GDPR, May 21, 2026

APD/GBA (Belgium) - 101/2026

Belgian DPA fines tech company €176,946.61 for unlawfully retaining contractor email account post-departure.

Summary

Belgium's Data Protection Authority (APD/GBA) issued a €176,946.61 fine against a tech company for maintaining an active email account of a departed contractor without lawful basis and failing to meet transparency obligations under GDPR Articles 5, 12, 13, 15, and 24. The DPA found the company retained the mailbox beyond a reasonable one-month transition period, restricted data subject access rights unjustifiably, and failed to demonstrate adequate security measures or access logging. The authority ordered the company to comply with the contractor's access request, delete personal data, provide access logs, and implement systemic controls for employee/contractor offboarding.

Full text

The DPA fined a tech company a total of €176,946.61 for unlawfully keeping active the email account of a contractor after they left the company and for transparency obligation infringements. The DPA also ordered the company to comply with the contractor's access request, provide access logs, delete the personal data afterwards and take measures to ensure future compliance.

In the second phase, the DPA found that, immediately after the end of the collaboration, the controller had a legitimate interest under Article 6(1)(f) GDPR for keeping the email account active for up to one month in order to inform the data subject’s contacts of the departure from the company and to provide a new contact point.

In addition, the DPA explained that the end of the collaboration meant, among other things, a change in the purpose and legal basis for the processing of personal data in the data subject’s mailbox, a change in the recipient of the emails and a loss of control for the data subject over the personal data in the mailbox. Since neither the data subject nor their contacts were informed about these changes, the DPA held that the controller breached Article 12 GDPR and Article 13 GDPR by failing to comply with its transparency obligations in relation to the data subject and their contacts after the data subject’s departure from the company.

In the third phase, after 1 June 2023, the DPA held that the controller breached Article 5(1)(a) GDPR in conjunction with Article 6(1) GDPR by continuing to process personal data without a legal basis, since the controller no longer had a legitimate interest for keeping the mailbox active.

Furthermore, the DPA held that the controller also violated Article 5(1)(b) GDPR (‘purpose limitation’), Article 5(1)(c) GDPR (‘data minimisation’) and Article 5(1)(e) GDPR (‘storage limitation’) by continuing to process personal data after 1 June 2023. Moreover, the DPA found that the controller failed to take, or demonstrate that it had taken, sufficient technical and organizational measures to delete the data subject’s mailbox once there was no longer a legal basis for keeping it, thus violating Article 24 GDPR.

In addition, the DPA held that the controller failed to take appropriate measures to facilitate the data subject’s access right and, without justification, limited that right to emails without an out-of-office reply, thus violating Article 12 GDPR and Article 15 GDPR. Specifically, the controller only allowed access to emails received from external (non-company) contacts starting from 1 May 2023, citing the protection of trade secrets and the fact that internal contacts had received out-of-office messages in reply.

Finally, the DPA found violations of Article 5(1)(f) GDPR and Article 5(2) GDPR since the controller failed to demonstrate compliance with the principle of confidentiality and integrity. The DPA noted that the controller failed to prove that no one had accessed the data subject’s mailbox after their departure from the company, since the controller only presented log files for the period between 22 July 2024 and 20 August 2024.

Therefore, the DPA fined the controller €160,860.55 for the infringement of Article 5(1)(a) GDPR in conjunction with Article 6(1) GDPR and €16,086.06 for the infringement of Article 12 GDPR and Article 13 GDPR. The DPA also ordered the controller to bring its processing activities into compliance in relation to the mailboxes of employees and contractors when departing from the company, in light of the violation of Article 24 GDPR.

Entities

Email account management / offboarding (technology)