In several cases, the employers, by invoking business continuity reasons, tend to keep the mailboxes of their ex-employees active for a considerable period of time.
More than two years after the EU General Data Protection Regulation’s (GDPR) entry into force, employer’s access to an ex-employee mailbox has received somewhat less attention compared to other employment issues with a privacy dimension. However, the last year has marked a turning point in this regard since the issue at question has been under the scrutiny of several regulatory entities around Europe with the most important decision being the one adopted by the Belgian Data Protection Authority on September 29th, 2020.
Below you may find a snapshot of the main guiding rules for avoiding high fines and ensuring that your company’s approach during the termination process of an employment relationship is compliant with the GDPR standards when it comes to the way it handles the professional mailbox of an ex- employee.
- Establishment of an internal Information and Communications Technology (ICT) Policy setting out whether and for how long the employee mailboxes should be kept and the exact conditions of the access of the employees’ mailboxes upon the termination of the employment relationship. The importance of such policy is even greater considering that it may qualify as means of informing the data subjects on all aspects of the process followed by the employer.
- Before the departure, the employer should allow the employee to sort, collect and/or delete his/her private e-mails. Similarly, in case that the employer needs to recover the contents of an employee’s account, this must take place before his/her departure and in his/her presence.
- Activation of an automatic message informing the recipient (i) that the person in question has left the company and (ii) on the contact details of the person to contact instead. Such automatic message should be kept active during a reasonable period and may be extended depending on the degree of responsibility of the ex-employee. Any extension is subject to the prior approval or at least to the notification of the person concerned and should be duly documented.
- Deactivation of the mailbox once the timeframe for the automatic response has run out.
EY Law Team can assist you with the drafting or reviewing of your ICT Policy embedding the internal rules on the way you manage the professional mailbox of your ex - employees.