The Munich Higher Regional Court clarified in its ruling of 31.07.2024 under file number 7 U 351/23 that forwarding work emails to private email addresses without the consent of the person concerned can constitute a serious breach of data protection law.
The case shows how quickly managers and employees can find themselves in legal gray areas if they handle personal data carelessly.
Young start-ups in particular often do not take these requirements and problems seriously enough. Yet even in the agile start-up world, neglecting data protection creates problems from a purely formal legal perspective.
It is high time to familiarize yourself with the legal principles and rethink how you handle personal data.
After all, ignorance of the law is no excuse, and the consequences can threaten the existence of a young company.
The facts of the case: Management Board member systematically forwards business emails to private account
In the case decided by the Munich Higher Regional Court, a board member of an AG had forwarded business emails with sensitive content such as salary statements, employee commission claims, contracts with customers and compliance matters to his private email address in at least 9 cases.
According to the board member, this was done in consultation with the former CEO.
The Supervisory Board of the AG then revoked the appointment of the Management Board member and terminated his Management Board employment contract without notice.
What at first glance sounds like an internal matter turned out to be a serious breach of data protection.
Even if the forwarding may have been done without malicious intent, the board member should first have obtained the consent of the persons concerned.
Especially in start-ups, where there is often a relaxed culture of communication and hierarchies are flat, the temptation to neglect data protection regulations is great.
However, this case makes it clear that extreme caution is required.
Even if you think you are acting in the interests of the company, careless forwarding can have serious consequences.
The decision of the OLG Munich: Violation of the GDPR
The Munich Higher Regional Court ruled in favor of the Supervisory Board.
The forwarding of the emails to the board member's private account constituted a breach of the General Data Protection Regulation (GDPR).
According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person.
The forwarding and storage of emails containing such data on private servers is therefore only permitted with the consent of the data subject or where a legal basis permits it.
The court clarified that it does not matter whether the forwarding takes place in a professional or private context.
The only decisive factor is that personal data was processed without justification.
For many start-ups, this interpretation may seem strict, but it is in line with the spirit of the GDPR, which focuses on the protection of personal data.
Founders and their employees must therefore be aware of their responsibility and handle data with care.
The significance of the ruling for start-ups
The ruling makes it clear that the handling of personal data requires the utmost caution.
Many founders and employees in start-ups are not aware of the data protection relevance of seemingly harmless forwarding of business emails to private addresses.
By now at the latest, however, everyone should be aware that even a single email can contain sensitive personal data, the unauthorized processing of which can have serious legal consequences.
Especially in the start-up context, it is important to always ask yourself whether you are authorized to forward an email to private accounts.
Even if you believe you are acting in the interests of the company, careless forwarding can be seen as a breach of data protection.
It is therefore important to raise awareness of the sensitivity of personal data. If in doubt, it is better to ask one question too many than one too few.
After all, the consequences of a data protection breach can threaten a company's existence, especially for a young company.
Everything is conceivable, from warnings and claims for damages to severe fines.
Conclusion:
Before forwarding a business email to a private email address, you should always ask yourself whether you are authorized to do so.
If in doubt, it is better to ask too many questions than risk a data protection breach.
As this case shows, even a careless forwarding or the mere inclusion of a private email address in CC can be expensive.
Start-ups are well advised to make their employees aware of this issue and to establish clear rules for handling personal data.
This is the only way to prevent supposedly harmless actions from having far-reaching legal consequences.
Especially in times when data protection is becoming increasingly important, it is essential to familiarize yourself with the applicable regulations and to live by them in your day-to-day work.
Only by handling data responsibly can legal risks be minimized and the trust of customers and business partners strengthened.
In this sense, the ruling of the Munich Higher Regional Court should be seen as a wake-up call to take data protection obligations seriously and to exercise the utmost care when handling personal data, especially in the agile start-up world.