On September 29, 2020, the Litigation Chamber of the Data Protection Authority (DPA) condemned a company, which had not closed the e-mail addresses of workers who had ceased their functions, to pay a fine of €15,000 and to adopt a policy resolving the issue of e-mail closure.
This decision was taken following a complaint from a Managing Director, who, after being dismissed from his position, had requested that his e-mail addresses and those of members of his family who no longer held a position within the company be closed. In the absence of follow-up from the company, he filed a complaint with the DPA.
In the course of the investigation conducted by the Authority, it was established that :
1) The e-mail addresses were still active 2.5 years after the departure of the persons concerned.
2) The recipients of the e-mails sent using these addresses had not been notified that the senders were no longer the original users, which could lead to the collection and use of personal data.
In its decision, the DPA considered that the company had violated the principles of purpose, lawfulness, minimal data processing and limited retention. It also considered that, given the functions of the persons concerned and the absence of ongoing file transfers, the retention of e-mail addresses could not be justified by the fear of loss of important business messages.
This litigation highlights guidelines for any employer faced with the departure of an employee and in particular:
– The need to implement an internal charter relating to the use of IT tools to deal with the hypothesis of resignation, dismissal or any other form of termination of activity and its consequences.
– The obligation for the data controller to block the electronic mailbox of any holder who has ceased his functions, at the latest on the day of his effective departure.
– The obligation for the data controller to notify the holder of the electronic mailbox before proceeding with the said blocking, and to ensure that an automatic message is inserted to notify any subsequent correspondents and provide them with the contact details of the person to be contacted, and all this for a reasonable period of time (between 1 and 3 months depending on the circumstances).
Given the principle of accountability, the burden of proof is on the employer who has to demonstrate that these measures have been properly put in place.
For more information on the subject, please contact Guillaume RUE (firstname.lastname@example.org).
The Cairn Legal team.