The Munich Higher Regional Court clarified in its ruling of 31.07.2024 under file number 7 U 351/23 that forwarding work emails to private email addresses without the consent of the person concerned can constitute a serious breach of data protection law. The case impressively shows how quickly managers and employees can find themselves in legal gray areas if they handle personal data carelessly. Young start-ups in particular often do not take these requirements and problems seriously enough, but appearances are deceptive: even in the agile start-up world, problems lurk from a purely formal legal perspective if data protection is neglected. It is high time to familiarize yourself with the legal principles and rethink how you handle personal data. After all, ignorance is no defense against punishment, and the consequences can threaten the existence of a young company.
In the case decided by the Munich Higher Regional Court, a board member of an AG had forwarded business emails with sensitive content such as salary statements, employee commission claims, contracts with customers and compliance matters to his private email address in at least 9 cases. According to the Management Board, this was done in consultation with the former CEO. The Supervisory Board of the AG then revoked the appointment of the Management Board member and terminated his Management Board employment contract without notice. What at first glance sounds like an internal matter turned out to be a serious breach of data protection. Even if the forwarding may have been done without malicious intent, the Executive Board should have first obtained the consent of the persons concerned. Especially in start-ups, where there is often a relaxed culture of communication and hierarchies are flat, the temptation to neglect data protection regulations is great. However, this case makes it clear that extreme caution is required. Even if you think you are acting in the interests of the company, careless forwarding can have serious consequences.
The Munich Higher Regional Court ruled in favor of the Supervisory Board. The forwarding of the emails to the private account of the Management Board constituted a breach of the General Data Protection Regulation (GDPR). According to Art. 4 No. 1 GDPR, personal data is any information relating to an identified or identifiable natural person. The forwarding and storage of emails containing such data on private servers is therefore only permitted with the consent of the data subject or if there is a legal basis for permission. The court clarified that it does not matter whether the forwarding takes place in a professional or private context. The only decisive factor is that personal data was processed without justification. For many start-ups, this interpretation may seem strict, but it is in line with the spirit of the GDPR, which focuses on the protection of personal data. Founders and their employees must therefore be aware of their responsibility and handle data with care.
The ruling makes it clear that the handling of personal data requires the utmost caution. Many founders and employees in start-ups are not aware of the data protection relevance of seemingly harmless forwarding of business emails to private addresses. But everyone should be aware of this by now at the latest: Even a single email can contain sensitive personal data, the unauthorized processing of which can have serious legal consequences. Especially in the startup context, it is important to always ask yourself whether you are authorized to forward an email to private accounts. Even if you believe you are acting in the interests of the company, careless forwarding can be seen as a breach of data protection. It is therefore important to raise awareness of the sensitivity of personal data and, if in doubt, it is better to ask too many questions. After all, the consequences of a data protection breach can be life-threatening, especially for a young company. Everything is conceivable, from warnings and claims for damages to severe fines.
Before forwarding a business email to a private email address, you should always ask yourself whether you are authorized to do so. If in doubt, it is better to ask too many questions than risk a data protection breach. As this case shows, even a careless forwarding or the mere inclusion of a private email address in CC can be expensive. Startups are well advised to sensitize their employees to this issue and to establish clear rules for handling personal data. This is the only way to prevent supposedly harmless actions from having far-reaching legal consequences. Especially in times when data protection is becoming increasingly important, it is essential to familiarize yourself with the applicable regulations and to live by them in your day-to-day work. Only by handling data responsibly can legal risks be minimized and the trust of customers and business partners strengthened. In this sense, the ruling of the Munich Higher Regional Court should be seen as a wake-up call to take data protection obligations seriously and to exercise the utmost care when handling personal data. Especially in the agile start-up world.
Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.
Introduction Technology is rapidly evolving and opening doors to new opportunities in the legal field, a development that always fascinates...
Read moreDetails
The ArnsbergCourt Arnsberg has in its judgment of 22.02.2024 (Ref. 4 O 273/23) decideddecided that the absence of a telephone...
Read moreDetails
In the last few months, I have had to deal several times with the question of whether a team/organization is...
Read moreDetails
There could soon be a ruling by the European Court of Justice that could startle German website providers who have...
Read moreDetails
In a recently published LinkedIn post, it was announced that the interface between smart contracts, decentralized financial systems (DeFi) and...
Read moreDetails
Introduction Drafting contracts in the field of artificial intelligence (AI) is one of the most exciting and challenging tasks of...
Read moreDetails
Influencer marketing has become an important tool in digital marketing in recent years. For start-ups, it offers an effective way...
Read moreDetails
A business plan is an indispensable strategic document for start-ups and company founders. It serves as a roadmap for business...
Read moreDetails
The data protection authorities from Bavaria have published a collection of questions and answers on data protection on websites. Questions...
Read moreDetailsDie Wahl eines Unternehmensnamens ist für Gründerinnen und Gründer eine strategische Entscheidung – kreativ, aber vor allem auch rechtlich. Domainname,...
Read moreDetails
In dieser aufschlussreichen Episode des ITmedialaw-Podcasts wird ein tiefgehender Blick auf die Schnittstelle von Web3, Blockchain-Technologie und Recht geworfen....
Read moreDetails
In diesem Video rede ich ein wenig über transparente Abrechnung und wie ich kommuniziere, was es kostet, wenn man mit...
Read moreDetails
