GDPR | May 20, 2026

APD/GBA (Belgium) - 101/2026

Belgian DPA fines tech company €176,946.61 for unlawfully retaining contractor's email account after departure.

Summary

The Belgian Data Protection Authority (APD/GBA) issued a fine of €176,946.61 against a tech company for maintaining an active email account belonging to an independent contractor after their collaboration ended in May 2023, and for failing to meet transparency obligations under GDPR Articles 12 and 13. The DPA determined that after a grace period of one month, the controller lacked a valid legal basis (Article 6 GDPR) to continue processing the personal data in the mailbox, violating the lawfulness, purpose limitation, and data minimization principles. The authority ordered the company to grant access to the account, delete personal data, provide access logs, and implement measures to ensure future compliance.

Full text

APD/GBA - 101/2026

Source: GDPRhub, latest revision as of 19:23, 20 May 2026.

Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR, Article 5(1)(b) GDPR, Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 5(1)(f) GDPR, Article 5(2) GDPR, Article 6(1) GDPR, Article 6(1)(f) GDPR, Article 12 GDPR, Article 13 GDPR, Article 15 GDPR, Article 24 GDPR
Type: Complaint
Outcome: Upheld
Decided: 12.05.2026
Fine: 176,946.61 EUR
Parties: n/a
National Case Number/Name: 101/2026
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Dutch
Original Source: APD (in NL)
Initial Contributor: dalja10

The DPA fined a tech company a total of €176,946.61 for unlawfully keeping active the email account of a contractor after they left the company and for transparency obligation infringements. The DPA also ordered the company to comply with the access request, delete the personal data afterwards, provide access logs and take measures to ensure future compliance.

English Summary

Facts

An independent contractor (the data subject) used to be a part of the ‘extended workforce’ of a tech company (the controller) and had a professional email address on the controller’s domain. The data subject ceased collaboration with the controller in May 2023 but, in the fall of the same year, found out that their professional email address was still active. The data subject contacted the controller in January 2024, informed them that the email address was still active and that the out-of-office message was misleading. Subsequently, they requested access to the emails received in the meantime.
In addition, the data subject requested proof that no one accessed their mailbox after April 2023. In response, the controller offered access to the email account on its premises under supervision. The data subject filed a complaint with the DPA.

Holding

The DPA acknowledged that the email account may contain both personal and business data and noted that there were three successive phases regarding the processing of personal data in the mailbox.

During the first phase (the collaboration), personal data were processed under Article 6(1)(b) GDPR within the framework of the agreement between the two parties.

In the second phase, the DPA found that, immediately after the end of the collaboration, the controller had a legitimate interest under Article 6(1)(f) GDPR for keeping the email account active for up to one month in order to inform the data subject’s contacts of the departure from the company and to provide a new contact point. In addition, the DPA explained that the end of the collaboration meant, among other things, a change in the purpose and legal basis for the processing of personal data in the data subject’s mailbox, a change in the recipient of the emails and a loss of control for the data subject over the personal data in the mailbox. Since neither the data subject nor their contacts were informed about these changes, the DPA held that the controller breached Article 12 GDPR and Article 13 GDPR by failing to comply with its transparency obligations in relation to the data subject and their contacts after the data subject’s departure from the company.

In the third phase, after 1 June 2023, the DPA held that the controller breached Article 5(1)(a) GDPR in conjunction with Article 6(1) GDPR by continuing to process personal data without a legal basis since the controller no longer had a legitimate interest for keeping the mailbox active.
Furthermore, the DPA held that the controller also violated Article 5(1)(b) GDPR (‘purpose limitation’), Article 5(1)(c) GDPR (‘data minimisation’) and Article 5(1)(e) GDPR (‘storage limitation’) by continuing to process personal data after 1 June 2023. Moreover, the DPA found that the controller failed to take, or demonstrate that it had taken, sufficient technical and organizational measures to delete the data subject’s mailbox due to a lack of legal basis, thus violating Article 24 GDPR.

In addition, the DPA held that the controller failed to take appropriate measures to facilitate the data subject’s access right and limited their right without justification to emails without an out-of-office reply, thus violating Article 12 GDPR and Article 15 GDPR. Specifically, the controller only allowed access to emails received from external (non-company) contacts starting from 1 May 2023 for the protection of trade secrets and because internal contacts received out-of-office messages in reply. While the data subject did indeed only ask for access for the nine months after their departure, the DPA found that the limitation to external emails was unjustified since receiving an out-of-office message was not a criterion to restrict the right to access and because the controller could have filtered out sensitive business data prior to the data subject’s access. However, the DPA considered the exercise of the access right on the controller’s premises a proportionate measure due to the possible presence of trade secrets in emails.

Finally, the DPA found violations of Article 5(1)(f) GDPR and Article 5(2) GDPR since the controller failed to demonstrate compliance with the principle of confidentiality and integrity. The DPA noted that the controller failed to prove that no one accessed the data subject’s mailbox after their departure from the company since the controller only presented log files for the period between 22 July 2024 and 20 August 2024.
Therefore, the DPA fined the controller €160,860.55 for the infringement of Article 5(1)(a) GDPR in conjunction with Article 6(1) GDPR, and €16,086.06 for the infringement of Article 12 GDPR and Article 13 GDPR. In addition, the DPA ordered the controller to bring its processing activities into compliance in relation to the mailboxes of employees and contractors when departing from the company in light of the violation of Article 24 GDPR. Moreover, the DPA ordered the controller to comply with the data subject’s access request, delete their personal data afterwards and provide them with a record of access to their mailbox or demonstrate that the data is no longer available.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Decision on the merits 101/2026

I. Facts and procedure

1. The subject matter of the complaint concerns the closure of an employee's professional mailbox in non-GDPR compliance following her departure from the defendant. As an independent consultant, the complainant falls under the category of employee or collaborator of the defendant, more specifically within the category of the defendant's ‘extended workforce’.

2. On 23 April 2024, the complainant lodged a complaint with the Data Protection Authority against the defendant.

3. On 26 April 2024, the complaint was declared admissible by the Primary Care Service on the basis of Articles 58 and 60 of the WOG and the complaint was transferred to the Disputes Chamber on the basis of Article 62, § 1 WOG.

4. On 21 May 2024, the Disputes Chamber decided pursuant to Article 95, § 1, 1° and Article 98 WOG that the file was ready for substantive consideration and the parties concerned were notified by registered mail of the provisions referred to in Article 95, § 2, as well as those in Article 98 WOG. They were also notified pursuant to Article 99 WOG of the time limits for submitting their defenses. The parties were requested to submit their defenses regarding the following a

Entities

Belgian Data Protection Authority (APD/GBA) (vendor)