It frequently happens that employees forward business emails to their private email accounts for various reasons. However,in Germany this is strictly prohibited. Such a violation can have severe consequences, as a board member of a public company painfully experienced (Ruling of the Higher Regional Court of Munich from July 31, 2024, Case No.: 7 U 351/23).
Forwarding of 9 Emails
A board member of a public company forwarded internal and partially confidential emails containing information about salaries, commission statements, and corporate operations to his private email account over an extended period. He included his private email address in CC, making the forwarding visible to other involved parties. When the supervisory board became aware of this behaviour, it immediately issued the board member’s dismissal without notice.
The Court Ruling
The Higher Regional Court (OLG) of Munich confirmed the legality of the dismissal without notice in its ruling on July 31, 2024. The court determined that forwarding business emails to a private account constitutes a violation of the EU General Data Protection Regulation (GDPR) and, therefore, represents a valid reason for immediate termination under § 626 (1) of the German Civil Code (BGB).
Although the court found no violation of the corporate confidentiality obligation under § 93 (1) sentence 3 of the German Stock Corporation Act (AktG)—as no trade secrets were disclosed to third parties—the board member breached his duty of care under § 91 (1) sentence 1 AktG, which requires lawful corporate governance.
The forwarding and storage of emails on a private account constitute processing as defined in Art. 4 No. 2 GDPR, which was conducted without the consent of the affected individuals.
Data Protection Assessment
Forwarding personal data, particularly sensitive information such as salaries and commission statements, to private email accounts constitutes data processing under Art. 4 No. 2 GDPR. This forwarding was neither covered by the data subjects’ consent (Art. 6 (1) lit. a GDPR) nor necessary to protect the legitimate interests of the claimant (Art. 6 (1) lit. f GDPR).
The claimant argued that he had proactively compiled documents to defend himself against potential liability claims from the company. However, the court stated that as long asthe board member was still in office, he had unrestricted access to relevant company documents. After his removal, he would still have had a statutory right to inspection under § 810 BGB if the documents were necessary for his defense.
Additionally, the risk of losing or destroying important documents was negligible, as the company is subject to commercial and tax law retention obligations.
Ultimately, the forwarding and storage of these emails were unlawful. Such actions compromise the confidentiality and security of data and may lead to unauthorized access. Companies are obliged to implement appropriate technical and organizational measures to ensure the protection of personal data. Employees, especially those in leadership positions, must be aware of this responsibility and strictly adhere to relevant guidelines.
Employees Should Be Cautious
This ruling highlights the importance of handling confidential corporate data with care. Employees should be aware that forwarding business emails to private accounts is generally considered a serious data protection violation. Depending on the circumstances, such actions can even lead to termination of employment.
However, unlike a board member, an employer must always assess whether a warning would be a more appropriate measure before terminating a regular employee. In most cases—especially if it is a first-time offense—termination is only to be expected if the forwarding was intentional or abusive.
Therefore, it is essential to understand and comply with internal corporate data protection policies to avoid both personal and legal risks.
Conclusion
The ruling of the Higher Regional Court of Munich makes it clear that the protection of confidential information and compliance with data protection regulations must be a top priority. Violations of these obligations can result in immediate termination, especially in top corporate positions. Employees should always handle sensitive data with the utmost care and strictly follow their employer’s internal policies.
