As an employer, how do you handle ex-employees' mailboxes?

When an employee leaves the employer's organisation, the employer naturally wants to ensure continuity of service by making sure that emails sent by third parties to the ex-employee's account do not go without follow-up. As a data controller, the employer must be able to prove retrospectively that the General Data Protection Regulation (GDPR) was complied with in the process.

The data protection authority (GBA) has delineated the rules on retention, access and use of ex-employees' email accounts in a few decisions (64/2020 of 29 September 2020, 126/2021 of 19 November 2021, 133/2021 of 2 December 2021, GBA 135/2023 of 21 September 2023).

Employers who want to act in line with that advice should proceed as follows when closing the mailbox:

  1. Provide a clear email policy and privacy statement for all employees so that the way of working is known in advance by all employees.

  2. If possible, anticipate the departure by requiring the employee (where desirable) to mention in the email signature, some time before termination of employment, that he or she will soon leave the employer, with instructions to send emails to another account from a certain date. This reduces the number of messages that may be subject to discussion later.

  3. Block the email address and email account no later than the last day of employment and instruct the departing employee to set up an out-of-office message with prescribed content, asking the sender to send the email message to another (active) email address.

    If the employee does not or cannot take this action personally (e.g. in the case of a departure for an urgent reason or medical force majeure), the employer takes this action itself and informs the employee accordingly.

  4. The period of retention of the closed email address, linked to the sending of the out-of-office message, is in principle one month. According to the GBA, that period can be longer provided it can be justified (e.g. commercial function, board member). Until now, the GBA has accepted extensions up to a maximum of 3 months.

  5. Emails arriving at the closed email address after the employee's departure should not be read. Indeed, if the sender wanted a follow-up, the sender would have re-sent the message to another, active email address, in line with the instructions of the out-of-office message. Furthermore, of course, no more emails should be sent from this closed email address during that period.

Employers who want to act in line with this advice should proceed as follows when consulting the closed email account after the employee's departure (this procedure assumes that the employer has a valid email policy):

  1. The closed email account with the messages stored therein shall be locked and kept in a secure manner. Only a limited circle of designated persons obtains the authority to consult and process the stored messages if necessary.

  2. The designated persons will only consult the saved email account if there is a legitimate reason to do so, e.g. for the follow-up of specific files.

  3. When searching the retained email account, proportionate action is taken, e.g. by using relevant search terms.

  4. The closed email account and the messages stored in it will not be kept longer than necessary in light of the purpose. E.g. if a company provides a 3-year warranty on its products, the retention period of an ex-seller's email account for that period may be justified.

When is a professional email address and/or account personal data?

The distinction between an email address and email account may be important. Briefly, the distinction:

  • An email address is the address linked to a particular email account. Emails sent to an email address end up in the email account linked to it.

  • An email account can be compared to a physical mailbox. This is the mailbox in which emails sent to a specific email address linked to that account arrive and are kept for a certain period of time. Several email addresses can be linked to the same email account. In that case, emails sent to any of those email addresses arrive in the same email account/mailbox.

We distinguish two types of professional email addresses:

  • First, there are professional email accounts to which an email address is attached that contains an employee's first and/or last name, e.g. JohnJohnson@firm.be. This is a so-called "nominative" email account. Both the email account and the email address are then personal data covered by the GDPR.

  • Second, there are "functional" professional email accounts to which an email address is attached that contains the name of the employer's department or service but not an employee's name, e.g. customerservice@company.be.

In a recent ruling, the Disputes Chamber of the GBA (40/2023 of 3 April 2023) clarified in which case such a functional email account is nevertheless personal data. Two situations can be distinguished:

  • If the email account is used by only one employee, who also signs the emails with his/her own name, third parties may (indirectly) identify the employee behind the email account. In that case, the email account is "personal data" within the meaning of the GDPR.

  • This situation is distinct from the functional email account used by multiple employees. In that case, the employees are not individually identifiable and it is not personal data.

Professional email addresses and email accounts are therefore usually personal data and the employer will therefore have to take into account the various obligations imposed by the GDPR. Below, we go over the main principles involved.

Key GDPR principles

Failure to close an ex-employee's email address and email account can create problems with regard to several GDPR principles. The main principles in this regard are:

  • Lawfulness and purpose limitation (Art. 6 and 5.1.b GDPR) means that data may only be processed and collected for a well-defined, explicit and legitimate purpose. The organisation may not suddenly use the data for any other purpose.

  • Data minimisation (Art. 5.1.c GDPR) means that only data may be processed that is sufficient, relevant and limited to what is strictly necessary with regard to the purpose. The principle is always "need to know" and not "nice to know".

  • In addition, the data must not be kept longer than necessary with regard to the purposes for which they are processed (Art. 5.1.e GDPR).

Applying these principles in practice: closing an email address and an email account

When an email address or an email account falls under the description "personal data" (see above), the employer may in principle not leave the email address and email account active as soon as the employee concerned has left the organisation.

When the employment contract with an employee ends, the employer can no longer rely on the legal basis that it is 'necessary for the performance of the employment contract' to keep that ex-employee's email account active. After all, once the cooperation has ended, there is no longer a contract. The employer can, however, invoke its 'legitimate interest', in particular the proper functioning of the organisation and continuity of communication with third parties, to keep an employee's email account active for a limited time after departure.

On this legal basis, the GBA allows keeping the email account (including sending the automatic message) active on a limited basis for a reasonable period of, in principle, 1 month. No later than the expiry of that period, the email account, including the automatic message, must be deleted.

However, this 1-month period can be nuanced. Depending on the context and the degree of responsibility the ex-employee exercised within the company, a longer period may be allowed. To date, the GBA has already accepted keeping an email account active for a limited period of up to 3 months (especially in the case of a former managing director within a family company).

It is thus recommended to keep the email account active, in limited form, for only 1 month. In case the ex-employee held a high position within the organisation, an extension of the term is possible, with a maximum of 3 months.

If the organisation decides to keep the email account active for longer than initially planned, the ex-employee should be informed about the extension in advance.

Specifically, the employer may still keep the email account partially active provided the sender of messages to this email account receives an automatic message. In doing so, the correspondent learns that the person no longer holds his position within the organisation and that the message sent will therefore not be read. The out-of-office message clarifies to which email address the sender must resend the message if the sender wishes his message to be read and acted upon.

In doing so, an employer may not act clandestinely. In principle, the employer must inform the employee leaving the organisation in advance that the email account will remain partially active that way. A well-developed email policy already contains this information, so that no discussion can arise about it. In the absence of such a policy, the employee should be informed individually.

Finally, we mention that the partial closure of the email account, with the establishment of an out-of-office message, must be done no later than the last day of the employee's employment.

Knowledge of the contents of the closed email account

Separate from the cases on the limited retention of an employee's email account after leaving the employer, the content of the email account is of course also important. The GBA takes a strict stance on this.

In a remarkable decision by the GBA's Disputes Chamber (decision No 64/2020 of 29 September 2020), the GBA takes the salient position that, just as an employee should be able to take back his or her personal belongings upon termination of the employment relationship, the individual should also be able to take back or erase his or her personal private electronic communications before departure. Thus, in this opinion, the GBA recommends employers to go through the email account together before the employee's departure, recovering emails relevant to the proper functioning of the employer before the employee's departure and in his presence. This seems like the world upside down.

However, in the same opinion, the GBA also refers to an earlier GBA opinion, from 2012, on the possibility for employers to issue instructions to employees regarding the use of the employer's ICT infrastructure and email account. In that opinion, the GBA already confirmed that an employer is free to restrict the internet and email use of its employees, by introducing an internet and email policy according to the terms of national collective bargaining agreement No 81.

Thus, if an employer has a good email policy, the employer is in control of the situation. A good email policy stipulates that the professional email account is for professional purposes only. Professional emails must be kept in a technically secure manner and in such a way that only authorised people can access them. Consulting a professional email always presupposes a legitimate purpose. Finally, retention periods must also be provided for. Proportionality and transparency are key concepts here.

Thus, an organisation that has such an email policy may assume that the professional email account contains only professional emails.

Evidently, reasonableness must then still be applied: if messages are nevertheless stored in the email account that manifestly have no professional connotation (e.g. because their sender is clearly a partner or family member), the employer must still refrain from reading them.

When an email account containing professional emails is closed, due to the departure of an employee, the organisation can continue to process the stored emails, but even then the basic principles of the GDPR must continue to be respected, as professional emails also contain personal data of the ex-employee. To act in line with the GDPR, the employer should act as follows:

  1. The closed email account with the messages stored therein shall be locked and kept in a secure manner. Only a limited circle of designated persons obtains the authority to consult and process the stored messages if necessary.

  2. The designated persons may only consult the saved email account if there is a legitimate reason to do so, e.g. for the follow-up of specific files.

  3. When searching the retained email account, proportionate action is taken, e.g. by using relevant search terms.

  4. The closed email account and the messages stored in it will not be kept longer than necessary in light of the purpose. E.g. if a company provides a 3-year warranty on its products, the retention period of an ex-seller's email account for that period may be justified.

Contact Hanne Gielens for more info.

Tibo de Kloe