Belgium: DPA reprimands non-profit organisation for maintaining employee email address post-termination
The Belgian Data Protection Authority ('Belgian DPA') issued, on 2 December 2021, its decision No. 133/2021 in DOS-2020-00233, reprimanding an unnamed non-profit organisation for violations of Articles 5(1)(b), (c), 6(1), and 13(1)(c) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The organisation had kept the complainant's email address and mailbox active after the complainant's employment agreement had ended, which made it possible to read received emails and, if necessary, respond in the complainant's name.
Background to the case
In particular, the Belgian DPA highlighted that the complaint concerned the use of the professional email address, in the name of the complainant, by members of the organisation after the termination of the complainant's employment. The decision itself concerns three defendants: the organisation itself (the first defendant) and two members of the organisation involved in the transmission of emails (the second and third defendants). Further to this, the Belgian DPA noted that the incident was discovered due to an email sent by the second defendant, in response to an email sent by a former colleague of the complainant, who was advised that the professional email address, in the name of the complainant, would cease to exist.
Findings of the Belgian DPA
The Belgian DPA found that the complainant's email address was still in the organisation's system in January 2020, despite the fact that the employment agreement with the complainant had ended in 2019. Furthermore, the Belgian DPA added that the complainant had not received information about further use of their mailbox and email address, besides being told that they no longer would have access to it. The Belgian DPA noted that, as a result, the second defendant was able to read emails addressed to the complainant and, if necessary, answer from the complainant's email address. As such, the Belgian DPA concluded that the organisation had violated Articles 5(1)(b)-(c) of the GDPR.
With regard to the management of the email address and the messages in the email inbox following termination of the complainant's employment, the Belgian DPA found that the address should no longer have been active or in use, because the employment agreement had been terminated. Further, the Belgian DPA concluded that the organisation could not demonstrate that, following termination of the employment, the complainant had been informed of the legitimate interest in processing their personal data post-termination. In this regard, the Belgian DPA confirmed that the organisation was in violation of Article 6(1) of the GDPR, in conjunction with Article 13(1)(c) of the GDPR.
In addition, the Belgian DPA found that the second and third defendants, as members of the organisation, did not act in their own right, but on behalf of the company which acted as the data controller and determined the means and purpose for the processing of personal data, and as such the violations pertain only to the organisation itself.
In conclusion, the Belgian DPA issued a reprimand to the organisation, which it concluded to be the most proportionate sanction, taking into account the fact that the main defending organisation was a non-profit organisation.
In addition, the Belgian DPA determined that it would not have been appropriate to issue a monetary penalty in this case, but that publication of the decision would constitute a sufficient deterrent.
You can read the decision, only available in Dutch, here.