In a decision dated 10 March 2025, the Hessian Regional Labour Court ruled that the unauthorised forwarding of professional content to a private email account can lead to exclusion from the works council.(Hessisches LAG, judgement of 10 March 2025, Ref.: 16 TaBV 109/24).
Background
The chairman of the works council of a clinic with around 400 employees repeatedly forwarded personal data from his work email address to his private email address.
In September 2023, the clinic discovered that the works council chairman had set up a rule in his work email inbox whereby all incoming emails were forwarded to his private email address. As the clinic saw this as a breach of data protection, it issued the works council chairman with a warning.
In October 2023, the clinic then realised that the warning had obviously had no effect on the works council chairman, as he was now forwarding information to a newly set up private email address. The data sent included a complete list of all employees with details of their position in the company, pay scale group, remuneration, classification and other sensitive personal information.
The works council chairman justified the forwarding by stating that he needed to analyse the data on his private device with a larger screen in order to properly prepare a works agreement.
The employer considered this behaviour to be a serious breach of data protection regulations and filed an application with the Wiesbaden Labour Court pursuant to Section 23 (1) BetrVG to exclude the works council member.
The works council and the chairman of the works council lodged an appeal against the decision of the Wiesbaden Labour Court, which granted the application.
The decision
The Hessian Higher Labour Court ruled that the exclusion was justified: In principle, an employer can demand the exclusion of a member from the works council for gross violation of their statutory duties in accordance with Section 23 (1) sentence 1 BetrVG. Such obligations arise, for example, from Section 79a sentence 1 BetrVG, according to which the works council is obliged to comply with data protection regulations when processing personal data. Depending on the severity of the breach, a violation may constitute grounds for exclusion pursuant to Section 23 (1) BetrVG.
In the opinion of the court, by forwarding personal data to his private email address, the chairman of the works council breached the duties incumbent upon him pursuant to Section 79a sentence 1 BetrVG.
The Regional Labour Court denied that the data processing was necessary: the forwarding of the data initially constituted a breach of the transparency requirement, as the employees concerned had not been informed of the processing. In addition, it had been possible for the chairman to carry out the data processing via the work computer made available to him for works council activities.
The court did not accept the argument that he needed a larger screen for the processing. He could have easily requested the necessary technical equipment from the employer’s IT department. The urgency cited by the works council chairman in connection with the remuneration negotiations was also not suitable to justify the forwarding.
Furthermore, there was a breach of the principle of data minimisation, as there was no actual necessity for the forwarding. Finally, Art. 6 para. 1 GDPR was also violated, as none of the permissions standardised therein were fulfilled.
The breach of duty was also “gross” within the meaning of Section 23 (1) BetrVG. The court initially found that the breach was serious due to the nature of the data and that it was readily recognisable to the works council chairman that the handling of this data required “the utmost sensitivity”.
Added to this was the fact that there had already been disputes in the past over the same issue. The LAG therefore assumed that the chairman of the works council acted with knowledge of his employer’s data protection concerns and by deliberately circumventing technical protective measures. The court categorised the works council chairman as “unteachable” and accused him of having deliberately acted contrary to his employer’s instructions.
Practical tip
The forwarding of data to private mailboxes poses a high risk under data protection law. It is therefore essential for employers to establish internal technical measures to prevent the forwarding of data to private mailboxes. These measures must be strictly enforced and violations must be penalised appropriately.