On 31 July 2024, the German Higher Regional Court of Munich (OLG München) delivered a judgment providing key insights into the repercussions board members may face for violating the General Data Protection Regulation (GDPR). Although the primary legal question centered on the legality of an executive’s dismissal under German corporate and employment law, the court’s decision was heavily influenced by its determination that the executive had caused the company to engage in unlawful data processing, thereby breaching the GDPR. This blog post highlights the essential facts of the case and the court’s findings regarding the data protection issues involved.
Background
The case involved a board member of a German corporation who, over several months, systematically forwarded internal business emails to his private email account by adding his personal address in the CC field. These emails contained personal data and confidential information relating to the company and third parties, including a bank inquiry under anti-money laundering regulations, employee compensation claims, salary statements of a former board chair, plans for employee commissions, and internal disputes regarding responsibilities within the executive board.
The board member argued that he forwarded the emails for personal recordkeeping, anticipating potential use in his own legal defense. When the company discovered this practice, it immediately removed him from office and terminated his service contract based on a serious breach of duty.
GDPR Findings
The court held that the board member’s act of forwarding internal business emails to his private email account constituted processing of personal data under Article 4(2) GDPR, as it involved both the transmission and storage of personal data on an external server outside the company’s control.
The court further held that this processing was unlawful because none of the legal bases set out in Article 6(1) GDPR applied. In particular, the board member did not obtain the consent of the individuals whose personal data appeared in the emails—such as employees and fellow board members—and could not rely on the “legitimate interests” ground under Article 6(1)(f), since his stated purpose (retaining the data for possible future legal proceedings) was insufficient to outweigh the rights and interests of the data subjects.
The court emphasized that the emails included particularly sensitive information, such as salary statements, commission plans, and details about employees’ legal claims and internal board disputes, which aggravated the seriousness of the breach.
Under German corporate and employment law, the court found that the GDPR violation resulting from the board member’s actions justified both his removal from office and the summary termination of his service contract.
This decision underscores the significant data protection risks associated with forwarding business emails to personal accounts. While sometimes done for convenience or recordkeeping, the practice constitutes “processing” of any personal data the emails contain and is unlawful unless supported by a valid legal basis under Article 6(1) GDPR; as the court noted, it also places that data on a server outside the company’s control. Organizations should review and update internal policies regarding the use of personal email for work-related communications to ensure compliance with GDPR requirements.
* * *
Covington & Burling continues to monitor and advise companies on navigating EU data protection law. We closely monitor the decisions of the Court of Justice of the EU as well as significant rulings from national courts across the EU Member States. We are happy to assist you with any inquiries related to compliance with EU data protection law.