23/10/20

How to handle your ex-employees’ mailboxes? The Belgian Data Protection Authority provides guidelines and a EUR 15,000 fine

An employee is leaving a company. It happens all the time. But what do we do about their MS Outlook 365 account? The Litigation Chamber of the Belgian Data Protection Authority reminds us of the practical steps to follow with a named e-mail address after an employee has left/is dismissed. If you don’t make it clear whether and for how long their mailboxes will be kept, it can be very costly. Is it time to review your employee information security policy?

When someone is leaving your organisation, vast amounts of information are often left behind in their e-mail correspondence. For continuity purposes, your company may wish to deal with emails that continue to arrive at that address after the employee has left. But for how long can you retain the mailbox? Recently, the Belgian Data Protection Authority (“BDPA”) imposed a heavy fine on an SME for keeping it (way) too long.

What happened in the SME case?

The plaintiff was the CEO of an SME (13 FTE) in the medical device sector, who had been removed from that position in November 2016. As CEO, he played a key role in the company created by his father with respect to its general operation and its commercial, regulatory and management aspects. The plaintiff's role in the company was terminated abruptly and without agreement. By registered letter of 26 March 2019, the plaintiff asked the defendant to stop using his named e-mail address, without success.

The analysis of the BDPA’s Inspection Service showed that, despite the departure of the CEO and other members from the company, the named e-mail addresses were only deleted 2.5 years after his departure. The mailboxes were maintained without notifying the senders that the employees were no longer users of those e-mail addresses. The Litigation Chamber considered such practice to be a breach of the founding principles of the GDPR (violation of the lawfulness principle, purpose limitation, data minimisation and data retention). It therefore imposed a fine of EUR 15,000.

As an employer, what are the practical steps I should take to avoid such a fine?

By taking proactive steps during the employment relationship and acting quickly when an employee departs, you can reduce the risk of a fine as follows:

During the employment relationship

  • Establish a clear and transparent IT policy regarding the management of mailboxes upon the departure of an employee. This IT policy should explain, among other things, how to sort private and professional messages, and the consequences in the event of resignation or dismissal; and should include the information below.
  • Before the departure, allow your employee to collect or delete his/her private emails, where appropriate under the supervision of the employer. Likewise, if part of the content of his/her email account must be retrieved for business continuity purposes, this must be done before his/her departure and in his/her presence. In the event of a disputed situation, see below.

On termination day

  • Block the mailbox of the employee “at the latest on the day of their actual departure” (if termination takes immediate effect, during the meeting at which the termination is notified).
  • Inform your employee about the mailbox blocking (e.g. via the IT policy or an e-mail).
  • Add an automatic message in the mailbox for subsequent correspondents. This message should (i) explain that the employee is no longer performing his/her duties within the company; (ii) give the date of when the mailbox was blocked; and (iii) provide alternative contact details of the person (or a generic e-mail address) for a reasonable period (see below).
  • Do not create a rule in MS Outlook to automatically forward e-mails of your (former) employee to another e-mail address of the company. The Litigation Chamber considers that there is no control over incoming or “in” e-mails. Moreover, in this case, potentially sensitive private information could be disclosed without the knowledge of either the person concerned or the sender.

After the departure

  • Delete the mailbox once the timeframe for the automatic response has run out (one to three months; see below).

How long can I keep the automatic message in the mailbox for subsequent correspondents?

A reasonable period. According to the Litigation Chamber: one month.

However, depending on the context and, in particular, on the degree of responsibility exercised by the person concerned (e.g. executive-level managers), a longer period may be allowed, ideally not exceeding three months. Note that this extension must be (i) justified (documented), and (ii) with the agreement of the person concerned or, at least, after having informed him/her of the extension. 
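The termination-day steps and the one-to-three-month auto-reply window above can be applied to an Exchange Online (MS 365) mailbox in one script. The following is an added example, not code from the article or the BDPA, and it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and already connected (Connect-ExchangeOnline, Connect-MgGraph); the addresses, the CSV path and the wording of the auto-reply are placeholders.

```powershell
# Added example (not from the article): offboard a leaver's Exchange Online mailbox
# the way the BDPA guidance describes: block, remove forwarding, time-limited
# auto-reply, record the deletion date. Assumes an existing EXO + Graph session.
param(
    [Parameter(Mandatory)] [string] $Leaver,    # placeholder, e.g. jane.doe@example.com
    [Parameter(Mandatory)] [string] $Contact,   # successor or generic address, e.g. sales@example.com
    [ValidateRange(1, 3)] [int] $Months = 1,    # one month by default; up to three only if justified
    [string] $Justification                     # must be given when $Months is greater than 1
)

# The article requires any extension beyond one month to be documented.
if ($Months -gt 1 -and -not $Justification) {
    throw "An auto-reply window longer than one month must be justified and documented."
}

$blocked = Get-Date
$end     = $blocked.AddMonths($Months)

# 1. Block the account on the day of departure so nobody can sign in to the mailbox.
Update-MgUser -UserId $Leaver -AccountEnabled:$false

# 2. Remove mailbox-level forwarding and any inbox rule that forwards or redirects:
#    forwarded mail escapes the control the Litigation Chamber expects.
Set-Mailbox -Identity $Leaver -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Leaver |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

# 3. Auto-reply that says the person has left, gives the blocking date and an
#    alternative contact, and is scheduled to stop by itself at the end of the window.
$text = "This person no longer performs duties within the company. " +
        "The mailbox was blocked on $($blocked.ToString('yyyy-MM-dd')) and is not read. " +
        "Please contact $Contact."
Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Scheduled `
    -StartTime $blocked -EndTime $end -ExternalAudience All `
    -InternalMessage $text -ExternalMessage $text

# 4. Record when the mailbox must be deleted (and why the window was extended, if it was),
#    so the deletion step after the window is tracked rather than forgotten for years.
[pscustomobject]@{
    Mailbox       = $Leaver
    BlockedOn     = $blocked.ToString('yyyy-MM-dd')
    DeleteAfter   = $end.ToString('yyyy-MM-dd')
    Justification = $Justification
} | Export-Csv -Path .\offboarding-log.csv -Append -NoTypeInformation
```

The CSV doubles as the evidence the final section recommends keeping; the actual mailbox deletion on the DeleteAfter date is a separate, deliberate step rather than something this script performs.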

What to do in the event of disagreement (dispute)?

In order to avoid any dispute, it is strongly recommended that you enter into a settlement agreement with the employee and dedicate an article to this topic. If such an agreement is not possible, we suggest keeping evidence that your company has followed the above guidelines in case of any court action. 

Thomas Dubuisson, Associate, Brussels

Bertrand Simonart, Associate, Brussels