Removal of a Works Council Member for Forwarding Personal Employee Data to a Private Email Account

Hesse Regional Labor Court decision of March 10, 2025 – 16 TaBV 109/24 (appeal filed under case number 7 ABR 21/25)

In its decision of March 10, 2025 (Ref. 16 TaBV 109/24, n.rkr.), the Regional Labor Court (LAG) of Hesse ruled that the forwarding of personal employee data by a works council member to his private email address constitutes a gross breach of duty under Section 23 (1) 1 BetrVG and thus justifies removal from the works council.

Facts

The case concerns a hospital operator with around 390 employees and a nine-member works council.

In the fall of 2023, the employer discovered that an automatic forwarding rule had been configured in the works council chairperson's official email account, which forwarded all incoming emails to his private email address. Despite a warning from the employer, the works council chairperson continued this practice. Among the forwarded emails was a complete list of employees containing sensitive information including the names of all employees, their position in the company, working hours, pay scale, level, basic salary, pay scale progression, pay scale entry date, classification, and comparative data on classification within the group and basic salaries within the group. The works council chairperson had initially emailed this Excel file to his private email address, edited it at home, and then forwarded it back to the works council.

The employer then applied for the removal of the works council chairperson from the works council pursuant to Section 23 (1) BetrVG, arguing that his conduct constituted a serious violation of data protection obligations. According to Section 23 (1) BetrVG, the employer may demand the removal of a member from the works council for gross violation of their statutory duties; these duties also include compliance with data protection regulations. Depending on the severity of the violation, this may justify removal from the works council. The works council and its chairperson argued that the private forwarding was only done so that the table could be edited efficiently at home on a larger screen. After editing, all data was completely deleted.

The Wiesbaden Labor Court upheld the employer's request on May 23, 2024. The works council chair and the works council lodged an appeal against this decision.

Decision of the Hesse Regional Labor Court

The LAG Hessen dismissed the appeal and upheld the removal of the chairperson from the works council due to a gross breach of data protection obligations under Section 23 (1) BetrVG.

The court stated that the forwarding of personal data to the works council chairperson’s private email account constituted an unlawful act. According to Section 26 (1) of the Federal Data Protection Act (BDSG), employee data may only be processed if this is necessary for the performance of the employment relationship. Such a necessity did not exist in this case, as the works council chairperson had access to a company-provided computer for carrying out his works council duties. The LAG Hessen also considered that the conditions for permission under Art. 6 (1) (a) to (f) GDPR were not met, without providing detailed reasoning.

In addition, the court also found a breach of the transparency obligation: the employees concerned were not informed that their sensitive data was forwarded to a private email account and processed there. Additionally, the principle of data minimization was violated, as there was no need to process the data outside the protected work infrastructure.

The Hesse Regional Labor Court also classified this breach of data protection obligations as "gross" within the meaning of Section 23 (1) of the Works Constitution Act (BetrVG). The fact that the information forwarded concerned the amount of remuneration of each individual employee was particularly serious. It should have been evident to the chairperson that the handling of this data required the utmost sensitivity. In addition, the works council chairperson continued this conduct despite having previously received a formal warning. The court described him as "incorrigible" and accused him of deliberately acting against the regulations that the employer had issued to protect employee data.

The works council chairperson's argument that his private PC was protected by a password and a security program ("Bitdefender Total Security") was not accepted by the court. Such measures, the court held, cannot guarantee absolute data security. For this very reason, the provisions of the GDPR must be strictly adhered to, in order to rule out avoidable risks.

The urgency of preparing a works agreement cited by the works council chairperson, did not justify the data protection violation in the court's view.

The appeal to the Federal Labor Court was admitted due to its fundamental significance and is now pending under file number 7 ABR 21/25.

Conclusion

The decision of the Hesse Regional Labor Court once again underscores the stringent requirements for data protection-compliant handling of personal data. Works councils regularly have access to highly sensitive employee data, for example in the context of compensation negotiations, transfers, classification, or social plans. This responsibility entails a heightened duty of confidentiality and data security (see Section 79a (1) BetrVG). The forwarding of such data to private email accounts poses a high risk under data protection law and may constitute a gross breach of duty within the meaning of Section 23 (1) BetrVG.

The decision of the LAG Hessen comes as no surprise. In a similar case, the OLG Munich ruled that members of the executive board of an AG who forward sensitive company data or personal information from work emails to their private email accounts may, under certain circumstances, provide "good cause" within the meaning of Section 626 BGB for extraordinary termination (OLG Munich, judgment of July 31, 2024 – 7 U 351/23). In the case underlying the Munich Higher Regional Court's ruling, a member of the executive board of a corporation had forwarded several emails containing internal business and personnel data to his private email account in order, according to his own statements, to "work more efficiently from home." The court pointed out that trust in integrity and confidentiality when handling sensitive data is crucial. Even if no disclosure to third parties takes place, the mere potential risk to data protection is sufficient grounds for dismissal.

The rulings of both courts show that data protection violations can have serious consequences under labor and industrial relations law.

Recommendations

In view of their liability as data controllers, companies are well advised to proactively prevent such breaches of duty from occurring. Companies should take clear technical and organizational measures to prevent sensitive data from being forwarded to private email accounts, for example by using secure IT systems for the works council and restrictive handling of automatic forwarding. Regular training courses enhance awareness and establish clear rules for handling personal data. In the interests of trustful cooperation, the company and the works council should jointly regulate compliance with data protection when data is processed by the works council in a formal agreement. In addition, data protection violations should be consistently punished and closely coordinated with the company's data protection officer. It is particularly important to provide works councils with suitable work equipment to enable them to carry out their tasks in a manner compliant with data protection regulations.