When an employee leaves, whatever the reason for his departure, it is advisable to quickly close his mailbox according to precise conditions, otherwise he may be exposed to heavy sanctions, as the Belgian Data Protection Authority's Litigation Chamber reminds us...
In a decision of September 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority condemned a company that had kept the e-mail addresses of one of its former executives for more than two years.
The former director, who was dismissed immediately, had asked that his email addresses be closed because it created confusion and raised fears of illegal use of the emails found on this account or that arrived after his departure.
In fact, his email address with his name and another address with his initials were automatically redirected to a member of staff who had access to all old messages without any notice to the people who had sent messages.
The litigation chamber examines the file and in particular the elements evoked by the company to justify having kept the e-mail addresses open for such a long time.
Indeed, the company defends that, given the "abrupt" departure of the director, no transition could be organized, and that the maintenance of the addresses made it possible to ensure the resumption of the management of the company.
It also mentioned the risk of seeing important information lost and the fact that it needed certification and that a change of email address could have led to an interruption in its business.
In addition, she admitted that she thought the RGDP did not apply to the e-mail address consisting of the initials of the director.
In a well-reasoned decision, the Litigation Chamber recalls the applicable principles, namely:
1. an e-mail address is personal data, whether it includes the name or the initials;
2. the processing of this data must have a purpose (5.1 b) RGDP) which ends in any case at the end of the relationship;
3. this processing must also be lawful (6 RGDP), which is no longer the case after a short period of time after the end of the relationship;
4. this processing must be minimized (5.1 c)) and proportional to the purpose pursued;
5. therefore, an employee's e-mail address should be closed immediately, even if it can be tolerated as a "legitimate interest" for a short period of time of one month up to three months for a person with important responsibilities and still ideally with his or her agreement to a continuation beyond one month; and
6. on condition that third parties are informed and via an automatic message communicating in particular the departure but also the new contact details of the employee who has left.
It should also be noted that the Court reminds that the employee should have the possibility to retrieve all his private emails.
In this case, considering the (small) size of the company, and its answers but also the very long duration of maintenance or the absence of damage established by the manager, the Litigation Chamber addresses a reprimand to the company accompanied by an obligation of regularization and a fine of 15,000 euros.
There is no doubt that many companies, even reputable ones, would do well to take this decision into account because keeping an e-mail address open in violation of the provisions of the RGDP can be punished by a maximum fine of 20 million euros or 4% of turnover.
To good ears...