Geschäfts-E-Mails privat weiterleiten: DSGVO-Falle | IT-Medienrecht

Erfahren Sie, warum das Weiterleiten von Geschäfts-E-Mails an private Adressen eine DSGVO-Falle ist. Schützen Sie sich vor schwerwiegenden…

The Munich Higher Regional Court clarified in its ruling of July 31, 2024, under file number 7 U 351/23 that forwarding work emails to private email addresses without the consent of the person concerned can constitute a serious breach of data protection law. This case impressively shows how quickly managers and employees can find themselves in legal gray areas if they handle personal data carelessly. Young start-ups in particular often do not take these requirements seriously enough.

However, appearances are deceptive: even in the agile start-up world, significant formal legal problems can arise if data protection is neglected. It is high time to familiarize yourself with these legal principles and rethink how personal data is handled. Ignorance is no defense against punishment, and the consequences can threaten the existence of a young company.

Data Protection Warning: OLG Munich Rules Against Forwarding Work Emails to Private Accounts

The Case: Management Forwards Business Emails to Private Accounts

In the case decided by the Munich Higher Regional Court, a board member of an AG had forwarded business emails with sensitive content to his private email address. This included salary statements, employee commission claims, customer contracts, and compliance matters. This occurred in at least nine instances.

The board member claimed this was done in consultation with the former CEO. However, the Supervisory Board of the AG subsequently revoked the board member's appointment and terminated his employment contract without notice.

What initially seemed like an internal matter quickly became a serious breach of data protection. Even if the forwarding was done without malicious intent, the Executive Board should have obtained the consent of the persons concerned first. Especially in start-ups, where communication is often relaxed and hierarchies are flat, the temptation to neglect data protection regulations is great. This case, however, makes it clear that extreme caution is required. Careless forwarding can have severe consequences, even if done in the perceived interest of the company.

The Decision of the OLG Munich: Violation of the GDPR

The Munich Higher Regional Court ruled in favor of the Supervisory Board, determining that forwarding emails to a private account constituted a breach of the General Data Protection Regulation (GDPR). According to Art. 4 No. 1 GDPR, personal data includes any information relating to an identified or identifiable natural person.

The forwarding and storage of emails containing such data on private servers is only permitted with the data subject's consent or if there is a legal basis for permission. The court clarified that it does not matter whether the forwarding occurs in a professional or private context. The sole decisive factor is whether personal data was processed without justification.

For many start-ups, this interpretation may seem strict. However, it aligns with the spirit of the GDPR, which focuses on protecting personal data. Founders and their employees must therefore be aware of their responsibility and handle data with the utmost care.

The Significance of the Ruling for Start-ups

This ruling underscores that handling personal data requires extreme caution. Many founders and employees in start-ups are unaware of the data protection relevance of seemingly harmless actions, such as forwarding business emails to private addresses. Now, everyone should be aware of this critical issue.

Even a single email can contain sensitive personal data. Unauthorized processing of this data can lead to serious legal consequences. Especially in the start-up context, it is crucial to always question whether you are authorized to forward an email to private accounts. Even if you believe you are acting in the company's best interest, careless forwarding can be seen as a breach of data protection.

Therefore, it is essential to raise awareness about the sensitivity of personal data. When in doubt, it is always better to ask too many questions. The consequences of a data protection breach can be life-threatening for a young company, ranging from warnings and claims for damages to severe fines. Such actions can lead to severe consequences for young companies, including warnings and hefty fines.

Conclusion: Protecting Personal Data in the Workplace

Before forwarding a business email to a private address, always consider whether you are authorized to do so. If in doubt, asking too many questions is better than risking a data protection breach. As this case demonstrates, even a seemingly careless forwarding or the mere inclusion of a private email address in CC can prove costly.

Start-ups are well-advised to sensitize their employees to this issue and establish clear rules for handling personal data. This is the only way to prevent supposedly harmless actions from having far-reaching legal consequences. In an era where data protection is increasingly vital, it is essential to familiarize yourself with applicable regulations and adhere to them in daily work. Responsible data handling minimizes legal risks and strengthens trust with customers and business partners. The Munich Higher Regional Court's ruling serves as a wake-up call to take data protection obligations seriously and exercise the utmost care with personal data, particularly within the agile start-up world.