CBA No. 81
First, it is important to take into account the Belgian Collective Bargaining Agreement No. 81 regarding the employer’s monitoring of “online communication data.” The CBA applies to employees’ use of email but also to communication via Teams, Slack, or other platforms. The CBA regulates the employer’s monitoring of electronic communication, which is only permitted for specific purposes: preventing unauthorized actions, protecting the company’s interests, ensuring the security and proper technical functioning of IT infrastructure, and complying with internal policies.
This aspect must be included in the IT policy for employees: what use is allowed (no private use), what is prohibited, the applicable rules regarding protection and security, etc. Employees must be informed about the rules for using IT resources, rights and obligations, and any sanctions/penalties in case of non-compliance.
Only under these conditions is it possible for the employer to monitor an employee’s mailbox and potentially identify the employee if irregularities are detected. If the information procedure is not followed, there is a risk that evidence based on the mailbox will not be accepted in any subsequent legal proceedings.
Sick or absent employees
Furthermore, the question arises as to whether it is possible to access the mailbox of a sick or absent employee.
This is possible because the company’s email address is primarily professional. Messages may arrive in the mailbox that the employer needs to be aware of.
The Belgian Data Protection Authority (DPA) recommends the following guidelines:
- All employees must be informed that their mailbox will be monitored by a colleague during their absence. This should also be included in the IT policy.
- An out-of-office message must always be set during an absence, informing third parties that the employee in question is not available and that messages may be read by colleagues during their absence.
- The IT policy must also specify that the out-of-office message can be set on behalf of the employee if he / she is unexpectedly absent.
- It must always be determined in advance who will monitor the mailbox during an absence.
- The colleague monitoring the mailbox must distinguish between personal and professional messages that do not require urgent follow-up and professional messages that do require urgent follow-up (and these can be forwarded to the person handling them during the absence).
These measures should therefore also be included in the IT policy.
What about employees leaving?
The IT policy must first address all possible scenarios (termination by the employer, resignation by the employee, termination after a period of absence, dismissal for cause). Below we give an overview of the guidelines and principles in the DPA’s decisions on this topic:
- To the extent that circumstances allow (e.g. not in the case of dismissal for cause), the employee should be allowed to delete or forward any private messages in their professional mailbox to a personal account. At the same time, professional emails requiring further follow-up or that may still be important for the employer in the future may be forwarded to colleagues. This cleaning of the mailbox can take place in the presence of a colleague or third party to ensure that no professional data belonging to the employer is removed. In conflict situations, it is advisable to involve a trusted intermediary.
- The employee’s mailbox must then be blocked no later than the day of his / her actual departure. The employee must be informed of this. This must also be included in the employer’s IT policy.
- An automatic response must be set stating that the person in question is no longer employed by the employer. The response must include the contact details of the new contact person.
- Monitoring of the former employee’s mailbox must be limited in time. Depending on the type of position and the likelihood that the mailbox will still be used by external contacts, this duration may vary.
The DPA adopts a strict approach: the mailbox may, in principle, remain open for monitoring for one month. This can be extended to three months, provided the context and the employee’s level of responsibility and position justify it, and the employee is informed of the extension. For example, the DPA recently ruled that retaining the email address of an employee (with a C-level profile) five months after her departure was excessively long. Certain circumstances may justify longer periods. Therefore, the timeframes and their justification should also be explicitly included in the IT policy.
- It is not permitted to automatically forward incoming emails to another email address of the employer.
- Upon termination (resignation), the employee may designate a colleague to monitor his / her mailbox. If this does not occur, or if the designated person is unsuitable, the person previously appointed under the procedure will be assigned.
The legal basis under the GDPR for temporarily keeping the mailbox open is the legitimate interest of the employer (of which the employee must be informed). Caution: this does not mean that the employer can still access the mailbox’s content during the one- to three-month period. For example, the DPA ruled that further use of the contents of a mailbox or sending messages to external parties constitutes a GDPR breach. However, the employee’s consent may provide a legal basis for limited access to the mailbox during this time.
- After the aforementioned period of one to three months, the mailbox must be permanently deleted. Certain information that may still be required by the employer and must be retained for a longer period must therefore be retrieved before the mailbox is closed (see also the first bullet point above).
For example, a recent decision refers to the recommendation CM/Rec of the Council of Europe’s Committee of Ministers, which states: “When an employee leaves his / her job, the employer must take technical and organizational measures to ensure that the employee’s email is automatically deactivated. If the content of the email needs to be retrieved for the organization’s proper functioning, the employer should take appropriate measures to retrieve the content before the employee’s departure, preferably in their presence. The explanatory memorandum to the recommendation further states (point 122) that in these situations where the employee leaves the organization, the employer should deactivate the former employee’s account so that there is no further access to the former employee’s communications after their departure. If the employer wishes to recover the contents of the employee’s account, the necessary steps should be taken before the employee’s departure, preferably in their presence. This sectoral recommendation, which complements the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), illustrates how the principles of purpose limitation, minimal data processing, and proportional retention—confirmed in both this Convention and the GDPR—should be applied.”
