
Belgian Company Fined €177K for Failing to Deactivate Contractor Email Account

A Belgian tech company was fined €176,946.61 for keeping an independent contractor's email account active for over a month after their collaboration ended in May 2023. By continuing to process personal data without a valid legal basis, the company violated GDPR's lawfulness, purpose limitation, and data minimization principles. The case shows how much weight regulators place on timely access revocation and on stopping data processing when a business relationship ends: an account left open past its contract end date is treated not as an oversight but as unlawful processing, and it draws a significant financial penalty.

Tactical Insight

Immediate actions

  • Implement automated account deactivation workflows triggered by contract end dates
  • Conduct audit of all active contractor and former employee accounts
  • Review and update data retention policies to specify maximum timeframes for account maintenance

Long-term improvements

  • Establish formal offboarding procedures that include data processing cessation timelines
  • Implement regular access reviews to identify and remediate orphaned accounts
  • Create GDPR compliance checklists for contract terminations and employee departures

Monitoring measures

  • Set up alerts for accounts that remain active beyond contract end dates
  • Implement quarterly reviews of contractor access permissions and data processing activities
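The audit, alerting and deactivation items above all reduce to one reconciliation: compare the contract end dates the business holds against the accounts the identity directory still has enabled. The script below is an added example written for this lesson, not code from the page or from any named product. All data in it is constructed (the account names, dates and the `CONTRACTS` and `DIRECTORY` structures are hypothetical), and in a real deployment the two inputs would come from an HR or contract-management export and a directory query. It flags accounts still enabled past their contract end (plus an optional grace period), reports how many days overdue each is and whether it was used after the end date, and separately flags enabled accounts with no contract record at all, since those have no end date that could ever trigger deactivation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample data (hypothetical; not taken from the page or any real directory).
# Contract roster as an HR/contract system would export it: account name -> contract end date.
CONTRACTS: Dict[str, date] = {
    "a.dupont": date(2023, 5, 31),    # ended at end of May, account still enabled below
    "b.janssens": date(2023, 12, 31), # still under contract on the review date
    "c.peeters": date(2023, 6, 15),   # ended, but the account was already disabled
}

# Review date for the sample run (constructed).
REVIEW_DATE = date(2023, 7, 10)


@dataclass
class DirectoryAccount:
    """Snapshot of one identity-directory account (constructed shape)."""
    name: str
    enabled: bool
    last_sign_in: Optional[date]


# Constructed directory snapshot. "svc-legacy" has no contract record at all.
DIRECTORY: List[DirectoryAccount] = [
    DirectoryAccount("a.dupont", True, date(2023, 7, 3)),
    DirectoryAccount("b.janssens", True, date(2023, 7, 1)),
    DirectoryAccount("c.peeters", False, date(2023, 6, 14)),
    DirectoryAccount("svc-legacy", True, None),
]


@dataclass
class Finding:
    account: str
    status: str        # "overdue", "orphaned" or "ok"
    days_overdue: int  # days past contract end + grace period; 0 when not applicable
    note: str


def review_accounts(directory: List[DirectoryAccount], contracts: Dict[str, date],
                    as_of: date, grace_days: int = 0) -> List[Finding]:
    """Reconcile enabled accounts against contract end dates.

    - enabled and past end date + grace  -> "overdue" (should already be deactivated)
    - enabled with no contract record     -> "orphaned" (nothing will ever trigger revocation)
    - everything else                      -> "ok"
    """
    findings: List[Finding] = []
    for acct in directory:
        end = contracts.get(acct.name)
        if end is None:
            if acct.enabled:
                findings.append(Finding(acct.name, "orphaned", 0, "no contract record"))
            continue
        deadline = end + timedelta(days=grace_days)
        if acct.enabled and as_of > deadline:
            overdue = (as_of - deadline).days
            note = f"contract ended {end.isoformat()}"
            # Sign-in after the end date means the account was actually used, not just left open.
            if acct.last_sign_in is not None and acct.last_sign_in > end:
                note += f", signed in after end on {acct.last_sign_in.isoformat()}"
            findings.append(Finding(acct.name, "overdue", overdue, note))
        else:
            findings.append(Finding(acct.name, "ok", 0, ""))
    return findings


def accounts_to_disable(findings: List[Finding]) -> List[str]:
    """Accounts the deactivation workflow should act on, sorted for stable reporting."""
    return sorted(f.account for f in findings if f.status in ("overdue", "orphaned"))


def alerts(findings: List[Finding]) -> List[str]:
    """One alert line per account that is still enabled beyond its contract end date."""
    return [f"ALERT {f.account}: {f.days_overdue} days overdue ({f.note})"
            for f in findings if f.status == "overdue"]


if __name__ == "__main__":
    # A seven-day grace period; the a.dupont account still comes out 33 days overdue.
    results = review_accounts(DIRECTORY, CONTRACTS, REVIEW_DATE, grace_days=7)
    for line in alerts(results):
        print(line)
    print("disable:", accounts_to_disable(results))
```

Run as-is the script reports `a.dupont` as overdue (used after the end date, which is the pattern the fine was about) and `svc-legacy` as orphaned, while `b.janssens` and the already-disabled `c.peeters` pass. Scheduling this reconciliation daily gives the "alert when active beyond contract end" monitoring measure, and feeding `accounts_to_disable` into the directory's disable action gives the automated deactivation workflow; the `days_overdue` figure is exactly the gap a regulator would measure.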