Data Protection-Compliant Handling of Employee Emails in the Context of a Decision Made by the Belgian Data Protection Authority
I. INTRODUCTION
A critical topic that has been addressed in case law is the forwarding of emails from departing employees. It raises the following question: when an individual who has access to a company mailbox, whether an employee, manager, director, or consultant, leaves the company, what is the proper protocol for managing their mailbox? This analysis assesses the matter in the context of the General Data Protection Regulation (GDPR) and the authority's decision.
II. GDPR AND A DECISION OF THE BELGIAN DATA PROTECTION AUTHORITY[1]
The Belgian Data Protection Authority’s ruling on the matter sanctioned the inadequate handling of the case. In addition, the Authority established guidelines for future cases by answering the following questions[2]:
“1. Is it legitimate for the company to utilize or peruse the electronic mail correspondence of the departing employee? 2. Ought the company transfer electronic mail messages or set up an automatic response? In the affirmative, for what duration? 3. Is the departing employee entitled to collect or delete personal emails?”
With regard to the ruling issued, the following details are particularly noteworthy. First and foremost, the mailboxes should have been closed. The email addresses were created for professional purposes, to allow their holders to send and receive emails as part of their work for the company. According to the Belgian DPA, these addresses should have been closed by the day of the employee’s effective departure from the company. The second point raised was access to the complainant’s mailbox. Although it may be legitimate for the company to access the mailbox and retain copies of some emails from the departing employee, such access can only take place with the holder present. At this point, the relevant articles of the General Data Protection Regulation should be given careful consideration[3]:
“Article 5.1 b) purpose limitation in combination with Articles,
Article 5.1 c) data minimization and e) storage limitation,
Article 6 lawfulness of processing,
Article 17.1 a) right to erasure.”
The Litigation Chamber found violations of the GDPR articles listed above. Consequently, a fine of 15.000,00 EUR was imposed on the company.
What alternative courses of action are available? To begin with, the IT / privacy policy should be adapted immediately. Clear procedures for handling the mailbox and its contents upon departure should be defined and communicated to all personnel. For this purpose, personal items in the mailbox shall be collected or sorted out prior to the departure. According to the Belgian DPA, an employee must be allowed to retrieve their personal belongings and must be permitted to gather and/or remove personal electronic communications before leaving. If the employer needs to recover any items from the departing employee’s account for business-related purposes, it is advisable to do so prior to their departure and in their presence[4]. Furthermore, the company must notify the departing employee that the mailbox will be closed and deleted after a reasonable period. The closing (making it unavailable) must occur at the latest on the day of the employee’s effective departure. When all this is considered, email forwarding is not explicitly discouraged. It is customary to forward emails sent to the departing individual to their former colleagues for a specified time. Although this may serve legitimate objectives, the DPA disapproves of this technique because there is no way to control incoming emails, and potentially sensitive personal information may be disclosed without the consent of both the departing person and the sender of the email (this is especially true if there is no automatic response).
III. CONCLUSION
In summary, an employer may have an overriding interest in forwarding emails after the employee has left the company. Nevertheless, if a dispute arises, this interest will be examined and weighed against the interests of the employee. Therefore, employers should assess the need for forwarding in advance and communicate such measures to their employees transparently. Ultimately, email forwarding is not explicitly discouraged. The judiciary criticizes this practice because it is impossible to control incoming emails and confidential personal information may be disclosed without the consent of both the departing person and the email’s sender.
[1] Decision 64/2020 of September 29, 2020 https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n-64-2020.pdf, date of access: 25.03.2023.
[2] The incident at the centre of the decision can be summarized as follows: The case presented to the Litigation Chamber concerned the resignation of the Chief Executive Officer of a company that was once family-owned (upon immediate termination). A number of email addresses of the former CEO and other family members who had previously worked for the company were still accessible to the company (for a long time). The former CEO also claims and proves that a company employee gained access to his old mailbox.
[3] Personal data, as defined by the GDPR, is any information relating to an identified or identifiable natural person, which includes employee emails.
[4] In this regard, the European Data Protection Authority advises: https://edps.europa.eu/data-protection/dataprotection/reference-library/access-ecommunications-data-when-employee-absent_en, date of access: 25.03.2023.