Header image overlay

What do you do with a personal mailbox of an employee leaving the company?

It is never nice when an employee decides to leave your company, but there is no way around it. Every company has an employee who chooses another challenge from time to time. Now, what do you then do with that employee's personal mailbox? And more importantly, what are you legally allowed to do or not do?

Block and close mailbox

To get right to the point: actually, you should have a personal mailbox lock and delete on the day the employee leaves. After all, a mailbox, whether in the employee's personal name or not, which may also be used by the employer for private purposes, contains personal data and thus belongs to the employee's privacy. Therefore, the contents of a mailbox that is also used privately may not simply be checked.

So, according to GDPR, you are not allowed to keep a personal mailbox, which is in the employee's name, open when they leave, let alone view it. No later than 1 month after the departure date of the employee, the mailbox must be permanently closed. This extra month still gives you a chance to notify customers, for example via an out-of-office.

In contrast, a functional or general mailbox, e.g. info@..., should not be closed.

However, what you should always do immediately is block the mailbox for the employee on the day of his/her departure. This way, you will prevent abuse. But blocking a mailbox is not the same as closing it permanently. You still have to give the employee the option of deleting or transferring his/her private e-mails. This is best done in consultation.

Duty to inform

A very important point in this story: a company has a duty of information for the control of personal data. That is, everything that happens around this when an employee leaves must be communicated to the employee beforehand via a policy. Or, if there is no policy, the employee must at least be informed upon departure via a letter of the steps the employer intends to take with the mailbox.

Transparency is very important. As soon as you try to keep things hidden, people get suspicious and will more easily invoke a breach of privacy.

What about the mails in that mailbox?

Closing a mailbox is all well and good, but there are probably quite a few mails left in that mailbox. What do you do with those? Are you still allowed to look at them? The answer depends on the situation.

As long as the mailbox is still open, in theory you can still enter it. Yet it is better not to do so. If it is a mailbox that the employee was also allowed to use privately, it will undoubtedly contain private e-mails. And according to privacy laws, you are not allowed to look at them. For this reason, you cannot just go rummaging through a mailbox.

Still, do you need an important mail that you know is in the mailbox, such as an order form? Then it is about the economic interest of the company and you are allowed to go and find it. But beware, not just anyone is allowed to do that. You have to appoint a confidential person and only that person is allowed to look in the mailbox. This rule also exists to prevent abuse. But even this person is not allowed to look at private emails.

Who that confidant is should also be put in a policy and communicated to employees.

The importance of those emails also depends on the degree of responsibility of the employee. Someone who had a managerial position and was employed at the company for a long time probably has important info in his/her mailbox. If so, that extra month could be extended to a maximum of 3 months. However, the employee should be informed of this.

Can you set a forward to another person?

In principle, this would be allowed during the period the mailbox is still open, as long as the mails are sent to the confidant and as long as only professional mails are forwarded. Since it is not always easy to indicate which mails are professional, this working method is not preferred.

However, linking or passing on the ex-employee's personal mailbox to another user is not allowed. This is only allowed for functional mailboxes (e.g. boekhouding@eurosys.be), which, as mentioned above, should also never be closed when an employee leaves.

One solution: the out-of-office

Setting an out-of-office for the personal mailbox is a good idea, though. That way, as a company, you don't make the mistake of facing any private emails. It is certainly advisable to include the possible successor in the message. Then there is less chance of emails being lost in the future.

Of course, you may only set this out-of-office for as long as the period the mailbox is still online. So one or at most 3 months depending on the situation. During that period, you should contact all customers to inform them of the departure.

As soon as the mailbox is actually closed, the sender of any mails will receive a notification from the mail server that the mailbox no longer exists. You should then send a test mail to that closed mailbox so that you can print that notification as proof.

Do try to disconnect this out-of-office from control. Use the month you still have the out-of-office only to reach your customers and not to check the mailbox. If you do check, then again it should be through the trustee and you should have updated your policy accordingly.

What if dismissed with immediate effect?

In the case of dismissal without notice, you are still allowed to look in the personal mailbox. This concerns the legitimate interest of the company (e.g. continuity). The employee has then not been able to clean up his mailbox himself.

The personal mailbox is also still a professional mailbox, so you may assume that it contains professional mails. But you are not allowed to check every mail just yet. Mails that you can tell at first glance are private mail should definitely not be opened. The exercise should also be limited in time. Depending on the context and in the context of a legal dispute, there might be another reason to go and check the mailbox.

Can a company view which emails were still sent or deleted?

Only if there is a suspicion of illegitimate interest or abuse, may a company go and check which emails the employee still sent or deleted during his notice period. Think competition, for example. But going to screen without question is not allowed. And under no circumstances may you take note of the content of private e-mails.

The ideal situation

We have briefly gone over what you may and may not do with a personal mailbox when an employee leaves, but there is a simple way to avoid all these problems. And that is to sit down with the employee before departure and going through the mailbox together. The employee takes out his/her private emails and important work emails are put in a folder or in the ERP system. This way, even before the employee's last working day, you know that no important mails are lost in the mailbox.

Besides, as a company, it is better to avoid having a lot in a mailbox. If important e-mails during employment always have to be put in a folder or in the system immediately, e-mails can be deleted more quickly. Thus, the mailbox becomes much less important and you actually go back to the essence for which a mailbox serves: a communication tool.

If that does not work, you can also avoid problems by keeping the mailboxes purely professional (this must be stated in the policy) or by working with functional mailboxes that may not be used for private purposes. Another possibility is that you oblige the employee who is allowed to use a mailbox privately to work with separate folders for private and professional mail, so that any necessary follow-up of the mailbox, for instance in case of illness of the employee, can be done in the interest of the continuity of the company while respecting the employee's privacy.

An employee's agreement can also have significant value, but that agreement must be given after the dismissal.

The applicant claims that the Court should

The main elements in this story are:

The personal mailbox may still 1 month remain online after the employee's departure.
You should transparent communicate any follow-up or control of the mailbox on departure: a well-developed IT policy is a must!
You have to look at the interests, both economically for the entrepreneur and the privacy of the employee. Sometimes privacy can and may be violated, but that is a balancing of interests and it is not absolute. So caution remains imperative at all times.

This article was produced in collaboration with Odigo Lawyers.

"The importance of those emails also depends on the level of responsibility of the employee."

share this post:

Need help or inspiration?
Schedule a visit to our Inspiration Centre in Geel, at one of our events, trainings or workshops. Ask your questions and discover where VanRoey can support your organisation.
Proper licence management can save your organisation considerable costs. Hence, don't miss this workshop on 28/01 in Geel!
Since 18 October, NIS-2 is officially in force! Together with our partners, we are organising a Cybersecurity Workshop on 30/01 to share practical insights and tools that you can apply immediately to protect your organisation and become NIS-2-compliant.