Scalable Capital – Court Ruling (Germany, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Scalable Capital, an online stockbroker, faced a court ruling after a data breach exposed customer information. The court found that Scalable Capital failed to secure its systems properly, a failure that could have led to identity theft. The company was ordered to pay €1,200 in damages to the affected customer.
What happened
A data breach allowed a third party to access a customer's personal information due to Scalable Capital's inadequate security measures.
Who was affected
A customer of Scalable Capital whose personal data was potentially accessed and misused during the breach.
What the authority found
The court ruled that Scalable Capital violated GDPR rules by not implementing proper security measures to protect personal data.
Why this matters
This case highlights the importance of strong security practices for companies handling personal data. It serves as a reminder that businesses can be held accountable for breaches that result from negligence.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The controller is Scalable Capital, an online stockbroker. The data subject is a customer of the controller. The controller informed the data subject about a data breach which had occurred on 19 October 2020. A third party had accessed parts of the data subject's personal information, potentially including personal, tax and contact data and their IBAN.
The breach was conducted by using the credentials of CodeShip Inc., a "Software as a Service" company which the controller had contracted in the past. The contract was terminated in 2015. After the termination, the controller did not delete or change the credentials of CodeShip Inc. The third party obtained the credentials by means of a cyber attack against CodeShip Inc. The third party used CodeShip’s – still valid – credentials three times between April and October 2020 to gain access to the controller's database. Some of the data obtained was supposedly used for identity theft or for other fraudulent behaviour. After the breach, the controller paid the data subject a one-year subscription to the identity protection service “meine SCHUFA Plus”.
The court ordered the controller to pay €1200 as non-material damages to the data subject. The court found that the controller violated Article 32(1) and Article 5(1)(f) GDPR because it had not implemented technical and organisational measures to ensure an appropriate level of security, especially in regards to “integrity and confidentiality”. The controller contributed to the data breach and potential identity theft by not deactivating or changing CodeShip’s credentials for several years. Although it could not be verified by the court that the data subject’s identity was fraudulently used by a third person, the court found that the risk alone establishes an immaterial damage pursuant to Article 82(1) GDPR. When assessing the amount of damages pursuant to Article 82(2) GDPR, the court considered as mitigating factors that the data was not used for any fraudulent behaviou
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Details
Ruling Date
18 May 2022
Authority
DPA LG Köln
About this data
Cite as: Cookie Fines. Scalable Capital - Germany (2022). Retrieved from cookiefines.eu