When an employment relationship ends, there are many tasks to handle, ranging from administrative duties to ensuring privacy and business continuity.
One key aspect that is often overlooked is the management of the departing employee’s mailbox.
- Can a business still use the mailbox?
- Can the employee retrieve personal affairs?
- What does the General Data Protection Regulation (GDPR) say about this?
- And what are the risks of not complying with the regulations?
In this blogpost, we will go over the main points and provide you with tips & tricks to tackle this issue.
Importance of managing the mailbox of departing employees properly
Both the employer and the employee have an interest in the content of the mailbox, albeit for different reasons.
The employee’s mailbox often contains personal data (even if strictly forbidden to be used for such matters), which, after the employee leaves, is no longer relevant or justifiable to retain. Employees may wish to send some of these mails to their personal mailbox.
On the other hand, a company can have a legitimate interest to keep the mailbox active for a reasonable time since there might be business sensitive mails in the mailbox or coming in after the employee leaves.
However, the GDPR mandates that you cannot retain personal data for longer than necessary and this includes the mailbox of a leaving employee.
What does GDPR say about mailboxes after an employee’s departure?
GDPR puts the responsibility for the processing of personal data with the controller (the employer). This means that the employer must ensure it has a legal ground for not deleting the mailbox. The GDPR mandates the employer to assess and motivate whether it wants to keep the mailbox active, in which way, and for how long.
Key GDPR principles
Purpose limitation: mailboxes should only be used for the purpose for which they were originally set up. Once an employee leaves, that purpose is no longer valid. This means the mailbox cannot be actively used.
Data minimisation: only the necessary data should be retained. The mailbox of the departed employee should not remain active longer than necessary.
Legal basis: after the departure of an employee, the legal basis for processing their mailbox expires, unless there is another legitimate reason, such as transferring ongoing projects. The employer can ask consent from the ex-employee to keep the mailbox active for up to a month, or the employer can do a legitimate interest assessment and balance its legitimate interest against the rights and freedoms of the ex-employee. Note that adequately motivating and informing the ex-employee of the decision is mandatory according to the Belgian DPA.
Even if the mailbox is kept open/accessible, this does not grant the employer the right to use it to send e-mails!
TL;DR | Do’s and don’ts
When someone leaves your company, their mailbox doesn’t disappear, but your legal obligations kick in immediately. Here are the do’s and don’ts.
✅ DO:
Redirect or auto-reply clearly that the person no longer works at your organisation.
Set a short transition period (typically 1 month) before closing the mailbox.
Involve your DPO when setting mailbox retention policies.
❌ DON’T:
Pretend the person still works there.
Access or forward personal messages without a legal basis.
Keep the mailbox active for months “just in case”.
The rule of thumb? Necessity and proportionality. If you don’t need the data, don’t keep it.
What should you do with the mailbox of a departed employee?
Block the email account asap
As soon as an employee leaves, access to the mailbox should be revoked immediately. Only the IT department should be able to access it, and every such access must be logged adequately.
Set up an out-of-office autoresponder
Set an automatic reply message informing senders that the employee no longer works at the company and providing an alternative contact for queries.
This message can remain active for one month, but in exceptional cases (for example, if the employee held a key role or was at the company for a long time), it can be extended.
The Belgian DPA determined that three months should, in principle, be sufficient, but this is not a maximum. Going beyond the three months requires thorough justification and notification of the ex-employee.
On top of that, it is recommended to proactively inform all active clients/suppliers the leaving employee was working with to avoid confusion.
Delete the email account within a reasonable timeframe
After the autoresponder has been set, the mailbox should be deleted within a set timeframe.
No automatic e-mail forwarding
It is not permitted to automatically forward emails from a departed employee’s account. This could breach the privacy of the former employee, particularly if personal or confidential emails are involved.
Inform the departing employee
It is recommended to give the leaving employee the chance to retrieve personal e-mails from their mailbox on their final day. This retrieval may take place under supervision.
Afterwards, the employer can retrieve business critical content from the mailbox through their IT department.
In short, plan ahead and think how you can manage the mailbox, determine which mails should be kept and delete the mailbox as soon as reasonably possible.
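The procedure above (block the account, stop forwarding, set a neutral autoresponder, restrict and log IT access, delete within the set timeframe), implemented as an added PowerShell example for a Microsoft 365 / Exchange Online tenant. This is not code from the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator has already connected with sufficient rights; the IT group name, the alternative contact address and the habit of recording the deletion deadline in CustomAttribute1 are assumptions of this example, and the retention period should follow your own policy and the DPA guidance described above.

```powershell
# Added example (not from the original post): defender-side offboarding routine for
# Microsoft 365 / Exchange Online. Assumes Connect-ExchangeOnline and Connect-MgGraph
# were already run with sufficient rights. Addresses and group names are placeholders.

function Invoke-MailboxOffboarding {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,          # departing employee
        [Parameter(Mandatory)] [string] $AlternativeContact,         # address senders are referred to
        [string] $ItAccessGroup = 'sg-it-offboarding@example.org',   # placeholder IT group
        [int]    $RetentionDays = 30                                 # the one-month default above
    )

    # 1. Block the account: disable sign-in, revoke live sessions, switch off mail protocols.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Set-CASMailbox -Identity $UserPrincipalName -OWAEnabled $false -ActiveSyncEnabled $false `
        -ImapEnabled $false -PopEnabled $false -MAPIEnabled $false -EwsEnabled $false

    # 2. No automatic forwarding: clear mailbox-level forwarding and remove inbox rules that forward or redirect.
    Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $null -ForwardingSmtpAddress $null `
        -DeliverToMailboxAndForward $false
    Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { Remove-InboxRule -Mailbox $UserPrincipalName -Identity $_.Identity -Confirm:$false }

    # 3. Neutral autoresponder for the transition period only (scheduled, so it switches itself off).
    $deadline = (Get-Date).AddDays($RetentionDays)
    $reply = "This e-mail address is no longer in use. Please contact $AlternativeContact with your inquiries."
    Set-MailboxAutoReplyConfiguration -Identity $UserPrincipalName -AutoReplyState Scheduled `
        -StartTime (Get-Date) -EndTime $deadline -InternalMessage $reply -ExternalMessage $reply -ExternalAudience All

    # 4. Only the IT group may open the mailbox, and that access is audited.
    Get-MailboxPermission -Identity $UserPrincipalName |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' -and $_.User -ne $ItAccessGroup } |
        ForEach-Object { Remove-MailboxPermission -Identity $UserPrincipalName -User $_.User -AccessRights FullAccess -Confirm:$false }
    Add-MailboxPermission -Identity $UserPrincipalName -User $ItAccessGroup -AccessRights FullAccess -AutoMapping $false
    Set-Mailbox -Identity $UserPrincipalName -AuditEnabled $true

    # 5. Record the deletion deadline on the mailbox (assumed tagging scheme) so the clean-up job can find it.
    Set-Mailbox -Identity $UserPrincipalName -CustomAttribute1 ("Offboarded;Delete=" + $deadline.ToString('yyyy-MM-dd'))
    return $deadline
}

# Clean-up job: report (and, with -Delete, remove) offboarded mailboxes whose deadline has passed.
function Remove-ExpiredOffboardedMailbox {
    param([switch] $Delete)
    $today = Get-Date
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -like 'Offboarded;Delete=*'" |
        ForEach-Object {
            $due = [datetime]::ParseExact($_.CustomAttribute1.Split('=')[1], 'yyyy-MM-dd', $null)
            if ($due -le $today) {
                if ($Delete) {
                    # Soft-deletes the user and its mailbox (recoverable for the platform's retention window).
                    Remove-MgUser -UserId $_.UserPrincipalName
                    "Deleted $($_.UserPrincipalName) (due $($due.ToShortDateString()))"
                } else {
                    "OVERDUE $($_.UserPrincipalName) (due $($due.ToShortDateString()))"
                }
            }
        }
}

# Who opened the locked mailbox? Pull the access events from the unified audit log for your records.
function Get-OffboardedMailboxAccess {
    param([Parameter(Mandatory)] [string] $UserPrincipalName, [int] $Days = 30)
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -RecordType ExchangeItem -FreeText $UserPrincipalName -ResultSize 5000 |
        Select-Object CreationDate, UserIds, Operations
}
```

Run `Invoke-MailboxOffboarding` on the employee's final day (after they have retrieved their personal e-mails under supervision), schedule `Remove-ExpiredOffboardedMailbox` to run daily without `-Delete` first so the report can be reviewed, and keep the output of `Get-OffboardedMailboxAccess` with the offboarding file; the scheduled autoresponder and the recorded deadline are what keep the "one month, extended only with justification" rule from silently becoming "months, just in case".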
What are the risks of not properly managing the mailbox?
Failing to manage the email account of a departed employee properly can lead to several risks, such as:
- Data breaches: if the content of the mailbox is not deleted, it could lead to the unlawful disclosure of personal data to other employees, and thus a data breach.
- Security breaches: leaving a mailbox active poses a security risk. Malicious parties can try to gain access to your company through that mailbox.
- Fines and warnings from the regulator: the DPA and other supervisory authorities may impose fines for breaches of GDPR, such as unlawfully retaining e-mail accounts or failing to meet transparency requirements.
- Loss of trust: customers and employees expect organisations to handle personal data carefully. Failing to follow proper procedures can damage trust. On the other hand, being transparent in how you tackle these issues will build trust.
Practical tips for a good mailbox management policy
Develop a clear offboarding policy:
ensure you have an internal policy for managing mailboxes when employees leave. This policy should also include procedures for informing departing employees and how you will determine how long the mailbox will be kept active.
Ensure transparency:
inform employees about what will happen to their mailbox when they leave. This should be in line with GDPR requirements for transparency and the rights of the data subject.
Carefully weigh interests:
If it is deemed necessary to keep a mailbox active for continuity or security reasons, this must be justified properly.
The consent of the ex-employee can be requested, but if the ex-employee does not provide such consent, the legitimate interest of the company can be relied upon with adequate justification and notification to the ex-employee.
Conclusion
Managing the mailbox of departing employees is an important task that involves not just administrative efficiency but also GDPR compliance.
By planning ahead and taking the right measures, such as promptly deactivating accounts, setting up autoresponders, and deleting e-mail data within a reasonable timeframe, you can protect both the privacy of former employees and your organisation’s reputation and interests.
By working in a transparent way, you can minimise the interference on your day-to-day operations whilst also building trust with external parties and your ex-employee.
Frequently asked questions
How long can I keep a terminated employee’s mailbox active under the GDPR?
Ideally as short as possible. The Belgian DPA sets 1 month as reasonable. It is possible to extend this: the DPA determined that three months should, in principle, be sufficient, but this is not a maximum. Going beyond the three months requires thorough justification and notification of the ex-employee. Set up an autoresponder notifying the sender that this mailbox is no longer active and referring them to a different contact. Do not automatically forward the mails to another employee. Only IT should have logged access to the mailbox.
What should the automatic out-of-office reply say?
We recommend keeping it as neutral as possible.
This e-mail address is no longer in use. Please contact xyz@company.abc with your inquiries.
Who is responsible for deciding what happens to the mailbox: IT, HR, or the DPO?
The decision on how to handle offboarding is normally taken by HR, in collaboration with IT and with advice from the DPO.
What if the mailbox contains personal emails or private information?
Leaving employees have the right to retrieve personal e-mails from their professional account, even if the IT policy states that the professional mail address cannot be used for personal reasons. This can be done while the leaving employee is supervised, to prevent sensitive information from being taken.
Can we delete the mailbox immediately after someone leaves?
Yes, but this could hurt your business interests if sensitive or important information is in the mailbox. Ensure you take out the required information before you delete the mailbox.
Do we need to inform the employee about what happens to their mailbox?
Yes. When employees are hired, they should be informed about the offboarding procedures through the employee privacy policy. If you want to keep the mailbox active (through an automated message) for over three months, the Belgian DPA states that the employee should be informed.
What documentation do we need to keep around mailbox management?
For transparency reasons: the employee privacy policy, the IT policy, and the logs of who accessed the locked mailbox.
Is mailbox data considered personal data under the GDPR?
Yes, first.lastname@business.xyz is considered personal data since the employee is directly identifiable. Even for general mail addresses, employees will often sign messages with their name at the bottom.
Can we reuse the mailbox (or email address) for a new employee?
For general mail addresses (such as info@, hello@), continuation is expected. Just do not use the name of the employee at the bottom to ‘sign’ an e-mail.