The Data Protection Authority (DPA) recently decided to impose an administrative fine of EUR 15,000 on a company that only closed e-mail addresses linked to departed employees (surname and first name) after 2.5 years. According to the DPA, non-closure of these e-mail addresses constitutes a violation of the fundamental principles of the GDPR, in particular the lawfulness, purpose limitation, data minimisation and the reasonable retention of personal data over time (storage limitation).
The former managing director of an SME, active in the medical sector and founded by his father, submitted a request for mediation to the DPA, since the SME had not responded to his explicit request to close the e‑mail addresses and associated e-mail accounts linked to him, his wife, his brother and his father within 7 days after his departure. It concerned e-mail addresses with the surname and first name as well as e‑mail addresses with only the first name of the persons mentioned above.
Mediation by the First Line Service of the DPA
After submitting his request, the DPA First Line Service intervened. Since the mediation did not achieve the desired result, the procedure was continued in the form of a complaint.
Investigation by the inspection service
In the framework of the investigation by the inspection service, two investigation reports were drawn up:
- The first investigation report noted that the 3 e-mail addresses were still active 2.5 years after the persons’ departures, without the recipients of e-mails being informed that the three senders were no longer the users of those addresses; this could lead to personal data being collected and potentially used without the recipients’ knowledge.
The inspection service states that it is appropriate for the employer to deactivate the e-mail account of a former employee within the shortest period of time after an automatic message has been set up indicating for a reasonable period of time (a priori 1 month) that the employee is no longer employed. Ideally, the e-mail account should be closed after this period. Under no circumstances may the professional e-mail address of the departed employee still be used.
- The second investigation report notes that the 3 e-mail addresses could no longer be reached. The SME reported that the e-mail accounts had already been deactivated on the date of departure of the persons involved and that e-mails were automatically forwarded to another company e-mail address, because these persons all held important functions within the SME and the company did not want to lose important e-mails.
Decision of the Dispute Chamber of the DPA
The DPA states that the SME has failed to comply with the principles of purpose limitation, lawfulness, data minimisation and storage limitation by not blocking the e-mail addresses. According to the DPA, the fact that the SME had retained the e-mail addresses in order not to lose important professional messages, given the functions of the departed persons and the lack of transfer of ongoing files, did not constitute a sufficient reason to retain the e-mail addresses.
In its decision, the DPA gives a number of clear guidelines for employers to follow when their employees leave:
- the controller should block the e-mail accounts of ex-employees at the latest at the time of their effective departure;
- the ex-employee must have been informed of this and there must be an automatic message informing the recipient that the person he was trying to contact has left the organisation;
- after a reasonable period of time (a priori one month), the mailbox – and the automatic message – must be deleted. The DPA notes that, taking into account the context and the level of responsibility of the ex-employee, a longer period for the automatic message can be foreseen, but ideally not longer than 3 months. This extension of the period should be justified and should be done in mutual agreement with the ex-employee. At least, the ex-employee should be notified of the extension. Keeping the mailbox active for a limited period of time can be based on the legitimate interest of the company, in particular ensuring continuity of performance and proper functioning;
- prior to deactivation, the employee who leaves and any third parties must be informed, in order to allow the employee to sort his private e-mails and forward them to his private e-mail address prior to his actual departure;
- in order to avoid the company still needing to have access to the e-mail account of the ex-employee after his departure, e-mails from the e-mail account of the employee concerned that are essential to ensure the proper functioning of the company must be recovered before the employee’s departure and in his presence.
Taking into account the principle of accountability, it is up to the employer when employees leave to be able to demonstrate that the above steps were correctly followed.
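To make the accountability obligation concrete, the following added example (not part of the DPA decision or of any company's tooling) encodes the departure guidelines above as an audit check over constructed offboarding records; the record fields, the 30-day default and the 90-day ceiling for a justified extension are assumptions taken from the "one month" and "not longer than 3 months" periods in the decision.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

AUTO_REPLY_DAYS = 30      # "a priori one month" for the automatic message
MAX_EXTENSION_DAYS = 90   # "ideally not longer than 3 months" when justified

@dataclass
class OffboardingRecord:
    """One ex-employee mailbox; fields are assumed, recorded by HR/IT at departure."""
    address: str
    departure: date
    blocked_on: Optional[date]                   # account blocked (no further use)
    auto_reply_set: bool                         # "has left the organisation" message
    employee_informed: bool                      # informed before deactivation
    essential_mail_recovered_before_departure: bool
    mailbox_deleted_on: Optional[date]           # mailbox and auto-reply removed
    extension_justified: bool = False
    extension_notified_to_employee: bool = False

def check_offboarding(rec: OffboardingRecord, today: date) -> List[str]:
    """Return the list of guideline deviations for one record (empty = compliant)."""
    findings: List[str] = []
    if rec.blocked_on is None or rec.blocked_on > rec.departure:
        findings.append("account not blocked at or before effective departure")
    if not rec.auto_reply_set:
        findings.append("no automatic message informing senders of the departure")
    if not rec.employee_informed:
        findings.append("ex-employee not informed prior to deactivation")
    if not rec.essential_mail_recovered_before_departure:
        findings.append("essential e-mails not recovered before departure")
    # Deletion deadline: one month, extendable to three only if the extension
    # is justified and the ex-employee has at least been notified of it.
    limit = AUTO_REPLY_DAYS
    if rec.extension_justified and rec.extension_notified_to_employee:
        limit = MAX_EXTENSION_DAYS
    deadline = rec.departure + timedelta(days=limit)
    retained_until = rec.mailbox_deleted_on or today   # still open counts to today
    if retained_until > deadline:
        days = (retained_until - rec.departure).days
        findings.append(f"mailbox retained {days} days, limit {limit}")
    return findings

def audit(records: List[OffboardingRecord], today: date) -> dict:
    """Map each address to its findings so the employer can evidence the steps."""
    return {r.address: check_offboarding(r, today) for r in records}
```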
Finally, the DPA emphasises the importance of a properly detailed procedure in the event of an employee's departure, which must be included in the company ICT Policy.
In its decision, the DPA clearly assumes that the mailbox of the ex-employees concerned could also be used for private correspondence. However, it is possible to prohibit the private use of the professional mailbox, provided that employees are given the possibility to consult a private mailbox (e.g., Gmail, Hotmail) online during the working day. Indeed, a Cybersurveillance recommendation of 2 May 2012 from the former Privacy Commission (converted into the DPA) confirms that professional and private information should be separated as much as possible and that separate accounts can be used. In the event of a clear separation between professional and private use, a less strict departure policy may therefore be envisaged.
In the above-mentioned Cybersurveillance recommendation of 2012, the former Privacy Commission already stressed the importance of operational rules in case of absence (e.g., holidays, illness) and departure of an employee from the company. On the basis of this recommendation, limited access to the employee’s e-mail account after his or her departure was still permitted, but the Privacy Commission recommended appointing a “confidential adviser” for this purpose. However, based on this recent decision of the DPA, access to the e-mail account after the employee's departure seems in principle to be no longer allowed.
Check that your ICT policy correctly describes the procedure in the case of an employee departing. Make sure this procedure is strictly followed by your IT department.