GDPR | Apr 29, 2026

APD/GBA (Belgium) - 86/2026

Belgian DPA fines employer €8,500 for unlawfully retaining former employee email and accessing private communications.

Summary

The Belgian Data Protection Authority (APD/GBA) issued a decision against an employer that systematically retained former employees' email addresses and mailboxes for up to three years, accessing private communications without legal basis. The DPA found violations of GDPR Articles 5(1)(a), 6(1), 12, 17, 24, and 25, and rejected the employer's claims of consent and legitimate interest. The DPA imposed an €8,500 fine and ordered immediate deletion of the data with proof of compliance within 30 days.

Full text

The DPA noted that processing of a personalised professional email address is lawful as necessary for the performance of the employment contract under Article 6(1)(b) GDPR during the term of employment, but once the employment relationship has ended, this legal basis no longer applies.

The DPA acknowledged that a controller may have a limited legitimate interest under Article 6(1)(f) GDPR in keeping a former employee's email address active for a short period solely to send an automatic reply informing correspondents of the departure. Such an automatic reply may normally be maintained for one month and, if justified by additional circumstances, extended by up to two further months, with a maximum total period of three months. At the end of this limited period, both the email address and the associated mailbox must be permanently deleted.

In this case, the DPA found that the email address was active until at least 19 April 2023 and that the controller had occasionally accessed the mailbox and private communications intended for the data subject, without setting an automatic reply message during that period. The DPA noted that the same creditor had contacted the old email address on 28 April 2022 and again on 20 January 2023, which suggested that the creditor had not been informed through an automatic reply. The available evidence only showed an automatic reply on 19 April 2023.

The DPA pointed out that the controller failed the necessity test too, because the data subject's mailbox was retained for an unnecessarily long period and, during that period, the controller also accessed incoming private communications intended for the data subject. Therefore, the DPA ruled that the controller cannot rely on Article 6(1)(f) GDPR.

Additionally, the DPA rejected the controller's argument that the data subject had validly consented to the retention by signing the employment contract. Referring to Article 4(11) GDPR, Article 7 GDPR and Recital 43, the DPA held that the clear power imbalance inherent in the employment relationship means that consent given at the start of employment cannot be considered freely given. Furthermore, the DPA noted that the controller's own privacy policy cited legitimate interest, not consent, as the legal basis for email-related processing.

The DPA accordingly found a violation of Article 5(1)(a) GDPR in conjunction with Article 6(1) GDPR.

On the erasure request, the DPA found that the data subject had asked the controller to block the old email address on 20 January 2023. The DPA noted that a request under Article 17 GDPR is not subject to formal requirements and that the data subject does not need to justify why erasure is required. The controller must itself assess whether one of the grounds for erasure applies. Since the mailbox was no longer necessary and had been unlawfully processed, the data subject had a right to erasure under Article 17(1)(a) GDPR and Article 17(1)(d) GDPR. The controller also failed to facilitate the request and to inform the data subject within one month of the action taken. The DPA therefore found violations of Article 12(2), Article 12(3) and Article 17 GDPR.

The DPA found that the controller had implemented a policy under which it systematically kept former employees' email addresses and mailboxes active for up to three years, retained their contents and, if it deemed it necessary, accessed them without a legal basis. The controller failed to demonstrate any appropriate technical and organisational measures to ensure lawful processing or to facilitate the exercise of data subjects' rights. Consequently, the DPA found violations of Article 5(2) GDPR, Article 24(1) GDPR and Article 25(1) GDPR.

Entities

Belgian Data Protection Authority (APD/GBA) (vendor)