Data Protection

When employment ends, data duties remain: Guidance on email management from the Maltese data protection authority

06 Jun 2025

4 min read

Author: Erika Criscione

The end of an employment relationship does not mark the end of employers’ data protection obligations, especially when it comes to handling the former employee’s email account. From a GDPR standpoint, this post-departure phase presents a number of legal and operational challenges that require careful attention to avoid compliance risks and potential breaches.

To assist employers in addressing these challenges, the Maltese Information and Data Protection Commissioner (IDPC) has published a set of Frequently Asked Questions (FAQs) on the Management of Employee Email Accounts (Post-Departure).

The IDPC’s approach aligns with that of its European counterparts, such as the French, Belgian and Italian data protection authorities, in recognising that, while the protection of business continuity constitutes a legitimate interest for employers, such interest must be carefully balanced against the fundamental rights to data protection and privacy of employees and former employees.

This article analyses the key considerations highlighted in the IDPC’s FAQs and explores how employers can build GDPR-compliant practices within their organizations.

Automatic e-mail forwarding: a no-go

The IDPC has clarified that setting up an automatic forwarding rule from a former employee’s account to another individual’s mailbox within the organisation is generally not compliant with the GDPR.

Why?

Because even with strict policies in place requiring that work email is used for professional purposes only, personal content may still be exchanged through corporate email systems. Forwarding those emails by default to someone else in the organisation can amount to an unauthorised disclosure of personal data: a GDPR red flag.

The IDPC pointed out that such emails are not considered the property of the employer and therefore their processing must be GDPR compliant.

Setting the right automatic reply: a simple and smart move

Instead of automatic forwarding, the IDPC strongly recommends the use of automatic reply messages upon an employee’s departure.

An effective auto-reply should:

  • Clearly state that the employee is no longer with the organisation;
  • Provide the contact details of an alternative person or department within the organisation;
  • Specify how long the auto-reply will remain active, after which emails sent to that address will no longer be deliverable.

The IDPC suggests a one-month timeframe as a standard “reasonable period” for the auto-reply to remain active. However, a slightly longer period can be justified where necessary, for example if the employee held a critical role. In that case, organisations must be able to demonstrate that the extended period is necessary and proportionate.

What are the best practices for GDPR email management?

Keep internal records justifying the automatic reply duration, even if it’s not mandatory. Such records may also be critical in the event of inquiries from authorities or data subjects.

Planning ahead for GDPR-compliant employee email management

Organisations should manage employees’ mailboxes properly before their departure.

The IDPC recommends that while the employment relationship is ongoing, employers should:

  • Adopt a clear internal policy on email account management;
  • Make sure employees read, understand and acknowledge the policy (read-and-sign procedure);
  • Encourage staff to separate personal and work emails (e.g., by using separate folders).

On the day of the employee’s departure: handle with care

When an employee leaves, the employer should:

  • Give the departing employee the opportunity to take a copy of and delete any personal or private emails in the mailbox;
  • Set the recommended automatic reply immediately;
  • Consider whether the contents of the mailbox should be archived to preserve important business information. The decision on archiving should take into account factors such as the nature of the employee’s role and the organisation’s operational needs;
  • Give the departing employee the opportunity to retrieve or delete any personal emails in the inbox, if this was not done on the last day of work.

After the employee’s departure: what not to do

Certain practices are strongly discouraged once an employee has left, including:

  • Granting access to the former employee’s mailbox to other staff members;
  • Impersonating former employees by sending emails from their account;
  • Setting up an automatic email forwarding rule;
  • Failing to uphold data protection principles after the employment relationship ends.

Each of these actions could easily breach GDPR’s principles of data minimisation, purpose limitation and respect for individual privacy.
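The auto-reply requirements, the one-month standard period, and the post-departure prohibitions above can be turned into a simple offboarding audit. The following Python script is an added example, not part of the IDPC FAQs or this article; the mailbox record fields (forwarding rules, delegates, auto-reply text and end date, extension justification) are assumptions modelled on an export from a generic mail system, and the sample mailboxes are constructed. The audit returns finding codes for each departure from the FAQ checklist so that the record can be kept as the internal justification the article recommends.

```python
"""Post-departure mailbox audit modelled on the IDPC FAQ checklist (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# The IDPC's standard "reasonable period" for the auto-reply (about one month).
STANDARD_AUTOREPLY_DAYS = 30


def build_auto_reply(name: str, contact: str, end_date: date) -> str:
    """Compose an auto-reply containing the three elements the FAQ expects:
    departure notice, alternative contact, and the date the reply stops."""
    return (
        f"{name} is no longer with the organisation. "
        f"Please direct your enquiries to {contact}. "
        f"This automatic reply will remain active until {end_date.isoformat()}, "
        "after which messages to this address will no longer be delivered."
    )


@dataclass
class MailboxState:
    """Assumed shape of a mailbox configuration export (not a real product API)."""
    address: str
    departure_date: date
    auto_reply_text: str = ""
    auto_reply_end: Optional[date] = None
    forwarding_rules: List[str] = field(default_factory=list)  # destination addresses
    delegates: List[str] = field(default_factory=list)         # accounts granted access
    alternative_contact: str = ""
    extension_justification: str = ""  # written rationale if reply runs past 30 days


def audit_mailbox(m: MailboxState) -> List[str]:
    """Return finding codes for every departure from the FAQ checklist."""
    findings: List[str] = []
    # Forwarding to another individual's mailbox is the practice the FAQ rules out.
    for dest in m.forwarding_rules:
        findings.append(f"FORWARDING_RULE:{dest}")
    # Granting other staff access after departure is strongly discouraged.
    for who in m.delegates:
        findings.append(f"DELEGATED_ACCESS:{who}")
    # The auto-reply must exist and carry all three required elements.
    if not m.auto_reply_text:
        findings.append("AUTOREPLY_MISSING")
    else:
        text = m.auto_reply_text.lower()
        if "no longer" not in text:
            findings.append("AUTOREPLY_NO_DEPARTURE_NOTICE")
        if not m.alternative_contact or m.alternative_contact.lower() not in text:
            findings.append("AUTOREPLY_NO_ALTERNATIVE_CONTACT")
        if m.auto_reply_end is None or m.auto_reply_end.isoformat() not in m.auto_reply_text:
            findings.append("AUTOREPLY_NO_END_DATE")
    # One month is the standard; anything longer needs a documented justification.
    if m.auto_reply_end is not None:
        days = (m.auto_reply_end - m.departure_date).days
        if days > STANDARD_AUTOREPLY_DAYS and not m.extension_justification.strip():
            findings.append(f"AUTOREPLY_EXTENDED_UNJUSTIFIED:{days}d")
    return findings


def compliant_example() -> MailboxState:
    """Constructed mailbox that follows the checklist."""
    left = date(2025, 6, 6)
    end = left + timedelta(days=STANDARD_AUTOREPLY_DAYS)
    return MailboxState(
        address="jane.doe@example.com",
        departure_date=left,
        auto_reply_text=build_auto_reply("Jane Doe", "hr@example.com", end),
        auto_reply_end=end,
        alternative_contact="hr@example.com",
    )


def noncompliant_example() -> MailboxState:
    """Constructed mailbox showing the discouraged practices."""
    left = date(2025, 6, 6)
    return MailboxState(
        address="jane.doe@example.com",
        departure_date=left,
        auto_reply_text="Jane has left. Contact the office.",
        auto_reply_end=left + timedelta(days=60),
        forwarding_rules=["colleague@example.com"],
        delegates=["manager@example.com"],
        alternative_contact="hr@example.com",
    )


if __name__ == "__main__":
    for box in (compliant_example(), noncompliant_example()):
        print(box.address, audit_mailbox(box) or ["COMPLIANT"])
```

Running the script prints an empty finding list for the first mailbox and six findings for the second (the forwarding rule, the delegated access, the three missing auto-reply elements, and the unjustified 60-day period); an extended period becomes acceptable to the audit only once `extension_justification` records why it is necessary and proportionate.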

Conclusion: keeping the balance right

The IDPC’s guidance underscores the delicate balance between an employer’s legitimate interest in ensuring business continuity and the fundamental data protection principles enshrined in the GDPR.

In practice, this requires that organisations:

  • Establish internal protocols governing mailbox access, monitoring and archiving;
  • Document the legal basis for processing; and
  • Ensure that data is only retained for as long as necessary.

Ultimately, post-employment email management is about handling the transition in a manner that upholds accountability, proportionality and respect for individual rights.
