Scalable Capital – Court Ruling (Germany, 2021)

Court Ruling
DPA LG München, 9 December 2021, Germany
final

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Scalable Capital had a data breach where hackers accessed sensitive customer information, including ID photos and financial details. This breach happened because old access credentials from a former IT service provider were never updated. The court ordered Scalable Capital to pay €2,500 in damages for not securing customer data properly.

What happened

Scalable Capital suffered a data breach due to outdated access credentials, exposing sensitive customer data.

Who was affected

Customers of Scalable Capital whose personal and financial information was accessed by unauthorized parties.

What the authority found

The court ruled that Scalable Capital failed to implement adequate security measures, violating GDPR's data protection requirements.

Why this matters

This case highlights the importance of regularly updating security credentials, especially when changing service providers. It serves as a warning to companies to ensure robust data protection measures are in place to avoid similar breaches.

GDPR Articles Cited

Art. 5(1)(f) GDPR
Art. 82 GDPR
Art. 32(1) GDPR
Art. 82(1) GDPR
Art. 82(3) GDPR
Art. 82(4) GDPR
Decision Authority: LG München
Full Legal Summary

The controller is Scalable Capital, a financial services company through which customers can invest in shares etc. The data subject is a customer of this company. Upon registration, they provided numerous personal data to the controller, inter alia a photo of their ID card.

On 19.10.2020, the controller informed the data subject of a data breach. Unauthorised third parties had acquired access to the following personal data of the data subject: first and last name, title, address, e-mail address, mobile phone number, place of birth, place and country of birth, nationality, marital status, tax residence and tax ID, IBAN, copy of identity card, and portrait photo, which was taken in the Post-Ident procedure. Moreover, this data was accessed by these third parties on three separate occasions in the period from April to October 2020. In total, these third parties had copied and stolen 389,000 records of 33,200 affected persons.

The attackers were able to access the whole IT system of the controller because they had acquired the access information via the controller's former IT service provider, CodeShip Inc. Although this service provider had no longer provided IT services to the controller since late 2015, the access data to the controller's system had never been changed. The stolen personal information was used to obtain loans and was offered for sale on the Darknet.

Because the data subject feared identity theft and other fraud, they brought the action before the Court and claimed compensation pursuant to Article 82(1) GDPR, because the controller violated Article 32(1) GDPR. The Court upheld the appeal and ordered the controller to pay €2,500 as non-material damages to the data subject. First, the Court considered that the controller violated Article 32(1) and Article 5(1)(f) GDPR because it failed to implement sufficient organisational measures to ensure an appropriate level of data protection. In this regard, the Court considered Article 82(4) GDPR and noted that it is irrelevant whether the security d

Outcome

Court Ruling

A ruling by a national court on a data-protection matter.

Violations (1)

Third-Party Cookies Without Consent
critical

Third-party tracking cookies or scripts are loaded without obtaining prior user consent.

Art. 13, 14 GDPR

Related Cases (0)

No other cases found for Scalable Capital in DE

This is the only recorded case for this entity in this jurisdiction.

Details

Ruling Date

9 December 2021

Authority

DPA LG München

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Scalable Capital - Germany (2021). Retrieved from cookiefines.eu
