Worried About the DATEV Breach? What the 2026 Payroll Error Means for Your Business
As an advisor in the technical and compliance space, I want to bring your attention to a critical incident involving DATEV, a major software provider for tax advisors and auditors. Between January 8 and 9, 2026, a malfunction in their LODAS payroll module caused significant service disruptions. More alarmingly, this technical failure triggered a serious GDPR data privacy breach, where sensitive client payroll data was misdirected to unrelated users.
If your firm uses DATEV for payroll processing, you need to understand exactly what happened and your responsibilities regarding data protection.
What Happened: The Technical Breakdown
The core issue originated in DATEV’s LODAS payroll module. One of its functions is the cloud-based payroll test run, which firms rely on to verify payroll accuracy before the final submission deadline (typically the 10th of the month).
- Initial Failure: On January 8, users reported that test payroll runs submitted to the cloud were not returning results; the job status remained stuck on “under analysis.”
- Failed Workaround: DATEV applied a temporary fix to force delivery of the stuck test runs.
- Data Leak: This workaround apparently corrupted the cloud cache or the assignment of results to clients. Instead of receiving their own data, users began downloading complete payroll test results belonging to entirely different companies.
This cross-client contamination exposed sensitive employee data (salaries, tax identification numbers, home addresses) to unauthorized third parties. The service disruption was resolved by the evening of January 9, but the privacy implications remain acute: the foreign results had already been downloaded, and restoring the service does not undo that exposure.
The GDPR Implication: Who Is Responsible?
This incident creates a layered liability scenario under the General Data Protection Regulation (GDPR). DATEV acts as a data processor, and a processor’s duty is to notify the controller without undue delay once it becomes aware of a breach. The notification duties toward the supervisory authority and toward the affected individuals rest with the data controller, in this case the tax advisory or law firm, or the company, that uses the software.
Here is how the responsibility matrix generally applies:
- DATEV’s Role: DATEV has admitted the error and stated it will inform the competent data protection supervisory authority (for a Nuremberg-based provider, the Bavarian authority BayLDA). It has also begun notifying the affected firms.
- The Tax Advisor/Law Firm’s Role: If you received data meant for another firm, or if your clients’ data was sent elsewhere, assess your reporting obligations. You will likely need to inform the affected clients so that they can notify their employees.
- The Company’s Role: If you use LODAS directly, you are the data controller. Unless the breach is unlikely to result in a risk to the individuals concerned, you must notify the competent data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it; where the risk is high, you must also inform the affected employees. Leaked salaries, tax IDs and home addresses should be treated as meeting both thresholds.
Why This Matters for Cloud Security
This incident highlights a failure mode that is specific to centralized, multi-tenant cloud processing. In a single-tenant on-premises installation, each firm’s data sits in its own database on its own systems, so a caching error cannot hand one firm another firm’s payroll results. In shared cloud infrastructure, a single cache or assignment error can serve one client’s results to another, and it does so at the scale of the platform rather than of one firm.
While DATEV is a reputable provider with high security standards, this event shows that no system is immune to error, and that in a shared platform the blast radius of an error is the platform’s whole customer base rather than a single installation.
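To make the failure mode concrete, here is an added illustration (my own example code, not DATEV’s architecture; the page does not disclose the real root cause, and the tenant names, job numbers and cache classes are constructed for the demonstration). It contrasts a result cache keyed only on a job number with one whose key includes the tenant and which re-checks the owner of every entry it returns. Two firms whose per-tenant job numbers collide are enough to reproduce the cross-client mix-up in the first design; the second design cannot serve the wrong firm even if an entry has been mis-assigned:

```python
from __future__ import annotations

from dataclasses import dataclass


class TenantMismatch(Exception):
    """Raised when a cached entry does not belong to the tenant asking for it."""


@dataclass(frozen=True)
class TestRunResult:
    tenant: str   # the firm / Mandant that submitted the test run (constructed label)
    job_id: str   # per-tenant job number; NOT globally unique
    payload: str  # stands in for the payroll result file


class UnscopedResultCache:
    """Keyed on job_id alone. Two tenants whose job numbers collide overwrite
    each other, and get() hands back whatever sits under that id."""

    def __init__(self) -> None:
        self._store: dict[str, TestRunResult] = {}

    def put(self, result: TestRunResult) -> None:
        self._store[result.job_id] = result

    def get(self, tenant: str, job_id: str) -> TestRunResult | None:
        return self._store.get(job_id)  # tenant is ignored: this is the bug


class TenantScopedResultCache:
    """Key includes the tenant, and the entry's owner is re-verified on read, so
    even a corrupted or mis-assigned entry cannot be served to the wrong tenant."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str], TestRunResult] = {}

    def put(self, result: TestRunResult) -> None:
        self._store[(result.tenant, result.job_id)] = result

    def get(self, tenant: str, job_id: str) -> TestRunResult | None:
        result = self._store.get((tenant, job_id))
        if result is not None and result.tenant != tenant:
            # Defense in depth: the key says "tenant", the stored entry says otherwise.
            raise TenantMismatch(f"entry for {result.tenant} requested by {tenant}")
        return result


def simulate(cache) -> dict[str, str | None]:
    """Two firms submit test runs that happen to carry the same job number,
    then each firm fetches 'its' result. Returns whose data each firm received."""
    cache.put(TestRunResult("Kanzlei-A", "4711", "payroll of A's client"))
    cache.put(TestRunResult("Kanzlei-B", "4711", "payroll of B's client"))
    received: dict[str, str | None] = {}
    for tenant in ("Kanzlei-A", "Kanzlei-B"):
        r = cache.get(tenant, "4711")
        received[tenant] = r.tenant if r else None
    return received


def corrupted_entry_is_refused(cache: TenantScopedResultCache) -> bool:
    """Plant a mis-assigned entry (the kind of corruption a bad workaround can
    leave behind) and confirm the read-side check refuses to serve it."""
    cache._store[("Kanzlei-A", "0815")] = TestRunResult("Kanzlei-B", "0815", "payroll of B's client")
    try:
        cache.get("Kanzlei-A", "0815")
    except TenantMismatch:
        return True
    return False


if __name__ == "__main__":
    print("unscoped:", simulate(UnscopedResultCache()))   # Kanzlei-A receives Kanzlei-B's data
    print("scoped:  ", simulate(TenantScopedResultCache()))
    print("corrupted entry refused:", corrupted_entry_is_refused(TenantScopedResultCache()))
```

The point is not the dictionary but the two controls: the tenant is part of every lookup key, and the owner stored with the data is checked again on the way out. The second control is what protects you when the first one is bypassed by an emergency fix.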
Recommended Actions
If you suspect your data was involved in the January 2026 DATEV incident, take these steps immediately:
- Check Notifications: Review all communications from DATEV to see if your firm was flagged as an affected party.
- Verify Download Logs: Review your download history for January 8–9 and look for test-run results or other files that do not belong to any of your clients (an unfamiliar client number or company name in the file name or contents). Do not open or forward such files beyond what is needed to identify them. Record the file names, the client or company they belong to and who accessed them, and report this to DATEV so the affected firm can be notified; then delete the files and document the deletion (file name, hash, date, person). Check the reverse case too: whether any of your own clients’ results reached another firm.
- Consult Legal Counsel: Determine whether you must file a report with your state data protection authority to remain compliant, and if so file it within the 72-hour window.
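The log review above can be scripted. The following Python is an added example written for this article, not a DATEV tool: it parses a download log, flags every download in the incident window whose client (Mandant) number is not one of your own, and produces a deletion record with the file hash taken before the file is removed. The log layout (“timestamp;user;filename”), the file-name pattern the Mandant is read from, the client numbers and the log lines themselves are all constructed assumptions for the example; adapt the parser to your actual export.

```python
from __future__ import annotations

import hashlib
import json
import re
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Client (Mandant) numbers this firm legitimately processes. Constructed values.
OWN_MANDANTEN = {"12345", "12346", "20010"}

# Incident window given in the article.
WINDOW = (date(2026, 1, 8), date(2026, 1, 9))

# Constructed download-log excerpt. The "timestamp;user;filename" layout and the
# file-name pattern are assumptions for this example, not DATEV's real formats.
SAMPLE_LOG = """\
2026-01-07T12:00:00;weber;Jahresabschluss_M20010.pdf
2026-01-08T16:12:03;mueller;Probeabrechnung_M12345_2026-01.pdf
2026-01-08T17:40:51;mueller;Probeabrechnung_M99881_2026-01.pdf
2026-01-09T09:05:22;schmidt;Probeabrechnung_M12346_2026-01.pdf
2026-01-09T10:11:00;schmidt;Probeabrechnung_M40777_2026-01.pdf
2026-01-09T11:30:00;weber;export.csv
2026-01-10T08:00:00;schmidt;Probeabrechnung_M12345_2026-01.pdf
"""

# Assumed naming convention: "_M" followed by a five-digit Mandant number.
MANDANT_RE = re.compile(r"_M(\d{5})(?=[_.])")


@dataclass(frozen=True)
class Download:
    when: datetime
    user: str
    filename: str
    mandant: str | None  # None: could not be determined from the file name


def parse_log(text: str) -> list[Download]:
    rows: list[Download] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, filename = line.split(";", 2)
        m = MANDANT_RE.search(filename)
        rows.append(Download(datetime.fromisoformat(ts), user, filename, m.group(1) if m else None))
    return rows


def find_foreign_downloads(rows: list[Download], own=OWN_MANDANTEN, window=WINDOW) -> list[Download]:
    """Downloads inside the window whose Mandant is not one of ours.
    Files whose Mandant cannot be read are returned too: unverified is not safe."""
    start, end = window
    return [d for d in rows if start <= d.when.date() <= end and d.mandant not in own]


def deletion_record(d: Download, content: bytes, deleted_by: str) -> dict:
    """Evidence taken BEFORE the file is removed: hash and size prove what was
    deleted without retaining the foreign data itself."""
    return {
        "filename": d.filename,
        "downloaded_at": d.when.isoformat(),
        "downloaded_by": d.user,
        "foreign_mandant": d.mandant,
        "sha256": hashlib.sha256(content).hexdigest(),
        "size_bytes": len(content),
        "deleted_by": deleted_by,
        "deleted_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    # Constructed stand-ins for the downloaded files; real tooling reads them from disk
    # and calls os.remove() only after the record has been written.
    files = {
        "Probeabrechnung_M99881_2026-01.pdf": b"test run of a firm that is not ours",
        "Probeabrechnung_M40777_2026-01.pdf": b"another foreign test run",
        "export.csv": b"unknown origin, treat as foreign until verified",
    }
    for d in find_foreign_downloads(parse_log(SAMPLE_LOG)):
        print(json.dumps(deletion_record(d, files.get(d.filename, b""), deleted_by="dsb"), indent=2))
```

The records list the foreign Mandant numbers, which is exactly what DATEV needs from you to notify the firms whose data reached you. A file with no recognizable client number is flagged rather than ignored, because a log review that silently skips what it cannot classify is worse than none.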