What happens to your e-mails when you (voluntarily or involuntarily) leave your job?
In its decision of September 29, 2020, the Belgian Data Protection Authority (BDPA) examined the complaint of a managing director who found fault with the undertaking that employed him for failing to shut down his e-mail address after leaving the company.
The BDPA considered that, in order to comply with the various applicable principles of the European General Data Protection Regulation (GDPR), the company concerned should have (i) blocked his e-mail no later than the day of effective departure, (ii) after having warned the person concerned in advance, and (iii) after having had an automatic message inserted. This automatic message should have warned any subsequent correspondent of the fact that the person concerned no longer performs his duties within the company. It should have provided the contact details of the person (or the generic email address) that one should henceforth contact and this, for a "reasonable" period of time, a priori 1 month. A longer period (not exceeding in principle 3 months) could nevertheless be justified depending on the context and, in particular, the degree of responsibility exercised by the person concerned, provided that the latter has given his agreement to this extension, or (at the very least) that he or she was informed.
The BDPA considers that the e-mail of the person concerned should be deleted at the end of this period.
This way of proceeding is preferred by the authority over the practice of automatically forwarding emails to another company email address because, in the latter case, there is no control over incoming e-mails. Hence, potentially sensitive private information could be disclosed without the knowledge not only of the data subject but also of the correspondent. In addition, blocking an e-mail should not be made conditional on a written request from the person concerned.
In conclusion, the BDPA insists that the scenario of resignation or dismissal (or any other form of cessation of activity) and its consequences should be properly documented in an internal company policy on the use of IT tools. In this case, as there were several e-mail addresses concerned and these were not deleted until two and a half, or even three years, after the cessation of the data subject's activities with the company, the BDPA considered that the latter had committed several breaches of the GDPR, which justified not only a reprimand but also an administrative fine of 15,000 euro. The obligation for the company to warn the person concerned of the blocking of his or her electronic mail is also intended to allow the data subject to sort out and transfer any private messages to his or her personal mailbox.
The BDPA reasons that "in the same way as it must be left to the person concerned to take back his or her personal effects, he or she should be left to resume or delete his or her private electronic communications before his or her departure."
Likewise, again according to the BDPA, if part of the content of the mailbox must be recovered to ensure the smooth running of the business, this must be done before the data subject's departure and in his or her presence. In the event of a contentious situation, the intervention of a "trusted person" is recommended.