APD/GBA (Belgium) - 64/2020: Difference between revisions

From GDPRhub
(The link to the fine was wrong.)
 
(3 intermediate revisions by 2 users not shown)
Line 7: Line 7:
|DPA_With_Country=APD/GBA (Belgium)
|DPA_With_Country=APD/GBA (Belgium)


|Case_Number_Name=DOS-2019-02481
|Case_Number_Name=64/2020
|ECLI=
|ECLI=


Line 90: Line 90:
*Maintain the automatic response for a "reasonable period", e.g. 1 month. The timeframe can be extended provided that:
*Maintain the automatic response for a "reasonable period", e.g. 1 month. The timeframe can be extended provided that:
**the duration is no longer than 3 months (ideally);
**the duration is no longer than 3 months (ideally);
**a justification is given; and
**a justification is given;  
**the person is informed of this extension.
**the person agreed to this or at least is informed of this extension; and
**an alternate solution must be sought, without waiting for the deadline to expire.
*Beyond the (maximum) timeframe for the automatic response, the mailbox must be deleted.
*Beyond the (maximum) timeframe for the automatic response, the mailbox must be deleted.
The Litigation Chamber is of the opinion that this working method is preferable to the automatic forwarding of e-mails to another e-mail address of the company as set up by the suspect. In the case of automatic transmission, a fortiori without informing the sender of the message, there is in fact no control over incoming or "in" e-mails. Moreover, in this case, potentially sensitive private information would be revealed without the knowledge of the person concerned. but also of the correspondent.


The Litigation Chamber also states that the legal ground for use of the e-mail address beyond termination of the relationship with the person can be its "legitimate interest in ensuring the good functioning of the organisation and the continuity of its work", although that disappears after the aforementioned maximum timeframe for the automatic response (3 months).
The Litigation Chamber also states that the legal ground for use of the e-mail address beyond termination of the relationship with the person can be its "legitimate interest in ensuring the good functioning of the organisation and the continuity of its work", although that disappears after the aforementioned maximum timeframe for the automatic response (3 months).

Latest revision as of 17:00, 12 December 2023

APD/GBA - 64/2020
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1) GDPR
Article 6 GDPR
Article 12(3) GDPR
Article 17(1)(a) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 29.09.2020
Published: 06.10.2020
Fine: 15000 EUR
Parties: n/a
National Case Number/Name: 64/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Belgian Data Protection Authority (in FR)
Initial Contributor: n/a

The Litigation Chamber of the Belgian DPA (APD/GBA) published its position on how to manage mailboxes of former personnel. It fined a small-sized company for keeping alive and continuing to use the professional e-mail address of its former CEO.

English Summary

Facts

A family-run company dismissed its CEO, the son of the founder, in November 2016. Following this event, some other members of the founding family left the company. However, it appeared in March 2019 that many professional e-mail addresses of those family members were still in use, which led the former CEO to request a halt to the use of those e-mail addresses.

There had been a mediation attempt, where the First-Line Service of the APD/GBA acted as an intermediary to help resolve the issue. After the failure of the mediation attempt, the case was transferred to the Litigation Chamber, which requested an investigation by the Inspection Service.

Dispute

  • Should you forward e-mails to a new recipient, or display an automated response to say the person no longer works within your organization?
  • Should the (former) member of personnel be permitted to review e-mails to collect or delete private ones, and if so, when?
  • Under which circumstances is an organization allowed to access the professional mailbox of a member of personnel after his/her dismissal or departure?

Holding

In its report, the Inspection Service noted that certain e-mail addresses had remained active and recommended for employers to block the mailbox of a former employee as soon as possible while inserting during a reasonable period of time (e.g. 1 month) an automatic message, informing future senders of the fact that the employee left his position/the company. The mailbox should afterwards be deleted. The Litigation Chamber seems to have followed this position, stating that a controller (here, the employer) must block the mailbox of a person who has left his/her position "at the latest on the day of their actual departure".

The Litigation Chamber enumerates various additional requirements throughout its decision: [grouped together based on the analysis in the comment linked to below]

1. Prior to dismissal / departure (of the employee) :

  • IT policy: "the case of departure or dismissal and the consequences thereof should be dealt with in an internal policy relating to the use of IT resources". [likely also relevant for the other points below]
  • The controller must distinguish personal from professional e-mails, thus allowing the person to "collect or delete his/her private electronic communications prior to his/her departure". Should some of the content of the mailbox need be recovered for the proper functioning of the organisation, this must take place before the departure/dismissal of the employee and in his/her presence.
  • Information on the blocking of the mailbox must be provided to the employee in advance [not explicit, but likely that the IT policy can help here too]
  • An automatic response must be activated prior to the blocking of the mailbox. Such response must :
    • indicate that the person no longer exercises his/her role in the organization; and
    • give contact details of the relevant person to contact instead.
  • The controller must block the mailbox [i.e. make it unavailable], at the latest "on the day of their actual departure".

2. After dismissal / departure (of the employee):

  • Maintain the automatic response for a "reasonable period", e.g. 1 month. The timeframe can be extended provided that:
    • the duration is no longer than 3 months (ideally);
    • a justification is given;
    • the person agreed to this or at least is informed of this extension; and
    • an alternate solution must be sought, without waiting for the deadline to expire.
  • Beyond the (maximum) timeframe for the automatic response, the mailbox must be deleted.

The Litigation Chamber is of the opinion that this working method is preferable to the automatic forwarding of e-mails to another e-mail address of the company as set up by the suspect. In the case of automatic transmission, a fortiori without informing the sender of the message, there is in fact no control over incoming or "in" e-mails. Moreover, in this case, potentially sensitive private information would be revealed without the knowledge of the person concerned. but also of the correspondent.

The Litigation Chamber also states that the legal ground for use of the e-mail address beyond termination of the relationship with the person can be its "legitimate interest in ensuring the good functioning of the organisation and the continuity of its work", although that disappears after the aforementioned maximum timeframe for the automatic response (3 months).

[The Litigation Chamber refers to principle 14.5 and recital 122 of the Council of Europe's Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment to illustrate how the principles of purpose limitation, data minimization and proportionate retention must be applied. That Recommendation states that the recovery of e-mails must take place before the departure of the employee and in his/her presence as well as blocking access to his/her mailbox after his/her departure.]

Outcome: a fine of 15.000 EUR was imposed on the company in question. It is a significant amount, given the small size of the company (13 people).

Comment

Other in-depth commentaries and analyses can be found here:

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.