On several occasions, the Belgian Data Protection Authority (BDPA) has issued practical guidance on dealing with departing employees or contractors.
In essence, to comply with the various applicable principles of the European General Data Protection Regulation (GDPR), the organization concerned should have (i) blocked the related electronic mailbox at the latest on the day of the actual departure, (ii) after having informed the individual concerned, and (iii) after having inserted an automatic reply.
This automatic message should warn any subsequent sender of the fact that the person concerned no longer works within the organization and should give the contact details of the person who will follow-up (or the generic e-mail address of the organization), and this during a « reasonable » period of time, normally 1 month (!). A longer period of time, in principle not exceeding 3 months, could nevertheless be justified depending on the context and, in particular, the degree of responsibility exercised by the departing person, provided that the latter has agreed to this extension, or at least has been informed thereof. Beyond this period, the BDPA finds that the electronic mailbox and email address should be deleted.
According to the BDPA, this method is to be « preferred » to the practice of automatically transferring emails to another email address within the organization because, in that case, there is no control over incoming emails since, for example, potentially sensitive private information could be disclosed without the knowledge not only of the person concerned but also of the sender.
Furthermore, the blocking of an email address should not be conditional on a written request from the employee concerned.
Moreover, the obligation for the organization to inform the person concerned of the blocking of the electronic mailbox is also intended to allow the individual concerned to sort out and transfer possible private messages to the personal mailbox because « in the same way that the person concerned must be allowed to take back his/her personal belongings, (s)he must be allowed to take back or delete his/her private electronic communications before his/her departure ». Similarly, if some of the contents of the individual’s electronic mailbox must be retrieved for the proper functioning of the organization, this must be done before the individual leaves and in his/her presence. In the event of a contentious situation, the intervention of a « trusted person » is recommended.
Finally, the BDPA stresses the fact that the hypothesis of resignation or dismissal or any other form of termination and its consequences should be addressed in an internal document on the use of IT tools.
See the decision n° 64/2020 (FR) of 29 September 2020, and more particularly §§ 26-28, 31 and §§39-40
See the decision n° 126/2021 (FR) of 19 November 2021, and more particularly §5
See the decision n° 133/2021 (NL) of 2 December 2021, and more particularly §§50-52