07/10/20

What to do with ex-employee mailboxes?

Belgian DPA fines post-dismissal use of e-mails

When a person leaves your organisation, how should you handle e-mail sent to their professional e-mail address? In a decision of 29 September published yesterday, the Belgian Data Protection Authority (BDPA) has taken a very practical and strict stance on how to manage mailboxes of former personnel (in this case: the former CEO) – and chances are, many organisations will have to rethink their processes as a result.

This new decision by the BDPA covers questions such as:

Should you forward e-mails to a new recipient, or display an automated response to say the person no longer works within your organisation?
Should the (former) member of personnel be permitted to review e-mails to collect or delete private ones, and if so, when?
Under which circumstances is an organisation allowed to access the professional mailbox of a member of personnel after dismissal or departure?

The decision is not without criticism and contains assertions that could be disputed – but at least it offers clarity on the BDPA's position.

A. The facts and procedure

In the case examined by the BDPA, the organisation in question was once a family-run company. The company abruptly dismissed its CEO, the son of the founder, in November 2016, after which some other members of the founding family appear to have left the company. In March 2019, however, many professional e-mail addresses of those family members (in the format firstname@company.com) were still in use. As a result, the former CEO demanded a halt to the use of those e-mail addresses.

After a failed mediation attempt, the BDPA's First-Line Service transferred the case over to the Litigation Chamber, which in turn requested an investigation by the Inspection Service.

[Did you know? Not every request by a data subject to the BDPA is a "complaint"; instead, data subjects can choose to request a "mediation", where the BDPA's First-Line Service acts as an intermediary, trying to see whether its intervention can help resolve certain data protection issues. If a mediation attempt fails, the First-Line Service transforms the mediation request into a complaint, which then gets handled by the BDPA's Litigation Chamber. In turn, if the Litigation Chamber considers that an investigation is required before the parties are invited to file submissions in adversarial proceedings, it can request the intervention of the Inspection Service. That is what happened in this case.]

After the Inspection Service noted that certain e-mail addresses remained active, the company closed those mailboxes but stated that "at the time of departure of the individuals in question, these mailboxes had already been deactivated with the creation of a redirection for the simple purpose of not losing important e-mails of [various third parties], as these individuals held key positions (Manager, Quality Manager, …)" in the company.

In its report, the Inspection Service set out its own position:

"[…] it is recommended for employers to block the mailbox of an employee who has left his position as soon as possible and after inserting an automatic message informing all future senders of the fact that the employee has left his position, and this during a reasonable period of time (typically 1 month). Beyond this time, the mailbox will ideally be deleted. Under no circumstances can the professional e-mail address in the name of a former employee be used. The fact that these mailboxes still exist without any notification to senders for these three recipients that these individuals are no longer the users of these e-mail addresses is moreover of a nature to enable the potential collection and use of personal data without the knowledge of the senders."

B. The Litigation Chamber's decision

The Litigation Chamber – which took its decision after the rest of the procedure was followed – appears to have taken note of this recommendation of the Inspection Service. It states that due to the principles of purpose limitation, data minimisation and storage limitation, any controller must block the mailbox of a person who has left his/her position – and must do so "at the latest on the day of their actual departure".

It sets out various additional requirements throughout its decision, which we have tried to group together based on actions and timing:

1. Prior to dismissal / departure:
a. Have an IT policy that covers all of the elements hereunder

The litigation Chamber states explicitly that "the case of departure or dismissal and the consequences thereof should be dealt with in an internal policy relating to the use of IT resources". While this quote specifically relates to the sorting of private and professional e-mails (see below), it is important to have an IT policy covering all the points set out hereunder, as it can also be an imporant means of informing data subjects of all aspects of the process.

b. Sort private & professional e-mails

Before a person leaves an organisation, "[i]n the same way that the person in question must be allowed to collect his/her personal belongings, he/she must also be allowed to collect or delete his/her private electronic communications prior to his/her departure".

Similarly, "if a part of the content of the mailbox must be recovered to ensure the good functioning of the organisation […] this must take place before his/her departure and in his/her presence", and in case of any dispute, "the intervention of a trusted person is recommended". Interestingly, in a footnote, the Litigation Chamber refers to guidance offered by its predecessor, the Belgian Privacy Commission. However, this guidance is no longer available online since the BDPA changed its website in July 2020 – suggesting that no one within the Litigation Chamber has looked at that footnote since the website was adapted.

c. Provide information on the blocking of the mailbox

Prior to the blocking of the mailbox, the person in question must be informed thereof. The decision does not explicitly state if this information can be provided through an IT policy, but it does appear to be an implicit possibility.

d. Activate an automatic response

Prior to the blocking of the mailbox, the organisation must activate an automatic response, which must (i) indicate that the person in question no longer exercises his/her role in the organisation and (ii) inform senders of the contact details of the person (or generic e-mail address) to contact instead.

The Litigation Chamber states that this is preferable to a simple forwarding of e-mails because in the case of mere forwarding, senders are not informed and moreover the new recipient might become aware of potentially sensitive private information without the knowledge of either the sender or the person in question. 

Duration: see below ("After dismissal/departure").

e. Block the mailbox

"[A]t the latest on the day of their actual departure", block the mailbox of the person in question – i.e. make it unavailable.

2. After dismissal / departure:
a. Maintain the automatic response for a limited time

The automatic response must be active during a "reasonable period (typically 1 month)". That timeframe can be extended depending on the context and the "degree of responsibility" of the person in question, provided that (i) the duration is "ideally" no longer than 3 months, (ii) a justification is provided for the extension and (iii) the person must at least be informed of this extension (though the Litigation Chamber would clearly prefer it if the person agrees to the extension and is not just informed thereof).

b. Delete the mailbox 

Once the (maximum) timeframe for the automatic response has run out, the mailbox "must be deleted". 

In support of these requirements, the Litigation Chamber quotes principle 14.5 and recital 122 of the Council of Europe's Recommendation CM/Rec(2015)5 of the Committee of Ministers to member States on the processing of personal data in the context of employment (which notably advocates recovering business-relevant e-mails prior to the departure of the employee in question and ideally in his/her presence, but also blocking of access after departure), stating that this recommendation "illustrates the way in which the principles of purpose limitation, data minimisation and proportionate retention […] must be applied".

Finally, the Litigation Chamber states that the legal ground for the continued use of the e-mail address could be the organisation's "legitimate interest in ensuring the good functioning of the organisation and the continuity of its work" . However, beyond the maximum timeframe it sets out for the automatic response, "no legal ground allows the processing to continue".

In this particular case, the Litigation Chamber imposed a fine of 15.000 EUR on the company in question – likely a significant amount given the small size of the company (13 people work for the company).

C. Closing comments

The decision, available in French, is not without its faults. Its many assertions are prescriptive and limit organisations' freedom, but they appear to be rapid conclusions on the precise implications of the data protection principles. Certain comments are made on the basis of recommendations that are not statutory law, and it is sometimes unclear whether a "must" was intended to be "should" – or vice-versa.

Still, this decision (and the amount of the fine relative to the organisation's size) will serve as an important reminder that well thought-out, properly documented and strictly observed procedures can be of great support in matters of compliance. If you are unsure of whether your approach meets the BDPA's expectations, do feel free to reach out – it's best to check in advance rather than await a data subject complaint (or mediation request).

dotted_texture