The Belgian Data Protection Authority (DPA) recently decided to impose an administrative fine of EUR 15,000 on a company that closed the email addresses (surname and first name) of employees who had left the company only 2.5 years after their departure. According to the DPA, failing to close these email addresses constitutes a violation of the fundamental principles of the GDPR, in particular lawfulness, purpose limitation, data minimisation and the reasonable retention of personal data over time (storage limitation).
Facts
The former managing director of an SME (active in the medical sector and founded by his father) submitted a request for mediation to the DPA, since the SME had not responded to his explicit request to close the email addresses and associated email accounts linked to him, his wife, his brother and his father within seven days after his departure. It concerned email addresses with the surname and first name as well as email addresses with only the first name of the individuals mentioned above.
Mediation by the DPA First Line Service
After the request was submitted, the DPA First Line Service intervened. Since the mediation did not achieve the desired result, the procedure was continued in the form of a complaint.
Investigation by the inspection service
In the framework of the investigation by the inspection service, two investigation reports were drawn up.
The first investigation report noted that the three email addresses were still active 2.5 years after the individuals’ departures, and that recipients of emails were not informed that the three senders were no longer the users of the email addresses. This could give rise to the collection and potential use of personal data without the knowledge of the recipients.
The inspection service stated that the employer should deactivate a former employee’s email account as soon as possible after departure, having first set up an automatic message that, for a reasonable period (a priori one month), informs senders that the employee is no longer employed. Ideally, the email account should be closed once this period has elapsed. Under no circumstances may the departed employee’s professional email address still be used.
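The procedure the inspection service describes (notice period, then closure, and no continued use of the address) can be checked mechanically against a directory export. The following is an added example written for this page, not code from the DPA or the company involved: it assumes a hypothetical MailboxRecord snapshot per departed employee (field names are ours, to be mapped from the mail system in use), reads "a priori one month" as 30 days, and reports each mailbox that is still open after the notice period, lacks the automatic notice, or forwards mail elsewhere. The sample records are constructed and mirror the facts of the case only loosely.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy parameter: the automatic notice runs for about one month
# ("a priori one month" in the inspection service's wording), after which
# the mailbox should be closed. 30 days is our reading of that figure.
AUTO_REPLY_DAYS = 30


@dataclass(frozen=True)
class MailboxRecord:
    """Snapshot of a departed employee's mailbox as the directory reports it.
    Field names are hypothetical; map them from your own mail system."""
    address: str
    departure: date
    closed: bool                   # account disabled, no longer accepting mail
    auto_reply_active: bool        # automatic notice telling senders the person has left
    forwarding_to: Optional[str]   # another mailbox receiving this address's mail, if any


def audit_mailbox(rec: MailboxRecord, today: date) -> list[str]:
    """Return the findings for one mailbox; an empty list means it follows the procedure."""
    days_gone = (today - rec.departure).days
    findings: list[str] = []
    if days_gone < 0:
        return findings  # not yet departed, nothing to check
    if rec.closed:
        return findings  # closed mailbox: no further collection of personal data
    # The mailbox is still open, so each remaining rule applies.
    if days_gone > AUTO_REPLY_DAYS:
        findings.append(
            f"{rec.address}: still open {days_gone} days after departure; "
            f"should have been closed after the {AUTO_REPLY_DAYS}-day notice period")
    if not rec.auto_reply_active:
        findings.append(
            f"{rec.address}: no automatic notice informs senders that the person has left")
    if rec.forwarding_to:
        findings.append(
            f"{rec.address}: mail is forwarded to {rec.forwarding_to}; "
            "that is continued use of a departed employee's address")
    return findings


def audit_all(records: list[MailboxRecord], today: date) -> dict[str, list[str]]:
    """Audit every record and key the findings by address."""
    return {r.address: audit_mailbox(r, today) for r in records}


# Constructed sample data (fictitious addresses, not the company's real ones).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    # Two address forms (surname+first name, first name only) of someone who left
    # 2.5 years ago; both still open and forwarded, as in the case described.
    MailboxRecord("jan.peeters@example.com", date(2021, 12, 1), False, False, "info@example.com"),
    MailboxRecord("jan@example.com", date(2021, 12, 1), False, False, "info@example.com"),
    # Left 17 days ago, automatic notice in place, no forwarding: within the procedure.
    MailboxRecord("an.janssens@example.com", date(2024, 5, 15), False, True, None),
    # Already closed: nothing left to check.
    MailboxRecord("old.account@example.com", date(2023, 1, 10), True, False, None),
]

if __name__ == "__main__":
    for addr, findings in audit_all(SAMPLE_RECORDS, SAMPLE_TODAY).items():
        print(addr, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a directory export on the employee's last day and again at the end of the notice period; the second run is the evidence of closure that the accountability principle asks the employer to be able to produce.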
The second investigation report noted that the three email addresses could no longer be reached. The SME reported that the email accounts had already been deactivated on the date of departure of the individuals involved and that emails were automatically forwarded to another company email address, as these individuals all had important functions within the SME and it did not want to lose important emails.
Decision of the Dispute Chamber of the DPA
The DPA stated that the SME had failed to comply with the principles of purpose limitation, lawfulness, data minimisation and storage limitation by not blocking the email addresses. According to the DPA, the fact that the SME had retained the email addresses in order not to lose important professional messages, given the functions of the departed individuals and the lack of transfer of ongoing files, did not constitute a sufficient reason to retain them.
In its decision, the DPA gave a number of clear guidelines for employers to follow when their employees leave:
Taking into account the principle of accountability, it is up to the employer when employees leave to be able to demonstrate that the above steps were correctly followed.
Finally, the DPA emphasised the importance of a properly detailed procedure in the event of an employee’s departure, which must be included in the company ICT Policy.
In its decision, the DPA clearly assumes that the mailboxes of the ex-employees concerned could also have been used for private correspondence. However, it is possible to prohibit the private use of a professional mailbox, provided that employees are given the possibility to consult a private mailbox (e.g., Gmail, Hotmail) online during the working day. Indeed, the Cybersurveillance recommendation of 2 May 2012 from the former Privacy Commission (which became the DPA) confirms that professional and private information should be separated as much as possible and that separate accounts can be used. Where there is a clear separation between professional and private use, a less strict departure policy may therefore be envisaged.
In the Cybersurveillance recommendation of 2012 mentioned above, the former Privacy Commission already stressed the importance of operational rules in cases of absence (e.g., holidays, illness) and departure of an employee from the company. On the basis of this recommendation, limited access to the employee’s email account after his or her departure was still permitted, but the Privacy Commission recommended appointing a ‘confidential adviser’ for this purpose. However, based on this recent decision of the DPA, access to the email account after the employee’s departure seems in principle to be no longer allowed.