GDPR / Data privacy: What to do with mailboxes of departing personnel?
An employee, manager, director or even a consultant with a company mailbox is leaving the company. How to handle their mailbox?
A decision of the Belgian DPA (Decision 64/2020 of September 29, 2020) sanctioned an inadequate handling of the matter and provided guidance for future cases. The following questions are concerned:
- Can the company use, or even read, the emails of the departing staff member?
- Should the company forward emails or display an automated reply? If so, for how long?
- Does the leaving staff member have a right to collect or delete personal emails?
The decision
Facts
The case referred to the Litigation Chamber concerned the departure of the CEO of a formerly family-owned company (upon immediate dismissal).
A certain number of email addresses of the former CEO and other family members formerly working for the company were still used by the company (long) after their departures. Those emails addresses were personal to those persons and used their first names either alone or in combination with their family names (firstname@companyname.be or firstname.familyname@companyname.be).
The former CEO also claims and proves that an employee of the company accessed his old mailbox.
During the inspection leading to this decision, the company also acknowledged having created a redirection of those email addresses with the goal of not losing important emails (having regard to the key positions formerly held by the concerned persons, such as Quality Manager and Director).
Ruling of the Litigation Chamber
- Mailboxes should have been closed
The email addresses were created in a professional setting for the purpose of allowing their holders to send and receive emails in the framework of their activity for the company. The Belgian DPA states that these addresses should have been closed at the latest on the day of effective departure of the staff member from the company.
- Access to the complainant’s mailbox
Although it may be legitimate for the company to access the mailbox and keep copies of some emails from the departing personnel, such access can only occur with the holder present.
The Litigation chamber found violations of GDPR Article 5.1 b) purpose limitation in combination with Articles 5.1 c) data minimization and e) storage limitation, Article 6 lawfulness of processing and Article 17.1 a) right to erasure. The company was imposed a 15.000,00 EUR fine (in consideration of its limited size – 13 people working for the company).
What should you do?
Immediately
- Adapt your IT / Privacy policy
Clear processes on how the mailbox and its content are handled upon departure should be defined and made known to all personnel. According to this decision, these processes should, at least, address the elements described below.
Prior to the departure
- Collection of personal items / sorting out the mailbox
The Belgian DPA states that, just as a staff member must be allowed to retrieve their personal belongings, they must be allowed to collect and/or delete personal electronic communications before leaving. If the employer needs to recover elements from the leaving staff member’s account for organization business reasons, then that should be done before their departure and in their presence. In delicate and conflictuous situations, the presence of a person of confidence is recommended.
In this regard, the European Data Protection Board advises, during the whole collaboration, “to ensure that relevant correspondence is stored in places that are accessible to those persons who need it such as case management systems, case files or provided in handover notes” (an advise also valid to avoid problems in cases of long term absence of a staff member).
- Closing of the mailbox and information thereof
The company must inform the departing staff member in advance that the mailbox will be closed and, after an appropriate period of time, deleted. The closing (making it unavailable) must occur at the latest on the day of effective departure of the staff member in question.
- Automatic reply
Prior to closing the mailbox, an automatic response must be activated that informs senders:
- that the concerned person has ceased to work at/for the company; and
- of relevant other contact information (person to be contacted instead or a general company email address).
Upon and after the departure
- After a certain period, deletion of the mailbox
The automatic response must remain active for an appropriate period of time (in principle 1 month). This period may be extended, depending on the context and on the degree of responsibility of the concerned person (but should not exceed 3 months in any case). It is warranted that this extension should occur with the person’s agreement or, at least, knowledge. After this period, the mailbox must be deleted, not kept.
Email forward: explicitly discouraged
A common practice is to forward the emails sent to the departing person to their former colleagues for a certain period. While this may meet legitimate purposes (i.e. allowing a smooth transition), the DPA disapproves of this method because there is no possibility of control on entering emails, and personal information of a potentially sensitive nature may be given without the consent not only of the departing person but also of the sender of the email (this is especially true if the is no automatic response).
Conclusion
This decision provides useful guidelines and insights for companies with regard to the handling of mailboxes (some of which were already given in Recommendation CM/Rec (2015)5 of the Committee of Ministers to member States of the Council of Europe on the processing of personal data in the context of employment).
One big takeaway is already that these guidelines apply to the handling of mailboxes of all data subjects, and not only to those working within the confines of an employment agreement.
Furthermore, it is important to note that the decision does not, however, go so far as to create an obligation for the concerned company to communicate the departing staff member’s new contact details (e.g. in an automatic response). This hence remains open for the parties to agree upon, and it is therefore all the more recommended that the company draft clear guidelines in that regard in its IT policy, which would be accepted at the start of the relationship.
Indeed, as the decision is very clear regarding the need for adequate internal policies with regard to mailboxes and their handling within the company, it is now more important than ever to create/update such policies and have them accepted in due form.
Please do not hesitate to contact us should you require further information, advice and/or assistance on the issues discussed in this note, or on any other matter in our expertise areas.