You’ve got mail – applying GDPR principles to leavers’ inboxes (EU)

When an employee leaves, it is often a first step for the business that his personal access to their professional mailbox is cancelled as soon as possible (often even during the exit meeting). But most often that mailbox will remain open for quite some time after the termination, as there is a genuine business concern that e-mails may still come in after the termination that are of entirely legitimate interest to the company, such as in relation to orders or ongoing matters requiring to be picked up by someone else.

An increasing number of employees appear to be concerned by this practice, and request that their former professional e-mail address be cancelled immediately. Such requests are noted by the employer but (deliberately or otherwise) aren’t always followed up too diligently, as demonstrated by a couple of recent decisions of the Litigation Chamber of the Belgian Data Protection Authority (DPA). These cases have allowed the DPA to refine its position on the matter and its conclusions and resulting guidelines, as summarised below, should be of interest to all companies with employees and consultants in Belgium.

With respect to the e-mail address and mailbox of a former employee or consultant, the Belgian DPA considers the following:

The DPA accepts that an employer may invoke a legitimate interest (article 6.1 f) GDPR) to leave a professional e-mail account open for a certain period of time after the termination, as there may still be interesting e-mail coming in.
In order to comply with its obligations of data minimisation, the company should ideally install an automatic message on the day that the employee leaves the company. The employee should be informed of this message but does not have the right to block or amend it. The message informs the email sender in hopefully neutral terms that the intended recipient no longer works for the company and provides the contact details of the person who should be contacted instead. Such message should be sent for a reasonable period of time, which the DPA assesses at one month.
Depending on the context and the position and responsibilities of the employee, this period of one month may be extended to 3 months, with the approval or at least the knowledge of the former employee. During this period, an alternative approach should also be developed to address the issue of the employee’s departure and their mailbox. What those alternative arrangements should be, the DPA does not say. However, an automatic forwarding of e-mails to the named replacement is not a permitted alternative for these purposes, considers the DPA, whether the auto-reply period is extended or not.
After this period of one to three months, the e-mail account should be deleted. The DPA does not address the situation where the employee is put on garden leave: do the 1 to 3 months start then or on the actual date of termination? It seems reasonable to interpret the guidelines such that the automatic message goes up and the 1 to 3-month period starts in each case at the point when the employees loses access to their mail box, even if that is some months before the legal leaving date.
The Chamber also considers that the employee should have the right to go through his mailbox and delete his personal e-mails or forward them to a private e-mail address. Equally, any professional e-mails in the mailbox that the company may need to ensure its proper functioning should also be dispatched to a colleague. This sifting of the mailbox should, according to the Chamber, be done in the presence of the employee, before his departure. If the exit is contentious, the intervention of a “person of trust” is recommended. A procedure to this purpose should be included in the company’s IT policy.

In the cases brought before the Litigation Chamber, the Chamber ruled that the principles of the GDPR, as translated in the above guidelines, had manifestly not been complied with. The sanctions applied by the Chamber however remain relatively lenient: a reprimand, combined in one case with an administrative fine of 15,000 EUR. This may be because, with due respect to the DPA, some of these points are perhaps a counsel of perfection, viable in theory but unlikely to survive their first encounter with the reality of a contentious exit of a resentful or antagonised senior executive or large scale terminations. There must be some flexibility in the sanction to reflect the presence or absence of actual harm to the ex-employee, any mitigating concerns the employer may have around competition, the administrative burden which weeding through multiple mailboxes will impose, the difficulties of doing that weeding pre-termination in a case where the dismissal or resignation is with immediate effect, and what happens when the departing employee refuses to trust (perhaps with good reason) the person of trust. It must be hoped that the key for an employer will be to be seen to do its best – these procedures are guidelines, not law, and so breaches of them may add substance to claims for breaches of individual rights but should not amount to free-standing claims by themselves.

The decisions of the Chamber emphasize the importance of a dedicated section in the IT policy on the fate of the work mailbox after an employee leaves the company. While they are still in service, employees should be informed why their employer may want to have access to their mailbox after they have left the company, how long their mailbox will remain open after their departure, what message will be communicated to correspondents, and who will be the “person of trust” sifting through their e-mails. The level of information received will determine the employee’s reasonable expectations of privacy and ensures compliance with the GDPR’s information obligation towards data subjects. On the basis of the guidance in these decisions, some companies will also have to rethink their policies around data retention and keeping mailboxes open without limitation. The development of a uniform policy in this respect will require consideration also of the views of the other EU national data protection authorities, as they aren’t yet fully aligned on the topic. It is expected that attention to this matter will grow, both from the authorities and data subjects. In other words, it may not be possible to develop a single EU-wide policy on this.

As an outro, the decisions of the Chamber remind us that in privacy matters, people in glass houses should not throw stones. One case had come before the Chamber following a complaint from an individual who had unsubscribed from a commercial mailing list but continued to receive unwanted newsletters. The inspection service of the DPA discovered that he received these e-mails not as an original recipient, but because the newsletters were being automatically forwarded to him from the mailbox of a former colleague who had left the company months before.… Snap.

The opinions expressed in this update are those of the author(s) and do not necessarily reflect the views of the Firm, its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.