How Long Can I Keep Former Employees’ Emails?

By Myles Dacres

The Outsourced DPO read an interesting article on Lexology about how to handle the email accounts of former employees. The case in question was in Belgium and related to the former owners of a family firm being ousted by the company. The ousted former employees complained to the Belgian supervisory authority (BDPA) that the company continued to use their email addresses despite them no longer working for the company – in fact having left the company more than 2 years previously.

The Lexology article linked to the decision notice in French which was swiftly translated thanks (again) to the most excellent online translation engine https://www.onlinedoctranslator.com/.  Within a matter of seconds, the 20-page decision notice was available in English.  If you are not aware of this service you should check it out as it is fabulous!

Without going into the ins and outs of the case, the BDPA decided that:

  1. Organisations should have a policy and procedure to set out their approach in such situations which should be made available to data subjects (employees in this case).
  2. Before a person leaves an organisation they should have the opportunity to sort private and professional emails and either collect or delete the private ones, in much the same way that they are entitled to collect personal effects.
  3. Email accounts should be blocked at the latest as soon as an employee exits and the employee should be notified in advance of this – potentially through an IT policy.
  4. An auto-response should be activated prior to the account being blocked to alert people sending emails to the exiting employee that they no longer work for the organisation. The auto-response should operate for a limited period of time: ideally no longer than 3 months.
  5. At the end of the period in which the auto-response operates the mailbox should be deleted.

The decision notice considered a valid legitimate interest in maintaining the mailbox during the auto-response period but determined that there was no legal ground to continue processing after that period of time.

The BDPA levied a fine of €15,000 on the company: likely a significant amount for an operation of 13 people.

Whilst the decision does not apply to UK data controllers, it is interesting nonetheless to consider the BDPA’s arguments. The DPP SAR Bureau handled several humungous subject access requests last year which involved reviewing literally hundreds of thousands of pages of emails and email attachments surfaced during a SAR information search. There would have been a very different outcome had an approach such as that above been applied.

So what should we make of this?  Firstly do the BDPA’s suggestions seem unreasonable?  Why do we retain the mailboxes and email accounts of former employees and how often do we actually review the information contained within them?  Comfort blanket and never are the most likely answers.  Certainly, as time progresses, the usefulness of any information in those mailboxes diminishes.

What do we make of allowing employees to review their email accounts and split emails into “personal” and “professional”? In practical terms, how long will that take? Will employees want to spend their time doing this? Will they be supervised? Are all emails likely to fit this distinction? Is it feasible to automatically or semi-automatically sort emails into these categories on a running basis to allow for the erasure of personal emails on departure? Does it really matter if mailboxes are deleted anyway after 3 months?

As ever, the decisions of the supervisory authorities shape the application of the law and the thinking around it. The decision notice is certainly worth a read, and the basis of it can be used to challenge existing processes.

We will be discussing this and more in our next Lunchtime Takeaway Session where our Data Protection experts will take a look at the year ahead and tell you what you need to prioritise in 2021.

Date: 05.01.21
Time: 12:30-13:30
Location: Microsoft Teams 
Cost: Free 

Contact Myles Dacres for a link to join: [email protected]
