In two recent decisions (Decision 126/2021 of 19 November 2021 and Decision 133/2021 of 2 December 2021), the Dispute Resolution Chamber of the Data Protection Authority (DPA) reiterates its strict guidelines on closing the mailbox and the associated e-mail account after termination of employment (see our earlier Newsflash on this subject via this link). These guidelines must also be respected when the cooperation with a self-employed person is terminated.
In the most recent case, a former self-employed service provider of a de facto association filed a complaint with the DPA after it came to light that his e-mail address was still active within the organisation on 1 and 11 January 2020, even though the cooperation had already ended at the end of 2019. The reason for this was a reply by the national secretary of the de facto association to a private e-mail sent to the service provider, in which it was reported that the professional e-mail address in the name of the service provider would cease to exist. The IT department had added the mailbox of the self-employed service provider to the mailbox of the national secretary.
In Decision 126/2021, a complaint was filed by a man who continued to receive newsletters from an organisation after he had unsubscribed. The investigation showed that this was because his predecessor’s mailbox had been added to his own.
Decision of the Dispute Resolution Chamber of the DPA
In both cases, the DPA recalls that neither the purpose limitation principle nor the principle of minimum data processing is respected if, after the departure of the service provider, the organisation still has access to his mailbox and the professional e-mail address of the ex-collaborator continues to exist and is being actively used. Such processing is not based on any legal grounds.
The DPA had already stated in its earlier Decision 64/2020 of 29 September 2020 that the company must, at the latest on the day of the actual departure, deactivate the ex-collaborator’s mailbox and provide an automatic message informing the addressee that the person he tried to contact has left the organisation. The ex-collaborator must be informed of the aforementioned deactivation. These guidelines apply to both employees and self-employed persons.
After a reasonable period (a priori one month) the mailbox – and the automatic message – must be deleted. The period of one month may, taking into account the context and the degree of responsibility, be extended to a maximum of three months. This extension must be justified and preferably must take place in mutual agreement or at least with notification to the ex-collaborator.
The limited retention of the mailbox must be based on a new legal ground. After all, the initial legal basis for the effective management and use of the mailbox, namely the performance of the contract, ceased to exist when the cooperation was terminated. The DPA hereby accepts that the company may rely on its legitimate interest in ensuring continuity of performance and the proper functioning. In this decision, the DPA also adds that the person concerned may still have limited access to the mailbox, subject to the agreement of the data controller and the person concerned, for example in order to complete current files. The latter seems impossible in the case of the dismissal of an employee who cannot be expected to carry out any activities after the termination of his employment. On the other hand, it does seem conceivable that either the company or the person concerned still needs information from the mailbox and can therefore still access it temporarily for a short period of time after the dismissal. We are thinking in particular of the situation in which the employee is not present in the company at the time of termination of the cooperation.
The DPA points out that the data protection principles are violated when the mailbox of an ex-collaborator or self-employed person is added to the mailbox of a colleague who continues to manage the mailbox and can take note of e-mails addressed to the ex-collaborator. According to the DPA, this is also contrary to the Telecommunications Act.
Unlike the previous decision of the DPA, in which the company in question was sanctioned with an administrative fine (read more on this via this link), the sanction in this case was limited to a reprimand as the mail account of the service provider had meanwhile been closed down and the organisation now had a document with formal agreements on the professional mailbox.
Make sure that you, as a company, develop an internal policy in which, based on the DPA guidelines, formal agreements are made about the e-mail account during the cooperation and after its termination. Always ensure that the internal policy is applied effectively.
The Claeys & Engels Data Protection team is ready to help with any further questions you may have about your internal policy.