How to manage and access the e-mail accounts of ex-employees?

If an employee leaves the company, can the mailbox remain active for a while and does the employer have access to the e-mails therein? A recent decision of the Data Protection Authority (DPA) clarifies. In this decision, the DPA decided to impose an administrative fine of EUR 15,000 on a company that only closed e-mail addresses linked to former employees (surname and first name) after 2.5 years.

Facts

The former managing director of a company, active in the medical sector and founded by his father, submitted a request for mediation to the DPA, since the company had not responded to his explicit request to close the e‑mail addresses and associated e-mail accounts linked to him, his wife, his brother and his father within 7 days after his departure. It concerned e-mail addresses with the surname and first name as well as e‑mail addresses with only the first name of the persons mentioned above.

After submitting his request, the DPA First Line Service intervened. Since the mediation did not achieve the desired result, the procedure was continued in the form of a complaint.

According to the investigation report of the inspection service, the e-mail accounts had already been deactivated, but the e-mails were automatically forwarded to another e-mail address of the company as the persons concerned all had important functions within the company and the company did not want to lose important e-mails. The recipients of the e-mails were not informed of the fact that the three persons concerned were no longer the users of the e-mail addresses, which could give rise to the collection and potential use of personal data without the knowledge of the recipients.

Decision and guidance of the DPA

According to the DPA, the company, by not blocking the e-mail addresses, has violated several fundamental principles of the GDPR, in particular lawfulness (lack of a legal ground), purpose limitation, data minimisation and the reasonable retention of personal data over time (storage limitation).

According to the DPA, the fact that the company had retained the e-mail addresses in order not to lose important professional messages, given the functions of the departed persons and the lack of transfer of ongoing files, did not constitute a sufficient reason to retain the e-mail addresses.

The DPA imposed an administrative fine of EUR 15,000 on the company.

In its decision, the DPA gives a number of clear guidelines for employers to follow when an employee leaves the company:

  • the controller should block the e-mail account of an ex-employee at the latest at the time of his effective departure;
  • prior to deactivation, the employee who leaves the company should be informed, in order to allow the employee to sort his private e-mails and forward them to his private e-mail address prior to his actual departure;
  • an automatic reply should be installed notifying the sender that the person he was trying to contact has left the organization, and mentioning the contact details of the person (or the generic e-mail address) to be contacted instead. According to the DPA, this should be preferred over the automatic forwarding of all e-mails to another mailbox of the company (as the company in the case at hand had done);
  • after a reasonable period of time (a priori one month), the e-mail address – and the automatic message – should be deactivated. The DPA notes that, taking into account the context and the level of responsibility of the ex-employee, a longer period for the automatic message can be foreseen, but ideally not longer than 3 months. This extension of the period should be justified and should be done in mutual agreement with the ex-employee. At least, the ex-employee should be notified of the extension. Keeping the e-mail address active for a limited period of time can be based on the legitimate interests of the company, in particular ensuring continuity of business and proper functioning of the company;
  • in order to avoid the company still needing to have access to the e-mail account of the ex-employee after his departure, e-mails from the e-mail account of the employee concerned that are essential to ensure the proper functioning of the company must be recovered before the employee’s departure and in his presence.
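As an added illustration (not part of the decision or the author's text), the following audit checks an inventory of ex-employee mailboxes against the timeline set out in the guidelines above: blocked at departure, auto-reply rather than forwarding, one month by default, at most three months when the extension is justified and the ex-employee notified. The record format, the state names and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Time limits taken from the DPA guidance: auto-reply for about one month,
# extendable (justified and notified) to at most three months.
DEFAULT_REPLY_DAYS = 30
MAX_REPLY_DAYS = 90

@dataclass
class ExEmployeeMailbox:
    # Hypothetical record format; "state" is one of
    # "active", "forwarding", "autoreply", "deactivated".
    address: str
    departure: date
    state: str
    extension_justified: bool = False
    ex_employee_notified: bool = False

def audit_mailbox(box: ExEmployeeMailbox, today: date) -> list[str]:
    """Return the deviations from the DPA guidance for one mailbox (empty = OK)."""
    findings = []
    days_since = (today - box.departure).days
    if days_since < 0:
        return findings                      # not yet departed: nothing to check
    if box.state == "active":
        findings.append("account not blocked at effective departure")
    elif box.state == "forwarding":
        findings.append("automatic forwarding in place; DPA prefers an auto-reply")
    elif box.state == "autoreply":
        if days_since > MAX_REPLY_DAYS:
            findings.append("auto-reply kept beyond three months")
        elif days_since > DEFAULT_REPLY_DAYS:
            if not box.extension_justified:
                findings.append("auto-reply beyond one month without justification")
            if not box.ex_employee_notified:
                findings.append("ex-employee not notified of the extension")
    return findings

def audit_inventory(boxes, today):
    """Map each non-compliant address to its findings."""
    return {b.address: f for b in boxes if (f := audit_mailbox(b, today))}

# Constructed sample records (not from the decision).
SAMPLE = [
    ExEmployeeMailbox("jane.doe@example.com", date(2018, 1, 15), "forwarding"),
    ExEmployeeMailbox("john@example.com", date(2020, 5, 1), "autoreply", True, True),
    ExEmployeeMailbox("ann@example.com", date(2020, 6, 10), "autoreply"),
    ExEmployeeMailbox("bob@example.com", date(2020, 3, 1), "deactivated"),
]

if __name__ == "__main__":
    for addr, findings in audit_inventory(SAMPLE, date(2020, 7, 1)).items():
        print(addr, "->", "; ".join(findings))
```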

Taking into account the principle of accountability under the GDPR, it is up to the employer to be able to demonstrate that the above steps were correctly followed.

Finally, the DPA emphasizes the importance of a properly detailed procedure in the event of an employee's departure, which should be included in the company ICT Policy.

In its decision, the DPA clearly assumes that the mailboxes of the ex-employees concerned could also be used for private correspondence. However, it is possible to prohibit the private use of the professional mailbox, provided that employees are given the possibility to consult a private mailbox online (e.g., Gmail, Hotmail, …) during the working day (and within reasonable limits). Indeed, a recommendation on cybersurveillance of 2 May 2012 of the former Privacy Commission (converted into the DPA) confirms that professional and private information should be separated as much as possible and that separate accounts could be used. In the event of a clear separation between professional and private use, a less strict departure policy can, in our view, be justified.

In the above-mentioned recommendation on Cybersurveillance of 2012, the former Privacy Commission already stressed the importance of operational rules in case of absence (e.g., holidays, illness) and departure of an employee from the company. On the basis of this recommendation, limited access to the employee’s e-mail account after his or her departure was still permitted, but the Privacy Commission recommended appointing a “confidential advisor” for this purpose. However, in this recent decision, the DPA seems to have strengthened its position. Access to the e-mail account after the employee's departure seems in principle to be no longer allowed. 

It remains to be seen whether the DPA would maintain this strict position even in case of prohibition to use the professional mailbox for private purposes, and how jurisprudence on this topic will further develop.

Link to the decision: https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf

 Leen Peeters – Senior Associate Claeys & Engels
