The Management of Email Accounts of Former Employees
Introduction
Typically, when an employee departs, their corporate email account remains active and accessible to the employer for a period of time. During this time, the email archive and new incoming messages are forwarded to the employee's manager or another colleague. This is done to ensure the smooth contiunation of ongoing work and projects in the workplace and to prevent the loss of important emails even after the employee has left. However, employers often overlook the fact that they continue to process the employee's personal data in this way even after the employment relationship has ended. Employees may also use their corporate email accounts for personal purposes, or receive emails sent to that address containing personal data of the sender. Moreover, email addresses containing the personal information such as first and last names are considered personal data on their own.
Therefore, this practice carries the risk of violating the employee's right to privacy and protection of private life.In fact, data protection authorities, who are aware of this risk, have also addressed this issue, and consider it a a violation of the right to personal data protection. In this article, the decision[1] of the Personal Data Protection Board ("Board") dated 3 August 2023, and numbered 2023/1321, as well as the decision[2] of the Belgian Data Protection Authority ("Authority") dated 29 September 2020, and numbered 64/2020, are discussed.
Board Decision
Incident Leading to the Board Decision
In the incident subject to the decision, the affected data subject submitted a complaint to the Board, claiming that he left the company where he had previously been a partner, but stated that his email address used during the partnership was kept active, allowing the company to read emails sent to this address. The individual claimed that his application to the data controller regarding this matter was unsuccessful. The data controller company, in its defense, stated that the email account was closed and usage was blocked after the individual left the company. They mentioned that emails sent to the email address with the company extension were redirected to administrators as "undefined mail" in line with company practices, and there was no personal data in the emails contrary to the claims.
The Board's Findings and Evaluations
Upon investigation, the Board found that an email from an old customer, unaware that the individual had left the partnership, was responded to. Additionally, a response was sent to an email mistakenly sent to the wrong address by personnel working with the individual.
The decision recognizes that e-mail messages are personal data and states that the employer, as the data controller, processes personal data without complying with the legal grounds established by Law No. 6989 on the Protection of Personal Data. In other words, it was determined that the employer had no legal basis for accessing the e-mail accounts of former employees and that this practice was unlawful. Accordingly, the Board decided to impose an administrative fine of 50,000.00 TL on the employer. Another noteworthy aspect of the decision is that the employer was ordered to take corrective measures to stop processing the personal data of the departing employees and to destroy the personal data that was the subject of the complaint.
As a result, the Board finds it unlawful for employers to redirect departing employees' e-mail accounts within the company and access their e-mail messages. The Board's decision indicates that companies should cease such practices and implement a different system.
Authority Decision
Incident Leading to the Authority Decision
In a similar case, the individual had served as the manager of a family business for a long period, playing a key role in the general operation of the company and in various commercial, regulatory, and managerial areas. The individual's position in the company was abruptly terminated in 2016 without any agreement. Nevertheless, the company continued to use two email addresses containing the data subject’s first and last name. When the data subject became aware of this situation, he applied to the data controller in 2019, requesting that the use of these addresses be stopped, but his application was unsuccessful.
The employer, in its defense, provided the following reasons:
- All emails reaching the email archive and received after the termination date were directed to the management assistant and were not used for responding to messages. Messages sent to the individual's account were answered through the management assistant's email address.
- The email archive was examined only within the scope of the business relationship. Access to the individual's emails was never intended.
- The email account was kept active due to the individual's significant role as a company executive in terms of company activities and workflow. The company aimed to ensure that no important information or communication related to business management was lost.
The Authority's Findings and Evaluations
Similar to the Board, the Authority acknowledges that email addresses belonging to employees are considered personal data. Additionally, the Authority recognizes that personal data of third parties who send emails to former employees and are unaware of the current situation are being unlawfully processed.
According to the Authority, keeping email accounts of former employees active for extended periods and redirecting these accounts to third parties within the company contradicts the fundamental principles of the General Data Protection Regulation ("GDPR") (violation of the lawfulness principle, purpose limitation, data minimization, and data retention). In this specific case, the data controller was fined 15,000.00 Euros.
As explained below, the Authority emphasized that the former employee’s email account should be kept active for a short period of time and an automatic response system should be set up for emails that may be sent to that account. Accordingly, third parties should be informed about the current situation and be redirect to a different contact.
Management of Email Accounts of Departing Employees
As briefly mentioned earlier, both the Board and the Authority consider it unlawful for employers to keep the email accounts of former employees active and to forward them to a another employee within the company. Analyzing the reasoning of both data protection authorities, it can be said that the best system that employers can set up regarding the management of departing employees’ email accounts may be as follows:
- Employees should be informed about the fate of the email account assigned by the employer prior to the termination of the employment relationship. In regard to this information, internal policies and procedures must explain the management process of email accounts and be available to employees.
- Employees should be given the opportunity to forward their personal emails to their personal accounts and delete them from the workplace computer before leaving employment.
- Access to the email account should be blocked no later than the day the employee leaves the company.
- An automatic response system should be established for emails that may be sent to the blocked email account. The automatic response should contain information that the account owner no longer works for the company and provide contact information for the person to be contacted instead.
- This procedure should be in place for a reasonable period of time. The Authority suggests that a reasonable period is approximately 1 (one) month but can be extended based on the specific situation and the level of responsibility assumed by the individual. However, it is recommended that this period should not exceed 3 (three) months in any case.. If the period is extended, it should be justified, the consent of the individual should be obtained, or at least the individual should be informed. The employer should seek and implement an alternative solution as soon as possible before the extension period expires.
- The email account should be deleted after the automatic response period ends.
- To avoid any disruptions in the workplace, important emails in the email archive can be forwarded to another employee before the employee leaves the office and, if possible, in the employee’s presence. If there is a dispute between parties, intervention by a reliable person is recommended.
Conclusion
Regarding the management of departing employees’ email accounts, neither data protection authority recognized the employer's interest in ensuring workflow within the company as legitimate. Instead, they prioritized the right to protect the personal data of the employee. Therefore, keeping employees' email accounts active and forwarding them to a different employee within the company was considered a violation of data protection legislation. As a result of this approach, it may be considered that employers should reconsider their current practices and choose the method that interferes the least with the personal data of departing employees, in line with data protection principles.
The Authority's preferred method is to direct the senders of emails to a different employee and inform former employees of this procedure. However, the decisions of the Authority and the Board are a guide for the necessary steps. Accordingly, each company should take the appropriate steps for its own operation within the limits set by the data protection authorities and establish a system that complies with data protection principles.
- Summary of the Decision of the Personal Data Protection Board dated 03.08.2023 and numbered 2023/1321, https://kvkk.gov.tr/Icerik/7776/2023-1321 , (Date of Access: 04.02.2024).
- Decision of the Belgian Data Protection Authority dated 29.09.2020 and numbered 64/2020, https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-64-2020.pdf , (Date of Access: 04.02.2024).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
In today's world, we now have the opportunity to purchase many products and services through e-commerce platforms with a single click from wherever we are. During these purchases, our personal data are collected and used through the websites or mobile applications of e-commerce platforms for various...
The processing of genetic data has the potential to affect not only the data subjects but also the persons with whom the data subject is genetically connected. “The Guidelines on Issues to be Considered in the Processing of Genetic Data” (“Guidelines”) published by the Personal Data Protection Authority...
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...
