When an employee leaves your company, what do you do with their accounts? They will probably have a corporate email account issued by the firm, plus accounts on the tools you use day to day: the CRM, the HR system, and so on.
Can you just delete or take over these accounts? Taking the GDPR and good privacy practice into account, you have to be more careful than you might expect.
A 14,700 EUR lesson from Norway
A Norwegian company made several mistakes handling the email account of a former employee, and it cost them 14,700 EUR in fines. It is worth understanding what went wrong.
An employee ended their employment with the company. During the notice period, the employer changed the password and took over the work email account, without letting the individual know, and therefore without giving them the opportunity to delete personal content. On top of that, the account was not closed after the employee left.
The former employer ignored the request to delete the email account and only set a vacation note. Asked to explain, the company argued that it needed to keep the inbox running to maintain customer relations and receive operational information until the employee had been replaced.
The Norwegian data protection authority found several breaches of the GDPR:
- Accessing the employee’s email account and emails was unlawful.
- The employer failed to inform the employee, breaching Article 13.
- The employer did not discontinue the employee’s email account.
For these breaches, the company was fined 14,700 EUR.
This is not a one-off
Norway is not an outlier. Data protection authorities across Europe keep fining employers for exactly this, and the rulings are getting firmer.
Italy, 2023. The Italian authority (Garante) fined a company 5,000 EUR after it kept a departed collaborator’s mailbox active, read the incoming mail, and set up automatic forwarding to another employee. The employer argued it needed the account to defend itself in court. The Garante rejected that outright: the interest in defending a legal claim cannot override someone’s right to data protection. It also spelled out the correct alternative, which is to set an automatic reply that points senders to other addresses, without reading the incoming mail.
Belgium, 2026. The Belgian DPA fined a company roughly 176,000 EUR for keeping a former employee’s mailbox active for about six months after departure. The key lesson: deactivating a mailbox is not the same as deleting it. As long as the mailbox keeps existing on your servers, you are still processing that person’s personal data. A short transitional period (typically around one month) can be justified, but after that the mailbox has to go.
Why a work email is personal data
A named work email such as firstname.lastname@yourcompany.eu identifies a specific person. That makes it the personal data of that employee. Keeping the account active after they leave, reading the mail that arrives, or taking it over without notice are all forms of processing, and each needs a lawful basis and proper transparency.
This is the part many businesses miss. Closing the account feels like an IT housekeeping task, but under the GDPR it is a processing decision about someone’s personal data.
Best practice for departing employees’ accounts
Based on the Norwegian ruling and similar cases, we recommend the following:
1. Put an employee privacy policy in place
Make sure you have an employee privacy policy that covers the use of, and access to, mail accounts and other accounts, so staff know in advance how their accounts will be handled when they leave.
2. Document your internal process
Write down how your company handles accounts and the handover of accounts when employment ends. A clear, repeatable offboarding process is your best protection.
3. Never take over a personal work email without notice
Do not change the password on, or take over, a personal work email account such as firstname.lastname@yourcompany.eu without informing the employee first. Give them the opportunity to remove their personal content.
4. Close the account, and actually delete it
Always discontinue a personal work email account such as firstname.lastname@yourcompany.eu once the employee has left the company. Do not keep it running indefinitely to catch incoming mail. Remember the Belgian lesson: deactivating is not deleting. After a short transitional period (around a month), delete the mailbox for good.
5. Use an auto-reply instead of reading the inbox
If you need a window to redirect contacts, set an automatic reply that points senders to a generic address, without opening or forwarding the incoming mail. This is exactly the approach the Italian authority described as the compliant alternative.
6. Do not depend on personal work emails for business functions
Do not rely solely on personal work email accounts for any function within the firm. Set up generic addresses such as sales@yourcompany.eu or info@yourcompany.eu, and ask customers to use these. That way you can close a personal account cleanly when someone leaves, without losing continuity.
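The six steps above can be checked mechanically during offboarding. The following is an added example, not part of the original post or any product: it encodes the rulings' rules (notify before takeover, auto-reply rather than forwarding, delete rather than deactivate after a transitional period) as an audit over a constructed list of departed mailboxes. The 30-day window and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy value: the post says "around a month"; set it to what your own policy states.
TRANSITION_DAYS = 30

@dataclass
class DepartedMailbox:
    address: str
    left_on: date                    # last day of employment
    taken_over_on: Optional[date]    # day the password was changed / account taken over
    notified_on: Optional[date]      # day the employee was told about the takeover
    exists: bool                     # mailbox still on the server (deactivated still counts)
    sign_in_enabled: bool
    auto_reply_set: bool
    forwarding_to: Optional[str]     # automatic forwarding target, if any

def audit(m: DepartedMailbox, today: date) -> list:
    """Return the offboarding violations for one departed employee's mailbox."""
    findings = []
    # Norwegian case: takeover without informing the employee first
    if m.taken_over_on and (m.notified_on is None or m.notified_on > m.taken_over_on):
        findings.append("taken over without prior notice to the employee")
    # Italian case: reading/forwarding incoming mail instead of an auto-reply
    if m.forwarding_to:
        findings.append(f"incoming mail forwarded to {m.forwarding_to}; use an auto-reply instead")
    if not m.exists:
        return findings  # deleted: no personal data left to process
    days_gone = (today - m.left_on).days
    # Belgian case: mailbox still exists past the transitional period
    if days_gone > TRANSITION_DAYS:
        findings.append(f"mailbox still exists {days_gone} days after departure; deactivating is not deleting")
    if days_gone >= 0 and m.sign_in_enabled:
        findings.append("sign-in still enabled after departure")
    if days_gone >= 0 and not m.auto_reply_set:
        findings.append("no auto-reply pointing senders to a generic address")
    return findings

# Constructed sample records (not real accounts): one handled correctly, one repeating all three mistakes.
SAMPLE = [
    DepartedMailbox("a.example@yourcompany.eu", date(2024, 3, 31), date(2024, 3, 31), date(2024, 3, 20),
                    exists=True, sign_in_enabled=False, auto_reply_set=True, forwarding_to=None),
    DepartedMailbox("b.example@yourcompany.eu", date(2023, 10, 1), date(2023, 9, 15), None,
                    exists=True, sign_in_enabled=False, auto_reply_set=False, forwarding_to="sales@yourcompany.eu"),
]

def run_audit(today: date = date(2024, 4, 15)) -> dict:
    return {m.address: audit(m, today) for m in SAMPLE}

if __name__ == "__main__":
    for address, findings in run_audit().items():
        print(address, findings or ["compliant"])
```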
References
- Norwegian DPA ruling (2021, 14,700 EUR): Virksomhet får gebyr for innsyn i tidligere ansatts e-postkasse
- Italian Garante decision (2023, 5,000 EUR): Company email: the employer’s right of defence in court cannot limit the worker’s right to data protection
- Belgian DPA fine (2026, ~176,000 EUR): Belgium: unlawful mailbox retention leads to EUR 176,000 fine
GDPRWise helps you put an employee privacy policy and clear internal processes in place, so you handle departing employees' accounts the right way.