On 31 July 2024, the German Higher Regional Court of Munich (OLG München) delivered a judgment providing key insights into the repercussions board members may encounter for violating the General Data Protection Regulation (GDPR). Although the primary legal question centered around the legality of an executive’s dismissal under German corporate and employment law, the court’s decision was heavily influenced by its determination that the executive had prompted the company to engage in unlawful data processing, thereby breaching the GDPR. This blog post highlights the essential facts of the case and the court’s findings regarding the data protection issues involved.
Background
The case involved a board member of a German corporation who, over several months, systematically forwarded internal business emails to his private email account by adding his personal address in the CC field. These emails contained personal data and confidential information relating to the company and third parties, including a bank inquiry under anti-money laundering regulations, employee compensation claims, salary statements of a former board chair, plans for employee commissions, and internal disputes regarding responsibilities within the executive board.
The board member argued that he forwarded the emails for personal recordkeeping, anticipating potential use in his own legal defense. When the company discovered this practice, it immediately removed him from office and terminated his service...
The Gazette offers audio versions of articles using Instaread. Some words may be mispronounced. If their true motivations were to organize troops of angry demonstrators to wave signs, shout chants ...