Misuse of customer data – termination of the IT employee without notice justified

von Désirée

The labor court in Siegburg confirmed the immediate dismissal of an IT employee due to misuse of customer data from his own company.

The termination without notice of an IT employee can be justified if he exploits security gaps and misuses customer data – so the Siegburg Labor Court ruled with its judgment of January 15, 2020 (Az .: 3 Ca 1793/19).

An IT employee had sued his employer. The court dismissed the lawsuit.

Violation of the duty to consider the interests of the employer

In the present case, the IT employee violated the employer’s obligation to be considerate and put the customer relationship at risk.

The labor court determined that it was not permissible to misuse sensitive customer data even to uncover security gaps. Even if the aim of the employee was to inform the customer about the security gap, his approach significantly disrupted the customer’s trust in the employer. The customer expects the defendant employer to protect his sensitive data. The employer should also expect his employees not to exploit these security gaps, but to inform the employer about them. IT employees in particular are obliged to protect sensitive data. In the present case, the IT employee’s termination without notice was therefore justified.

IT employees saw themselves as “whistleblowers”

The plaintiff had already been working as a SAP consultant for the defendant employer since 2011. Instead of informing his employer about the security gaps he found, he had misused the customer’s data to place orders, pay by direct debit and send them to the customer’s board of directors. He wanted to make the customer aware of the vulnerability. The employee wanted to be understood as a “whistleblower” in court.

Specifically, the employee had downloaded data from the customer’s encrypted computer onto a stick. The data included names, addresses and bank details of customers of the customer. He used the computer in a casino to order headache pills for members of the customer’s board of directors and sent them to them with the message that they could see from this example how quickly data was being misused and that the tablets sent with them were intended to alleviate the resulting headaches.

The judgment shows that the misuse of data is not permitted even for a supposedly good cause and that IT employees in particular are obliged to protect sensitive data. If you violate this obligation, you must expect extraordinary termination and the assertion of claims for damages.

Would you like to sensitize your employees to data protection and IT security? We offer eLearnings on these topics! Just ask us about it. Call us on 08505 919 27-0 or fill out our contact form.


Die Diplomjuristin Désirée studierte Rechtswissenschaften an der Universität Passau und war mehrere Jahre in Berlin in einem landeseigenen Unternehmen für Immobilienprojekte als Projektmanagerin Recht und Datenschutzbeauftragte tätig. Désirée bereichert das Team nicht nur mit ihrem juristischen Know-How sondern ist auch im Bereich der Organisation und Dokumentation, sowie im Rahmen der immer wichtiger werdenden DIN-ISO Normen und für Zertifizierungsprozesse erste Ansprechpartnerin. „Für das Wohl unserer Kunden sind mir offene Kommunikation sowie eine strukturierte, effiziente und gründliche Arbeitsweise wichtig.“