GDPR Fines

Fine for use of email account of ex-employee.


When an employee leaves, be aware of how you treat their email accounts!

What do you do when an employee is leaving your company? The employee will probably have a corporate email account issued by the firm, but equally accounts on any of the company tools in use, e.g. the CRM tool, the HR tool, etc.

Can you just delete or take over these accounts? Taking into account GDPR and good privacy practices, do you have to be more careful?
A Norwegian company made some mistakes handling an email account transfer from a former employee that cost them 14.700€ in fines. Let’s see what happened and what you can learn from it.

GDPR Fines – example

An employee of a Norwegian business ended their employment with the company. During the notice (resignation) period, the employer changed the password and took over the work email account without letting the individual know, thus not giving them the opportunity to delete personal content. Further, the email account was not deleted after they left the company.

The former employer ignored the former employee's request to delete the email account and only set a vacation note. In its reply to the Norwegian DPA, the former employer argued that it was necessary to keep the inbox in order to uphold customer relations and to ensure it received necessary operational information until the former employee had been replaced.

The DPA found violations of various provisions of the GDPR. It held that the former employer violated the GDPR when accessing the employee's email account and emails. Moreover, the former employer did not inform the employee and thereby violated Article 13 GDPR. The DPA found a further breach of the GDPR, as the former employer did not discontinue the employee's email account. For these breaches the former employer was fined 14.700€.


Taking into account the above ruling and other similar cases, we advise the following best practices around the email and other accounts of your employees:

  1. Make sure you have an employee privacy policy in place that covers the use of, and access to, email accounts and other accounts.
  2. Document your company's internal processes for how you handle accounts, and the handover of accounts, in the event of a termination of employment.
  3. Never terminate a personal work email account, e.g. Firstname.lastname@yourcompany.eu, without prior notice to the employee.
  4. Always terminate a personal work email account, e.g. Firstname.lastname@yourcompany.eu, once the employee has left the company.
  5. Do not rely solely on personal work email accounts, e.g. Firstname.lastname@yourcompany.eu, for any of the functions within the firm. Make sure to have more generic addresses such as sales@yourcompany.eu or info@yourcompany.eu, so that you can advise your customers to use these addresses when an employee is leaving.

Link to original ruling: https://www.datatilsynet.no/regelverk-og-verktoy/lover-og-regler/avgjorelser-fra-datatilsynet/2021/virksomhet-far-gebyr-for-innsyn-i-tidligere-ansatts-e-postkasse-og-manglende-avslutning-av-e-postkassen/

Are you lacking a Staff Privacy Policy? Join GDPRWise now and generate your Staff Privacy Policy in no time!