Employee e-mail, termination of employment contract and GDPR
Issues related to personal data of employees have intensely concerned us in our previous articles. We have dealt, inter alia, with the use of visual recording systems in the workplace; teleworking and respect for the personal data of employees who work remotely; with the permissibility or not of the monitoring of the professional e-mail of the employees and the conflict of the employer-employee rights. However, all of these relate to issues that arise during the employment relationship. What happens during (and after) its dissolution? And, in this case, what is the fate of the professional e-mail address of an employee who leaves their job?
The position of the Belgian Authority for the Protection of Personal Data
The fate of the professional e-mail of an employer after they left their job occupied the Belgian Data Protection Authority (The Litigation Chamber of the Belgian DPA). Relatively recently (19.9.2020) its decision No. 64/2020 was issued. An important decision that has already caused concern and headaches in both Belgium and Europe. Of course, in our country as well.
The facts of the case
The case that the Belgian Data Protection Authority (“BDPA”) was called upon to handle regarded an (initially) family business. This business, several years after its founding, in November 2016, suddenly fired its CEO and the son of its founder. Subsequently, the employment relations of other members of the founder’s family who worked in it were terminated.
In March 2019, three years after the first dismissal, it was found that the professional email addresses of the executives and employees who were fired were still in use. It should be noted here that the specific email addresses consisted of the name of the employees (as usual) and the name of the business.
The former CEO demanded that the business stopped using their email addresses. The case was initially handled by the BDPA mediation division. In the relevant procedure (which, however, was unsuccessful) the business noted that these addresses had been deactivated, the incoming messages, however, were forwarded to a third email address of the business. The purpose of the above practice was, according to the business, to prevent the loss of important third-party e-mails, given the important position held by those who left (CEO and other executives).
The conclusion of the above case was the decision of the judicial department of the BDPA, which imposed a fine of €15,000 on the specific business. But a fine that was not insignificant, given the business’s small size. The latter employed only thirteen employees.
However, the significance of this decision lies in the directions it provides, scattered throughout its body, regarding the treatment of such cases.
The guidelines of BDPA Decision No. 64/2020
The directions provided by the BDPA with its specific decision, can be divided into two categories. The first refers to the management of the specific issue (: management of a professional e-mail of an employee) before the termination of the employment relationship. The second refers to the period after the dissolution of said relationship.
Before the termination of the employment relationship
Every employment relationship (like life, after all) will – inevitably -end at some point. An end that depends on the voluntary departure of the employee (: resignation), retirement, dismissal or death. In any case, the business must have taken care in advance (among other things) the fate of the professional e-mail of any employee. Therefore, according to the BDPA, each business should inform its employees about how it is going to manage their specific emails in case of the termination of the employment relationship. This information (entailed the relevant Policy), should state in detail the steps to be followed.
Based on the above (: no. 64/2020) decision, during the phase of the (imminent) departure of the employee (of course, when it does not take place suddenly):
(a) The employee should be able to collect or delete their private electronic communications. At the same time, however, if a part of their professional correspondence is necessary for the smooth operation of the business and must be recovered, this is required to be done before the employee leaves. Of course, in the employee’s presence.
(b) The employee should also be informed of the “blocking” of their professional e-mail address. It should be noted, of course, that this decision does not require their, in a solemn way, special information. However, it does not specify whether the general information included in the Business Policy is sufficient, if any. But it would be more correct to accept that such general information is sufficient.
(c) The business should, at the same time, before blocking the professional e-mail address, create an automated response to the e-mail senders. It is interesting that this decision also determines its content. The decision mentions that the response should: (i) state that the employee in question is no longer performing their duties in the business and (ii) inform third-party senders of the contact details of the person with whom they can communicate-instead of the one employee who left. Of course, a general (eg info @ ή. Or sales @….) email can be provided, instead of a personalized / personal email address.
BDPA favors the solution of the automated reply to the sender over the “manual” forwarding of the e-mails to another address. The reason is obvious: in the case of “manual” forwarding, the one who carries it out may become aware of sensitive information and data of the former employee.
(d) The business must, at the latest by the day of the employee’s actual departure, have “blocked” their e-mail address.
After the termination of the employment relationship
The above decision gives, as already mentioned, clear directions (also) regarding the period that follows, in any way, the departure of the employee. Specifically, it points out that:
(a) The automated response should be active and sent to third party senders for a period of one month. It accepts, of course, the possibility of extending this interval. However, its extension depends on the importance of the job held by the employee. At the same time, however, it sets specific conditions on which it should depend. In particular: (i) a possible extension should not exceed three months; (ii) the need for an automated response time extension should be justified; (iii) the former employee should be informed of any extension being considered, and it would be best (but not necessary) for them to be called to give their permission.
(b) The professional e-mail address of the employee should, according to the above decision, be deleted after the expiration of the aforementioned month (or, by extension, of the three months -maximum). After the expiration of this period, neither sending nor receiving e-mails of an employee should be possible.
In other words: the decision considers as a legal reason for not deleting such an e-mail (simultaneously with the departure of the employee), the need to ensure the proper operation of the business. It considers, however, that after the expiration of the time set for the sending of an automated response (1-3 months), this reason is no longer valid.
The above decision of the Belgian Authority is of particular value as it is the first, at European level – as far as we know, with this subject. Also, because it comes to interpret, in this difficult matter, the European Regulation 679/2016 on personal data (better known as GDPR). This interpretation will be, without a doubt, “precedent” for the other European Authorities – of course for the Greek one as well.
It is a given that this decision excessively (in the writer’s view) restricts business freedom. Especially with regard to the maximum period (: month or, at most, three months) that it evaluates as sufficient for informing the senders-third parties (eg customers and partners) of the business / employer. And how could one argue that such a horizontal arrangement would be just as adequate for a neighborhood retail store and a multinational one? For an employee and a CEO? And, furthermore, how harmful would this horizontal regulation be for a European business (which falls under the GDPR), as opposed to another (competitor) operating in a country not under the GDPR?
In any case: the specific decision of the Belgian Authority is already a given. It is a fact – with whatever legal value it may have at a pan-European level. Let us hope, however, that it is reviewed by the respective Authorities of the individual EU Member States, which will certainly be called upon to deal with similar issues.
Until then, the only encouragement to Greek companies (among others) can be: Hurry up!
P.S. A brief version of this article has been published in MAKEDONIA Newspaper (April 18, 2021).
Disclaimer: the information provided in this article is not (and is not intended to) constitute legal advice. Legal advice can only be offered by a competent attorney and after the latter takes into consideration all the relevant to your case data that you will provide them with. See here for more details.