EU GDPR and employee mailboxes
When an employee leaves, it is often a first step for the company that his personal access to his professional email is canceled as soon as possible (often even during the exit meeting). But more often than not, that mailbox will remain open for some time after termination, because there is a genuine business concern that emails may still arrive after termination that are of very legitimate business interest, for example with regard to orders or open issues that need to be retrieved by someone else.
More and more employees seem concerned by this practice and are asking for the immediate deletion of their old professional e-mail address. Such requests are noted by the employer but (deliberately or not) are not always followed up with too much diligence, as evidenced by some recent decisions of the Litigation Chamber of the Belgian Data Protection Authority (DPA). These cases have enabled the DPA to refine its position on the matter and its conclusions and resulting guidelines, summarized below, should be of interest to all companies with employees and consultants in Belgium.
With regard to the e-mail address and mailbox of a former employee or consultant, the Belgian DPA considers the following:
The DPA accepts that an employer can invoke a legitimate interest (Article 6.1 f) GDPR) to leave a work email account open for a period of time after termination, as there may still be interesting emails coming in.
In order to meet its data minimization obligations, the company should ideally set up an automatic message on the day the employee leaves the company. The employee must be informed of this message but does not have the right to block or modify it. The message informs the sender of the email in hopefully neutral terms that the intended recipient no longer works for the company and provides contact information instead. This message must be sent for a reasonable period of time, which the DPA estimates at one month.
Depending on the context and the function and responsibilities of the employee, this one-month period may be extended to 3 months, with the agreement or at least with the knowledge of the former employee. During this period, an alternative approach should also be developed to address the issue of the departure of the employee and his mailbox. What those alternative arrangements should be, the DPA does not say. However, an automatic forwarding of emails to the designated alternate is not a permitted alternative for these purposes, the DPA considers, whether or not the auto-reply period is extended.
After this period of one to three months, the e-mail account must be deleted. The DPA does not address the situation where the employee is put on gardening leave: do the 1 to 3 months begin then or on the effective date of termination? It seems reasonable to interpret the guidelines such that the auto-message goes up and the 1-3 month period begins in each case the moment employees lose access to their mailbox, even if this is within a few months before the legal date of departure.
The Chamber also considers that the employee should have the right to consult his mailbox and delete his personal e-mails or forward them to a private e-mail address. Likewise, work emails from the mailbox that the business might need to keep it running smoothly should also be forwarded to a colleague. This screening of the mailbox should, according to the Chamber, be done in the presence of the employee, before his departure. If the exit is disputed, the intervention of a “person of trust” is recommended. A procedure to this effect should be included in the company’s IT policy.
In the cases brought before the Litigation Chamber, the Chamber has ruled that the principles of the GDPR, as reflected in the guidelines above, had manifestly not been respected. However, the sanctions applied by the Chamber remain relatively lenient: a reprimand, in one case accompanied by an administrative fine of EUR 15,000. This may be because, with all due respect to the DPA, some of these points may be advice of perfection, viable in theory but unlikely to survive their first encounter with the reality of a controversial exit of a resentful or upset executive, or of large-scale terminations. There must be some flexibility in the penalty to reflect the presence or absence of actual harm to the ex-employee, any mitigating concerns the employer may have regarding competition, the administrative burden of weeding through multiple mailboxes, the difficulties of doing that pre-termination weeding in the event that the termination or resignation is effective immediately, and what happens when the departing employee refuses (perhaps with good reason) to trust the trusted person. Hopefully the key for an employer will be to be seen to be doing their best – these procedures are guidelines, not laws, and so breaches of these can add substance to claims of breach of individual rights but should not constitute free-standing claims by themselves.
The Chamber’s rulings underscore the importance of a dedicated section in the IT policy on the fate of the professional mailbox after the departure of an employee from the company. While still on duty, employees should be told why their employer wants access to their mailbox after they leave the company, how long their mailbox will remain open after they leave the company, what message will be communicated to correspondents and who will be the “trusted person” who will screen their e-mails. The level of information received will determine the employee’s reasonable expectation of privacy and ensure compliance with the GDPR information obligation to data subjects. Based on the guidance in these rulings, some companies will also need to rethink their policies around data retention and keeping mailboxes open without limitation. Developing a uniform policy in this regard will also require taking into account the views of other national data protection authorities in the EU, as they are not yet fully aligned on the subject. Attention to this issue is expected to increase, both from the authorities and from those affected. In other words, it may not be possible to develop a single EU-wide policy on this.
By way of conclusion, the Chamber’s decisions remind us that when it comes to privacy, people living in glass houses must not throw stones. A case came to the Chamber following a complaint by an individual who had unsubscribed from a commercial mailing list but continued to receive unwanted newsletters. The DPA inspection service discovered that he was receiving these emails not as the original recipient, but because the newsletters were automatically delivered to him from the mailbox of a former colleague who had left the company months before… Snap.
© Copyright 2022 Squire Patton Boggs (USA) LLP
National Law Review, Volume XII, Number 21