabilities in your system and organization (including partners) and implement adequate measures to address them.

  ° Monitor access to personal data, limit it to authorized personnel (internally as well as regarding third parties), and revoke access for those who no longer require access.

Published: 09-12-2021
Journal number: 31 O 16606/20
Tags: 05 Data Security, 08 Compensation for non-material damages

Complycloud EU GDPR Report