Hacker attack: do customers need to be informed?

by Ramona

As already reported in the media, electronics retailer Conrad fell victim to a hacker attack. The cause was a security gap in the company's own IT systems, which allowed strangers to access a database with almost 14 million customer records over a period of several months. The customer records included the customers' postal addresses, e-mail addresses, fax numbers and IBAN numbers. The Bavarian State Office for Data Protection Supervision was also involved in this case.

From the point of view of the authorities, it was not necessary to notify the data subjects of this data protection incident. Nevertheless, the electronics retailer has decided to inform customers about this data protection incident on its website.

Do you have to inform data subjects about a hacker attack?

According to Art. 34 Para. 1 GDPR, data subjects only have to be informed about a data protection incident if it results in a high risk to their rights and freedoms. It is therefore necessary to make a predictive assessment of whether there is a high risk for those affected. Such an assessment is difficult, however, because the GDPR does not specify the criteria by which an incident is classified as "no risk", "an average risk" or "a high risk".

Note that you have to report the data protection incident to the supervisory authority if there is a normal risk! However, the data subject only has to be informed if the incident carries a high risk to their rights and freedoms. In such cases, it is necessary to weigh the company's loss of reputation against providing transparent information to those affected.

However, the supervisory authority's decision that the persons concerned did not have to be informed in this case cannot be fully understood. After all, the payment information of those affected has been disclosed to third parties, as well as e-mail addresses to which the hackers can send malware or phishing e-mails. From our point of view, this is a data protection incident that triggers a reporting obligation both to the supervisory authority and to the persons concerned.

This incident also shows how important IT security is in the company. Deficiencies in IT security can lead to the disclosure of millions of data records.
Our IT security team helps you to identify and ward off risks – for example by setting up an ISMS. Contact us!


Ramona has been with us since completing her training as an office management assistant, so she knows our service portfolio very well. She now not only supports our team in the back office but also assists our customers as a certified data protection officer. Service and solution orientation, flexibility and competence are her top priorities.