At the end of the contractual relationship, whatever its cause (resignation, dismissal, expiration of the term, etc.), what steps should the enterprise take to comply with the EU General Data Protection Regulation (GDPR) with respect to the email account it created and assigned to a staff member (employee or independent contractor) for the performance of his/her professional activities within the enterprise?
In its decision 64/2020 of 29 September 2020, the Litigation Chamber of the Belgian Data Protection Authority (DPA) states that any email address that relates to an identified or identifiable individual constitutes personal data, whether or not that email address is composed of the name and surname of the individual it relates to. This means that a generic email address (e.g. email@example.com) that relates to an identified (or identifiable) individual – and not, for instance, to an entire administrative, secretarial or customer service department – is deemed personal data.
In such a case, the enterprise, as data controller, must ensure that the processing of its staff members’ professional email addresses (and the contents of the related sent/received emails) complies with the GDPR principles.
Being allocated essentially to the performance of professional activities, such staff mailboxes logically contain confidential and sensitive information regarding the enterprise’s business, clients, operations, etc. For business operation and continuity purposes, the enterprise may need to keep the leaving staff member’s email account active in order to retrieve that professional information.
The above-mentioned DPA decision gives data controllers facing such a situation directions and recommendations on how to comply with the data protection principles set forth in the GDPR:
- Importance of the purpose of the processing: the sole purpose for keeping a former staff member’s email account is not to lose important or necessary business-related information (pending files, business contacts, tax administration documents, etc.) that may be available only in that mailbox.
- Data minimization: only data that are adequate, relevant and limited to what is necessary in relation to the above-mentioned purpose may be processed (i.e. retained). Private emails are therefore excluded.
- Storage limitation: data cannot be kept for longer than is necessary for the aforesaid purpose. The DPA considers a period of one month reasonable. Depending on the leaving worker’s function (e.g. a management position, high responsibilities, point of contact for third parties), the period can be extended up to three months. This is, however, subject to a documented justification and to the data subject’s consent, or at least to the data subject being informed of it. Furthermore, the enterprise must actively search for and implement an alternative solution as soon as possible, rather than waiting for the three-month period to expire.
- Lawfulness: the DPA implies that the enterprise’s legitimate interest could be the legal ground for such retention of leaving staff members’ mailboxes. That of course means that the GDPR conditions for valid reliance on this legal ground must be met (i.e. the balancing of the interests at stake), including the requirement that storage be limited in time (maximum three months).
IN PRACTICE, what to do?
- Providing the mandatory information on the retention of mailboxes to staff members in the work agreement/regulations or in the service agreement (categories of personal data processed, purposes, legal ground, storage period, etc.).
- Encouraging staff to systematically label their private emails as “private” or “personal” in the subject field.
- Adopting a policy defining the rules and measures for deleting the email accounts of staff members (employees as well as independent workers) leaving the organization, incorporating the following directions of the DPA:
  - to the extent possible, the enterprise should take appropriate measures to recover content from the leaving staff member prior to the latter’s departure, and preferably in the latter’s presence;
  - informing the leaving staff member that his/her email account will be blocked on the day of the actual departure at the latest, as well as of the period during which the enterprise will retain the mailbox. This gives the former worker time to sort professional emails from private ones;
  - inserting an automatic message informing any correspondent that the former staff member no longer works for the organization and referring them to the person or service to contact from now on. That automatic message should be sent for as long as the email account is active (i.e. up to three months). Such automatic messages are to be preferred over automatic forwarding: with forwarding, the chances are higher that a correspondent sends sensitive or personal information to an unintended recipient.
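As an added illustration (not part of the firm’s article), a small Python audit of the directions above: it computes each departed account’s retention deadline (one month, or three months for a key function only where the extension is documented and the leaving worker informed) and flags accounts that are not blocked, rely on automatic forwarding instead of an auto-reply, or remain active past the deadline. The account names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DEFAULT_RETENTION_DAYS = 30   # one month: the period the DPA deems reasonable
EXTENDED_RETENTION_DAYS = 90  # up to three months for key functions, if justified

@dataclass
class DepartedAccount:
    address: str
    departure: date
    blocked: bool                  # login disabled on the departure day at the latest
    auto_reply: bool               # automatic message naming the new contact
    forwarding: bool               # automatic transfer to another mailbox
    key_function: bool             # director, senior role, third-party contact point
    extension_justified: bool      # written motivation for an extension on file
    subject_informed: bool         # leaving worker informed of (or consented to) it
    deleted_on: Optional[date] = None

def retention_deadline(acc: DepartedAccount) -> date:
    """Last day the mailbox may stay active under the DPA's directions."""
    if acc.key_function and acc.extension_justified and acc.subject_informed:
        return acc.departure + timedelta(days=EXTENDED_RETENTION_DAYS)
    return acc.departure + timedelta(days=DEFAULT_RETENTION_DAYS)

def audit(acc: DepartedAccount, today: date) -> List[str]:
    """Return the compliance gaps found for one departed account."""
    gaps = []
    if not acc.blocked:
        gaps.append("account not blocked on departure")
    if acc.forwarding:
        gaps.append("automatic forwarding enabled (auto-reply preferred)")
    deadline = retention_deadline(acc)
    if acc.deleted_on is None:
        if not acc.auto_reply:
            gaps.append("no automatic message naming the new contact")
        if today > deadline:
            gaps.append(f"still active past retention deadline {deadline}")
    elif acc.deleted_on > deadline:
        gaps.append(f"deleted {acc.deleted_on}, after deadline {deadline}")
    return gaps

# Constructed sample (hypothetical addresses and dates): a director's mailbox
# kept open and forwarded for almost three years, and a compliant clerk's one.
SAMPLE = [
    DepartedAccount("director@example.com", date(2017, 10, 1), True, False, True,
                    True, False, False),
    DepartedAccount("clerk@example.com", date(2020, 6, 1), True, True, False,
                    False, False, False, deleted_on=date(2020, 6, 25)),
]
```

Running `audit(acc, date.today())` over each account in `SAMPLE` lists the gaps per mailbox; an empty list means the account meets the directions above.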
In its decision 64/2020, the DPA imposed an administrative fine of 15.000 EUR on a small enterprise that had retained a former director’s (and other staff members’) email accounts for almost three years.
In the context of a work relationship (employees, freelancers, service providers, etc.), any personal data processed must comply with the GDPR at every step, from the pre-contractual operations to the termination. We are of course at your disposal to answer any question you may have in that respect and to assist you with the implementation of a retention policy and procedure.
Lawyer DNA LAW