Update Data Protection No. 186
Munich Higher Regional Court ruling: GDPR violation leads to the immediate dismissal of a board member
On July 31, 2024, the Higher Regional Court (OLG) Munich ruled on the immediate dismissal of a board member for violating the General Data Protection Regulation (GDPR). The plaintiff, a former board member of the defendant, had violated his duties by forwarding official emails to his private email account on multiple occasions.
Background of the case
Since 2013, the plaintiff had been a member of the board of directors of the defendant, a non-listed stock corporation that was converted into a limited liability company in 2022. In 2021, the plaintiff forwarded business emails containing sensitive company information to his private email account on multiple occasions. These emails included, among other things, salary statements, employee commission claims, and compliance matters.
Decision of the court
The Higher Regional Court of Munich upheld the defendant's termination of the plaintiff without notice. The court found that forwarding the e-mails to the plaintiff's private account constituted processing of personal data within the meaning of the GDPR that was neither covered by the consent of the data subjects (Art. 6 (1) (a) GDPR) nor justified by his legitimate interest (Art. 6 (1) (f) GDPR). These actions of the plaintiff were classified as a serious breach of duty because they violated data protection regulations and concerned sensitive data.
Interestingly, the court found no breach of the plaintiff's legal and contractual confidentiality obligations, because nothing had been disclosed to third parties, and based the admissibility of the extraordinary termination solely on the GDPR violation.
Important aspects of the judgment
- No violation of confidentiality obligations: The Higher Regional Court found no violation of the plaintiff's legal and contractual confidentiality obligations because the plaintiff had not disclosed the information or made it available to any third party. The mere storage on a free mail server is not sufficient to constitute a violation of confidentiality obligations. It is also undisputed that the plaintiff did not make use of the secrets.
- Violation of the GDPR: The forwarding of e-mails to the plaintiff's private account was deemed to be an unlawful processing of personal data. The consent of the data subjects was not obtained, and the forwarding was also not necessary to safeguard the legitimate interests of the plaintiff.
- Severity of the breach of duty: The court emphasized that the forwarding of e-mails containing sensitive data such as salary statements and commission claims constitutes a significant breach of confidentiality obligations. This data should not have been stored on a private server, as this does not meet the security standards of a company in the IT industry.
- Balancing of interests: When weighing the interests of both parties, the court concluded that the defendant's interest in the immediate termination of the employment relationship prevailed. The plaintiff's systematic and repeated forwarding of sensitive data justified the termination without notice. According to the case law of the Federal Court of Justice, a prior warning is not required for board members.
Conclusion
The judgment of the Higher Regional Court of Munich underscores the importance of compliance with the GDPR in corporate structures and the consequences of violations. Companies should ensure that all employees, especially managers, are fully informed about their obligations when handling personal data and strictly comply with them. In the event of violations, companies are required to respond immediately. They should examine the consequences under labor/service contracts, but should also not lose sight of the data protection obligations that may result from a violation (e.g. reporting obligations).