APD/GBA - 64/2020
APD/GBA - DOS-2019-02481
|Relevant Law:|Article 5(1) GDPR; Article 6 GDPR; Article 12(3) GDPR; Article 17(1)(a) GDPR|
|National Case Number/Name:|DOS-2019-02481|
|European Case Law Identifier:|n/a|
|Original Source:|Belgian Data Protection Authority (in FR)|
The Litigation Chamber of the APD/GBA (the Belgian DPA) published its position on how to manage mailboxes of former personnel. It fined a small company for keeping the professional e-mail address of its former CEO active and continuing to use it.
A family-run company dismissed its CEO, the son of the founder, in November 2016. Following this event, some other members of the founding family left the company. However, it appeared in March 2019 that many professional e-mail addresses of those family members were still in use, which led the former CEO to request a halt to the use of those e-mail addresses.
There had been a mediation attempt, where the First-Line Service of the APD/GBA acted as an intermediary to help resolve the issue. After the failure of the mediation attempt, the case was transferred to the Litigation Chamber, which requested an investigation by the Inspection Service.
- Should you forward e-mails to a new recipient, or display an automated response to say the person no longer works within your organization?
- Should the (former) member of personnel be permitted to review e-mails to collect or delete private ones, and if so, when?
- Under which circumstances is an organization allowed to access the professional mailbox of a member of personnel after his/her dismissal or departure?
In its report, the Inspection Service noted that certain e-mail addresses had remained active. It recommended that employers block the mailbox of a former employee as soon as possible and set, for a reasonable period of time (e.g. 1 month), an automatic message informing senders that the employee has left his position/the company. The mailbox should be deleted afterwards. The Litigation Chamber seems to have followed this position, stating that a controller (here, the employer) must block the mailbox of a person who has left his/her position "at the latest on the day of their actual departure".
The Litigation Chamber enumerates various additional requirements throughout its decision: [grouped together based on the analysis in the comment linked to below]
1. Prior to dismissal / departure (of the employee):
- IT policy: "the case of departure or dismissal and the consequences thereof should be dealt with in an internal policy relating to the use of IT resources". [likely also relevant for the other points below]
- The controller must distinguish personal from professional e-mails, thus allowing the person to "collect or delete his/her private electronic communications prior to his/her departure". Should some of the content of the mailbox need to be recovered for the proper functioning of the organisation, this must take place before the departure/dismissal of the employee and in his/her presence.
- Information on the blocking of the mailbox must be provided to the employee in advance [not explicit, but likely that the IT policy can help here too]
- An automatic response must be activated prior to the blocking of the mailbox. The response must:
  - indicate that the person no longer exercises his/her role in the organization; and
  - give contact details of the relevant person to contact instead.
- The controller must block the mailbox [i.e. make it unavailable], at the latest "on the day of their actual departure".
2. After dismissal / departure (of the employee):
- Maintain the automatic response for a "reasonable period", e.g. 1 month. The timeframe can be extended provided that:
  - the duration is no longer than 3 months (ideally);
  - a justification is given; and
  - the person is informed of this extension.
- Beyond the (maximum) timeframe for the automatic response, the mailbox must be deleted.
The Litigation Chamber also states that the legal ground for use of the e-mail address beyond termination of the relationship with the person can be its "legitimate interest in ensuring the good functioning of the organisation and the continuity of its work", although that disappears after the aforementioned maximum timeframe for the automatic response (3 months).
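The timeline above can be checked against a mailbox inventory during offboarding reviews. The following Python code is an added example, not part of the decision or of any APD/GBA guidance; the `Mailbox` record, its field names and the sample address are hypothetical, and "month" is read as a calendar month.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DEFAULT_MONTHS = 1  # "reasonable period" for the automatic response, e.g. 1 month
MAX_MONTHS = 3      # extended period, ideally no longer than 3 months

@dataclass
class Mailbox:  # hypothetical inventory record, not a real mail-server schema
    address: str
    departure: date
    blocked_on: Optional[date] = None
    auto_reply: bool = False
    deleted_on: Optional[date] = None
    extension_reason: str = ""      # justification for going beyond 1 month
    person_informed: bool = False   # former employee told about the extension

def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def deletion_deadline(mb: Mailbox) -> date:
    """1 month by default; 3 months only if the extension is justified and notified."""
    extended = bool(mb.extension_reason) and mb.person_informed
    return add_months(mb.departure, MAX_MONTHS if extended else DEFAULT_MONTHS)

def audit(mb: Mailbox, today: date) -> List[str]:
    """Return the requirements listed above that this mailbox does not meet."""
    if today < mb.departure:
        return []
    findings = []
    if mb.blocked_on is None or mb.blocked_on > mb.departure:
        findings.append("not blocked by departure day")
    if bool(mb.extension_reason) != mb.person_informed:
        findings.append("extension needs both a justification and notice")
    deadline = deletion_deadline(mb)
    if mb.deleted_on is None:
        if today > deadline:
            findings.append(f"not deleted by {deadline.isoformat()}")
        elif not mb.auto_reply:
            findings.append("automatic response missing")
    elif mb.deleted_on > deadline:
        findings.append(f"deleted after {deadline.isoformat()}")
    return findings

# Constructed sample resembling the case: departure in November 2016,
# address still live in March 2019 (the exact days are made up).
CASE = Mailbox("former.ceo@example.test", date(2016, 11, 30))
```

Running `audit(CASE, date(2019, 3, 31))` reports both the missing block and the overdue deletion.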
[The Litigation Chamber refers to principle 14.5 and recital 122 of the Council of Europe's Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment to illustrate how the principles of purpose limitation, data minimization and proportionate retention must be applied. That Recommendation states that the recovery of e-mails must take place before the departure of the employee and in his/her presence as well as blocking access to his/her mailbox after his/her departure.]
Outcome: a fine of 15.000 EUR was imposed on the company in question. It is a significant amount, given the small size of the company (13 people).
Other in-depth commentaries and analyses can be found here:
- What to do with ex-employee mailboxes? Belgian DPA fines post-dismissal use of e-mails (7 October 2020).
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.