Seven commandments when closing the business e-mail account
Many companies remain unaware of how to handle an e-mail account when an employee leaves. The problem is not limited to the Nordics: the Estonian Data Protection Agency has issued new guidelines on the subject. We take a closer look at the new seven commandments in light of the existing guidance from the Danish Data Protection Agency.
Business e-mail accounts can remain active for some time after the termination date, or the release date, for that matter. The period must be as short as possible but will vary depending on the employee's position and tasks. As a general rule, the period should not exceed twelve months.
While the account is active, it must only be used to receive e-mails; it should not be used to send e-mails or to sign in. E-mails should only be forwarded exceptionally. By way of example, private e-mails may be forwarded to the former employee's new e-mail address.
Companies should set up an auto-reply while the account is active. Ideally, the auto-reply should state that the employee is no longer employed and give other relevant information, such as whom to contact instead.
Same rules, different guidelines
The rules are the same within the EU. However, guidelines may vary from one data protection agency to another. For that reason, it is always relevant to look at guidelines from other data protection agencies, as they may help create a better understanding of how the rules work in practice.
In this case, the seven commandments from the Estonian Data Protection Agency are useful when companies are preparing a policy on how business e-mail accounts are handled. The seven commandments are:
- Close the e-mail account immediately
- Set up accounts for each position instead of each employee, if possible
- Provide employees with sufficient information before accessing the account
- Have guidelines for handling the account in connection with termination
- Never access private correspondence
- Ensure that e-mails are archived to avoid data loss
- Make sure that control measures are compliant
Apart from the first point, which differs from the Danish Data Protection Agency's guidance allowing companies up to twelve months, all the points are relevant considerations. We have previously written about the recommendations for handling accounts in connection with termination before the GDPR entered into force here.
IUNO’s opinion
Information obligations also apply when closing business e-mail accounts in connection with termination. Companies can satisfy the information obligations by including a section in the privacy notice describing the processing activity and the retention period. The rules apply regardless of whether the employee resigned, was terminated, or was released.
IUNO recommends that companies be aware that the processing carried out when handling business e-mail accounts requires a legal basis. Usually, legitimate interests can serve as the legal basis when handling business e-mail accounts in connection with off-boarding.