If employers want to be compliant with GDPR, what should they do with an employee’s corporate e-mail account after termination of his employment? The Italian supervisory authority’s decision of 2 July 2020 against Mapei S.p.A. (“Mapei”) gives us answers to this question.
Background
A former employee of Mapei lodged a complaint before the Italian supervisory authority (“Garante”) in August 2018. The complainant claimed that Mapei kept his corporate e-mail account active after termination of employment, which took place in July 2017. Mapei deactivated the complainant’s e-mail account upon receiving his request for deactivation in June 2018.
What did the employer say?
Mapei confirmed to Garante that the complainant’s e-mail account was kept active after termination of employment for incoming e-mails to be automatically redirected to the complainant’s superior. Mapei justified this practice by the need to ensure continuity of business operations in which the complainant had been involved during the employment and to guarantee the continued availability of the company to the clients with whom the complainant had been working.
With respect to the e-mails received through the complainant’s e-mail account after termination of employment, Mapei emphasized that all of them were strictly related to work, and that the company did not acquire any personal data related to the complainant’s private life.
Mapei claimed that its right to keep a former employee’s e-mail account active derived from the company’s internal policy on the use of e-equipment which was in force at the moment of termination of the complainant’s employment. The policy provided that “the employee’s e-mail account is exclusive property of the company” and that the company “at any time, in case of a declared, justified and documented need, reserves the right to access any e-mail.”
Garante’s findings and conclusions
Garante found that Mapei’s practice of keeping the complainant’s e-mail account active after termination of his employment was not in line with the principles of lawfulness and data minimization under GDPR. Garante noted that Mapei had indiscriminate access to all received electronic correspondence, which included personal data related to the complainant’s private life (such as notifications related to the complainant’s LinkedIn account and advertising messages for services which are not related to the complainant’s work activities), although Mapei claimed the opposite. Mapei should have adopted technical and organizational measures which would ensure the protection of the complainant’s and third parties’ personal data while at the same time satisfying the company’s legitimate interest to access the information for the purposes of management of its business operations.
So, in order to be compliant with GDPR, what should employers do? Garante’s solution is that a former employee’s e-mail account should be deactivated. At the same time, senders of e-mails to the departed employee should receive an automatic response about the employee’s termination of employment and an alternative e-mail address to which the sender can re-send the e-mail. Thus, the employer can still achieve the purpose of effectively managing its business operations, but in a way which protects the employee’s and third parties’ personal data.
Garante had already taken the same position in the decision issued on 4 December 2019 dealing with a similar case. (Around the same time, the Slovenian data protection authority also articulated the same position, in its guidelines on the processing of personal data in the context of employment.)
In the Mapei case, Garante also concluded that the company did not inform the complainant about the possibility of keeping his e-mail account active after termination of employment. Contrary to the company’s claim in the proceedings, Mapei’s internal policy on the use of e-equipment did not contain any provision which explicitly entitled Mapei to keep the e-mail account active.
Garante ordered Mapei to pay an administrative fine in the amount of EUR 15,000.00.
Comment
Employers should keep in mind that they are obliged to protect former employees’ and third parties’ personal data, even in the event of termination of employment. Keeping a former employee’s e-mail account active to redirect the received e-mails to another address leads not only to processing of the ex-employee’s personal data, but also to processing of the sender’s personal data. Such data can easily relate to their private life. Even though the employer has a legitimate interest to access the e-mails, its legitimate interest must be curbed in order not to jeopardize the fundamental right to respect for private life of the data subject (Article 8 of the European Convention on Human Rights).
Deactivating an employee’s e-mail account upon termination of employment and giving the sender an option to re-send the e-mail to another address within the company seems to be a simple solution protecting the interests and rights of all those involved. The employer may continue its business operations with little or no disruption, while the right to protection of personal data and to respect for private life of the data subjects remains protected.
[Note: The Serbian Data Protection Act and the current draft of the Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as instructive guidance for compliance with local regulations.]