Germany: Forwarding Business Emails to A Private Account: A Clear Violation of the GDPR

Higher Regional Court of Munich, Judgment of July 31, 2024 – 7 U351/23

The judgment of the Higher Regional Court of Munich highlights the importance of data protection, particularly the GDPR, and clearly demonstrates its far-reaching impact on the working world. In the present case, the court decided that forwarding business emails to a private email account without appropriate permission constitutes a clear violation of the GDPR. This breach of duty can justify an extraordinary termination.

The Facts of the Case

In the case underlying the decision, a board member of a non-listed AG [NB: similar to an unlisted PLC in the UK] sent several emails to various recipients, including his co-board member, an employee of the sister company, and the company's tax consulting firm. The emails included, among other things, overviews of payroll statements, revenue figures, and the minutes of an internal meeting. The board member sent all these emails from his business email account but included his private email address in the CC field.

After the company became aware of the circumstances, the supervisory board decided to remove the board member from the board and to terminate the board service contract for cause without notice. The board member filed a lawsuit against this decision.

The Decision

The Higher Regional Court of Munich ruled that forwarding emails to a private account constitutes a violation of the GDPR. Furthermore, this constitutes an important reason within the meaning of sec. 626 para. 1 of the German Civil Code (BGB), which is required for a valid extraordinary termination.

A violation of the GDPR does not necessarily constitute an important reason within the meaning of sec. 626 para. 1 BGB, but it does at least when sensitive data of the company or third parties are involved. The forwarded emails contained such data.

According to Art. 5(1)(f) GDPR, personal data must be processed in a manner that ensures appropriate security of the data. Since private email accounts generally do not have the same security standards as business email accounts, forwarding emails containing such data to a private email account poses a significant risk to the security and confidentiality of the data. This creates the risk that unauthorized third parties may gain access to this data.

The forwarding of emails by the board member constitutes a breach of the duty of care under sec. 93 para. 1s. 1 of the German Stock Corporation Act (AktG), which requires the board to ensure compliance with legal provisions. The forwarding of emails to the private account and their storage there constitutes processing within the meaning of Art. 4(2) GDPR, which was not covered by the consent of the data subject under Art. 6(1)(a) GDPR. Forwarding was also not necessary to protect the legitimate interests of the board member.

The forwarding of emails cannot be justified by the fact that he forwarded only emails that were indispensable due to worrying changes in the company to later prove that the board member himself did not make any mistakes leading to liability. Prophylactic self-help is not necessary because the board member had access to the documents during his term of office and had a right of inspection under sec. 810 BGB after his removal.

The Higher Regional Court classified the forwarding of emails as grossly negligent and recognized it as a significant breach of duty by the board member. The court found the extraordinary termination to be effective, as repeated and systematic disregard of data protection regulations constitutes a serious breach of trust.

Conclusion

The judgment highlights the increasing relevance of data protection in employment relationships. The decision makes it clear that violations of the GDPR can have labor law consequences. Both employers and employees are obliged to handle personal data carefully. To avoid legal violations, employers are encouraged to create guidelines that instruct employees on how to handle data. Such a guideline should also regulate the forwarding of emails, and it is recommended to generally prohibit forwarding to a private email account.