The termination of an employee’s contract is a frequent event that has consequences in many areas of a company. One of the issues it raises is which procedure should be followed with respect to the ex-employee’s mailbox. The GDPR has increased companies’ awareness of the need to safeguard employees’ data, but the management of ex-employees’ mailboxes continues to raise questions.
When somebody resigns or is dismissed, large amounts of data remain in their e-mail correspondence. The company may decide not to “shut down” the email address after the employee’s termination; instead, in order to keep receiving new emails, businesses may assign the mailbox to another employee or forward its messages to another email address. The question that emerges is the following: can this data be retained for an undetermined period of time? The answer is negative and was given in September by the Belgian Data Protection Authority (BDPA), which imposed a 15,000 euro fine on an SME for retaining personal data without a defined retention period (Decision 64/2020).
The case in a nutshell
The complainant was the CEO of an SME, who was suspended from that position in 2016. As CEO, he held a crucial position in the business founded by his father, covering its financial, regulatory and management aspects. The plaintiff’s position was terminated suddenly and without prior agreement. The Belgian Data Protection Authority stressed that the CEO’s email address was deleted only 2.5 years after his termination and that, in addition, senders were not informed that this employee was no longer the user of the email address. The Belgian Authority therefore imposed a 15,000 euro fine for violations of Articles 5 and 6 of the GDPR relating to the lawfulness principle, purpose limitation, data minimisation and data retention.
The first step should be the adoption of an internal IT policy on the management of employees’ mailboxes after their departure, which distinguishes private from professional messages and sets out what happens to the mailbox once the employee leaves. Furthermore, the employee shall have the right to collect or delete his private messages, and any recovery of his mailbox for business continuity purposes must be done in his presence and prior to his departure.
On the departure day the mailbox must be blocked and the employee must be notified of this action. Moreover, an automatic reply shall be set up to inform senders of the following: a) the employee no longer provides his services within the company, b) the date on which the mailbox was blocked, and the substitute contacts that can be reached. Finally, the mailbox shall be deleted upon expiry of the automatic reply period (1–3 months). The length of this period depends on the role and position of the employee (the more senior the role, the longer the period), and any extension of it requires the consent, or at least the notification, of the former employee.
In conclusion, the implementation of the GDPR has brought to light obligations and procedures for the protection of employees’ privacy and data that nobody could have imagined five years ago. The objections and indications of the Belgian Data Protection Authority set out above can prove significantly useful for enriching any company’s privacy policies. In particular, these policies should regulate the management of ex-employees’ mailboxes so that they remain compliant with the fundamental principles of the GDPR: the lawfulness principle, purpose limitation, data minimisation and data retention.
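As an added illustration (not part of the article or of the BDPA decision), the following Exchange Online script applies the departure-day steps described above: sign-in is blocked rather than mail being forwarded, an auto-reply with the required elements runs for a role-dependent period, and the deletion due date is recorded. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and that the user, substitute contact and role periods are constructed values.

```powershell
# Added example: GDPR-style mailbox offboarding in Exchange Online.
# Assumes ExchangeOnlineManagement + Microsoft.Graph.Users modules and an admin session.
param(
    [string]$LeaverUpn         = 'j.doe@example.com',   # constructed sample value
    [string]$SubstituteContact = 'sales@example.com',   # constructed sample value
    [ValidateSet('Standard','Manager','Executive')]
    [string]$Role              = 'Standard',
    [datetime]$DepartureDate   = (Get-Date).Date
)

# Auto-reply window of 1-3 months, longer for more senior roles (assumed mapping).
$months     = switch ($Role) { 'Standard' { 1 } 'Manager' { 2 } 'Executive' { 3 } }
$blockDate  = $DepartureDate
$deleteDate = $DepartureDate.AddMonths($months)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# 1) Block the mailbox on the departure day: disable sign-in and clear any forwarding,
#    so no colleague silently keeps receiving the leaver's mail.
Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false
Set-Mailbox -Identity $LeaverUpn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 2) Auto-reply stating that the person has left, when the mailbox was blocked,
#    and whom to contact instead; it ends on the planned deletion date.
$msg = @"
This person no longer works for the company. This mailbox was blocked on
$($blockDate.ToString('yyyy-MM-dd')) and is scheduled for deletion on
$($deleteDate.ToString('yyyy-MM-dd')). Please contact $SubstituteContact instead.
"@
Set-MailboxAutoReplyConfiguration -Identity $LeaverUpn -AutoReplyState Scheduled `
    -StartTime $blockDate -EndTime $deleteDate `
    -InternalMessage $msg -ExternalMessage $msg -ExternalAudience All

# 3) Record the deletion due date in an offboarding register so the mailbox is removed
#    when the auto-reply expires; any extension needs the leaver's consent or notification.
[pscustomobject]@{
    Mailbox    = $LeaverUpn
    Role       = $Role
    Blocked    = $blockDate.ToString('yyyy-MM-dd')
    DeleteDue  = $deleteDate.ToString('yyyy-MM-dd')
    Substitute = $SubstituteContact
} | Export-Csv -Path '.\mailbox-offboarding-register.csv' -Append -NoTypeInformation

Write-Output "Blocked $LeaverUpn; auto-reply until $($deleteDate.ToShortDateString()); delete the account (Remove-MgUser) on that date unless an extension was agreed."
```

The actual deletion is deliberately left to a separate, reviewed step on the due date so that an agreed extension can still be applied.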
The editorial team