In brief

The Belgian Data Protection Authority (DPA) has imposed two separate fines totaling approximately EUR 176,000 on a large technology company for unlawfully retaining a former employee’s mailbox. The bulk of the fine — approximately EUR 160,000 — relates to the unlawful processing of personal data, while a further EUR 16,000 concerns transparency failures.

In more detail

Unlawful retention of a former employee’s mailbox

The case concerns a situation in which a former employee discovered, six months after leaving the company, that their professional mailbox remained active. The employee subsequently requested access to the mailbox and the deletion of their personal data.

The DPA found that the continued processing of personal data in the mailbox exceeded what is permissible under the General Data Protection Regulation (GDPR). While an employer may rely on a legitimate interest to maintain a mailbox for a limited transitional period following termination (typically up to one month), this interest is inherently temporary and diminishes over time. In this case, the mailbox remained active well beyond this period, leading to unlawful processing.

Notably, the DPA identified several key shortcomings:

  • The personal data contained in the mailbox were processed without a valid legal basis.
  • The company failed to adequately inform both the former employee and third parties that the mailbox remained active and that their data continued to be processed.
  • Insufficient technical and organizational measures were in place to ensure timely deletion of the mailbox.
  • The data subject’s right of access was not properly respected.


Two distinct fines imposed

The DPA imposed two separate fines reflecting different violations:

  • Approximately EUR 160,000 for the unlawful processing of personal data, as the company retained and continued to process the contents of the mailbox without a valid legal basis.
  • Approximately EUR 16,000 for violations of the transparency obligations, as neither the former employee nor third parties were adequately informed that the mailbox remained active and that their data continued to be processed.

The DPA reiterated that merely restricting access to a mailbox is not equivalent to deleting it, and that any continued storage constitutes ongoing processing subject to GDPR requirements.

Relevant considerations for the determination of the fines

In determining the level of the fines — in particular the main fine of approximately EUR 160,000 — the DPA assessed several key factors:

  • Fundamental nature of the breach
    The infringement concerned the absence of a valid legal basis for continued processing after the permissible period. The DPA emphasized that compliance with the lawfulness principle is a cornerstone of the GDPR framework. Any processing without a legal basis directly undermines this core principle.
  • Duration of the infringement
    The unlawful processing persisted well beyond the limited period during which a legitimate interest could be relied upon. Importantly, the data remained stored for an extended period, which increased the seriousness of the infringement.
  • Negligence and organizational shortcomings
    Although there was no intentional misconduct, the DPA found clear negligence, notably because the company:
    • Was aware of the applicable rules regarding mailbox deletion.
    • Relied on manual processes without sufficient safeguards.
    • Failed to apply existing control mechanisms that could have prevented or detected the error.
  • Scope of the affected data
    Although the case concerned a single mailbox, it included not only the personal data of the former employee but also those of numerous third-party correspondents. This broadened the impact of the infringement beyond a purely internal matter.

The DPA also took into account that the company failed to properly facilitate the data subject’s right of access and lacked adequate technical and organizational measures to ensure compliance.

Conclusion

The decision sends a clear signal that the retention of employee mailboxes must be strictly limited in time and carefully managed. Employers must ensure not only a valid legal basis for any continued processing, but also full transparency, proper access rights, and robust deletion mechanisms. Failure to do so may result in significant fines, even in the absence of intentional wrongdoing.