22.05.2025
An external service provider of the Berlin public transport company (BVG) has become the target of an IT attack. As a result, the perpetrators gained access to the personal data of up to 180,000 BVG customers. The company informed the affected persons as well as the Berlin data protection authority immediately after the incident and has thus fulfilled its information obligations under the GDPR.
In a public statement, the company announced that, as far as is currently known, no sensitive data such as account details or password information was affected. Nevertheless, the data protection incident could have even more far-reaching consequences for the company: affected customers have the option of asserting a claim for damages against BVG in accordance with Art. 82 para. 1 GDPR. Not long ago, the Federal Court of Justice (BGH) ruled that the hurdles for compensation for those affected by a so-called data leak must be significantly lowered (case reference: VI ZR 10/24 of 18 November 2024).
To ensure the security of personal data, it is particularly important in practice to develop an appropriate data protection and IT security concept. This is the only way to prevent potential data breaches. In addition, when working with external service providers, care must be taken to ensure that they themselves offer sufficient guarantees in accordance with Art. 28 para. 1 GDPR for the protection of personal data. "If these principles are not adhered to, the controller risks immaterial claims for damages due to data protection incidents," explains lawyer Zeynep Kenar. "Because even if the responsible body works with external service providers, it is liable to the outside world for possible data protection violations."