By Claeys & Engels
The Belgian DPA has recently fined a company for delaying the closure of ex-employees’ email accounts.
The Belgian Data Protection Authority (DPA) recently decided to impose an administrative fine of EUR 15,000 on a company that only closed email addresses linked to employees (surname and first name) who had left the company after 2.5 years. According to the DPA, non-closure of these email addresses constitutes a violation of the fundamental principles of the GDPR, in particular the lawfulness, purpose limitation, data minimisation and the reasonable retention of personal data over time (storage limitation).
The former managing director of an SME (active in the medical sector and founded by his father) submitted a request for mediation to the DPA, since the SME had not responded to his explicit request to close the email addresses and associated email accounts linked to him, his wife, his brother and his father within seven days after his departure. It concerned email addresses with the surname and first name as well as email addresses with only the first name of the individuals mentioned above.
Mediation by the DPA First Line Service
After submitting his request, the DPA First Line Service intervened. Since the mediation did not achieve the desired result, the procedure was continued in the form of a complaint.
Investigation by the inspection service
In the framework of the investigation by the inspection service, two investigation reports were drawn up.
The first research report mentioned the fact that the three email addresses were still active 2.5 years after the individuals’ departures without informing the recipients of the emails that the three senders were no longer the users of the email addresses, which could give rise to the collection and potential use of personal data without the knowledge of the recipients.
The inspection service stated that it is appropriate for the employer to deactivate a former employee’s email account within the shortest period of time after an automatic message has been set up indicating for a reasonable period of time (a priori one month) that the employee is no longer employed. Ideally, the email account should be closed after this period. Under no circumstances may the departed employee's professional email address still be used.
The second research report mentioned the fact that the three email addresses could no longer be reached. The SME reported that the email accounts had already been deactivated on the date of departure of the individuals involved and emails were automatically forwarded to another company email address, as these individuals all had important functions within the SME and it did not want to lose important emails.
Decision of the Dispute Chamber of the DPA
The DPA stated that the SME has failed to comply with the principles of purpose limitation, lawfulness, data minimisation and storage limitation by not blocking the email addresses. According to the DPA, the fact that the SME had retained the email addresses in order not to lose important professional messages, given the functions of the departed individuals and the lack of transfer of ongoing files, did not constitute a sufficient reason to retain the email addresses.
In its decision, the DPA gave a number of clear guidelines for employers to follow when their employees leave:
- The controller should block ex-employees' email accounts at the latest at the time of their effective departure.
- The ex-employee must have been informed of this and there must be an automatic message informing the recipient that the person s/he was trying to contact has left the organisation.
- After a reasonable period of time (a priori one month), the mailbox and the automatic message must be deleted.
- The DPA notes that, taking into account the context and the level of responsibility of the ex-employee, a longer period for the automatic message can be foreseen, but ideally not longer than three months. This extension of the period should be justified and should be done in mutual agreement with the ex-employee. At a minimum, the ex-employee should be notified of the extension. Keeping the mailbox active for a limited period of time can be based on the legitimate interest of the organisation, in particular ensuring continuity of performance and proper functioning.
- Prior to deactivation, an employee who leaves and any third parties must be informed, in order to allow the employee to sort his private emails and forward them to his or her private email address prior to his or her actual departure.
- In order to avoid the organisation still needing to have access to the email account of the ex-employee after his or her departure, emails from the email account of the employee concerned that are essential to ensure the proper functioning of the company must be recovered before the employee’s departure and in his or her presence.
Taking into account the principle of accountability, it is up to the employer when employees leave to be able to demonstrate that the above steps were correctly followed.
Finally, the DPA emphasised the importance of a properly detailed procedure in the event of an employee's departure, which must be included in the company ICT Policy.
In its decision, the DPA clearly assumes that the mailbox of the ex-employees concerned could also be used for private correspondence. However, it is possible to prohibit the private use of a professional mailbox, provided that employees are given the possibility to consult a private mailbox (e.g., Gmail, Hotmail) online during the working day. Indeed, a Cybersurveillance recommendation of 2 May 2012 from the former Privacy Commission (which became the DPA) confirms that professional and private information should be separated as much as possible and that separate accounts can be used. In the event there is a clear separation between professional and private use, a less strict departure policy may therefore be envisaged.
In the Cybersurveillance recommendation of 2012 mentioned above, the former Privacy Commission already stressed the importance of operational rules in cases of absence (e.g., holidays, illness) and departure of an employee from the company. On the basis of this recommendation, limited access to the employee’s email account after his or her departure was still permitted, but the Privacy Commission recommended appointing a ‘confidential adviser’ for this purpose. However, based on this recent decision of the DPA, access to the email account after the employee's departure seems in principle to be no longer allowed.