A ruling by the Munich Higher Regional Court (OLG) shows the fatal consequences of forwarding work emails to a private email account: The court confirmed the termination without notice of a member of the Management Board for a serious breach of the GDPR.
Termination without notice after forwarding confidential emails
The decision of the OLG Munich of July 31, 2024 (case no. 5 HK O 14476/21) deals with the extraordinary termination without notice and dismissal of a member of the management board of a former stock corporation (AG), which has since been converted into a GmbH. The plaintiff, a former member of the management board, filed a lawsuit against the dismissal and termination of his management board employment contract.
The case mainly revolved around the forwarding of confidential emails from the company by the board member to his private GMX account.
Serious GDPR breach is sufficient for termination without notice
The court found that the repeated forwarding of confidential information to the plaintiff's private email account constituted a serious breach of data protection regulations, in particular the General Data Protection Regulation (GDPR). These violations constituted good cause for termination without notice in accordance with Section 626 BGB.
"The fact that the forwarded emails contained extremely sensitive data (commission plans, salary and commission statements, compliance processes, disputes between board members of the defendant), in the confidentiality of which the defendant had a very high interest and which not only related to the relationship between the parties, but also concerned third parties (in particular the employee ...), who could assume that their data would not end up on private email accounts such as the plaintiff's", explains the OLG Munich.
Even without passing on the data to unauthorized third parties, the court found a serious breach of the duty of care pursuant to Section 93 (1) AktG, which was reflected in particular in the disregard of data protection regulations. The plaintiff had used his private e-mail address in CC in at least nine cases without obtaining the corresponding consent.
Reading tip: ECJ ruling on GDPR fines: What discretion does a data protection authority have?
After OLG ruling: consequences for companies
The decision of the Munich Higher Regional Court has far-reaching consequences for companies, in particular for their management boards, managing directors and supervisory boards:
- Strict compliance with the GDPR:
Companies must ensure that board members and managing directors strictly observe the provisions of the GDPR. The unauthorized forwarding of personal data, in particular confidential company information, can constitute an important reason for termination. Management boards are obliged to take appropriate measures to ensure compliance with data protection regulations in their companies. - Responsibility of supervisory bodies:
Supervisory boards and shareholders' meetings must act quickly if there is a reason for termination and ensure that the collegial body is convened without delay. A delay can result in the two-week period of Section 626 (2) BGB expiring, which could jeopardize the effectiveness of a termination without notice. - Internal guidelines on data security:
Companies should develop internal guidelines that clearly regulate the handling of sensitive data. This also includes defining sanctions in the event of breaches. These guidelines should be communicated regularly and accompanied by training. - Weighing up the proportionality of dismissals:
The court has once again confirmed that a serious breach of duty can justify termination without notice even in the case of long-standing and successful activities by a member of the Management Board if the company's trust in the Management Board has been destroyed. This shows that a careful weighing of interests is required, in which the severity of the breach of duty is particularly important.
Management boards must also comply with the GDPR
The ruling by the Munich Higher Regional Court makes it clear that data protection now also plays a central role for board members. Companies are well advised to draw up clear guidelines for handling confidential data and to consistently monitor compliance with them. For board members and managing directors, this means that data protection violations can have considerable personal and professional consequences - up to and including termination without notice.
Source: OLG Munich, final judgment of 31.07.2024 - 7 U 351/23 e