Can companies “snoop” in former employees’ e-mail accounts?
Can companies access their former employees’ e-mail accounts after termination? And for how long can e-mail accounts be kept open after termination? There are strict rules in place in Norway and in a recent decision, the Norwegian Data Protection Authority considered these restrictions in a case where a company had kept a former employee’s e-mail account open for five months after termination of employment.
After termination of employment, a company had changed the password of a former employee’s e-mail account. Over a six-week period, the company’s CEO logged into the e-mail account on a daily basis. The company kept the e-mail account open for five months, ensuring access to the e-mail account for nearly half a year after the employee had left the company.
As a result, the employee submitted a complaint to the Norwegian Data Protection Authority, which then had to consider whether the company had breached the applicable data protection rules.
E-mail accounts must as a main rule be closed immediately
Companies can only retain e-mails from former employees’ e-mail accounts for a reasonable period of time and for no more than six months. However, retention is conditioned upon that keeping the e-mails is necessary for the day-to-day operations and that the company has specific reasons for not deleting the data.
According to the Data Protection Authority, the company had therefore clearly breached the statutory rules on the employer’s access to e-mail accounts and other electronical material, and applicable data protection rules by having kept the e-mail account open.
Pursuant to Norwegian law, e-mail accounts must as a main rule be closed upon termination of employment, unless keeping the account open is due to the company’s special needs. However, even in that case, keeping the e-mail account open can only occur for a short period of time. By having kept the e-mail account open for such a long period of time, the company had therefore breached its obligations. Consequently, the company had to establish internal control and routines to ensure compliance going forward and pay a fee of NOK 150,000.
According to the general guidance from the Data Protection Authority, companies can limit the risk of such a breach the rules, when accessing a former – or current – employee’s e-mail account, by:
- Checking that the access is lawful under the rules on control measures
- Informing the employee on the internal routines and guidelines on company access
- Considering if access is necessary, or if a less invasive measures can be applied
- Assessing whether the company has the necessary legal basis to process the data
- Considering if the company’s interest outweighs the employee’s interests
- Ensuring that accessing the e-mail account is proportionate, and
- Examining if employees must be notified before accessing the account, and other rights.
IUNO’s opinion
IUNO recommends that companies carefully assess the use of access to both current and former employees’ e-mail accounts. Access to the employees’ e-mail accounts is a control measure and can be invasive for employees.
IUNO therefore recommends that companies establish fixed routines and procedures both in relation to access to employees’ e-mail accounts and other electronic devices are to be handled upon the end of employment. As a control measure, it is important that companies familiarize themselves and comply with the national legislation, that may vary from country to country, as well as the rights and duties that follow from the GDPR.
[The Norwegian Data Protection Authority’s decision 20/02274 as of 7 June 2021]
After termination of employment, a company had changed the password of a former employee’s e-mail account. Over a six-week period, the company’s CEO logged into the e-mail account on a daily basis. The company kept the e-mail account open for five months, ensuring access to the e-mail account for nearly half a year after the employee had left the company.
As a result, the employee submitted a complaint to the Norwegian Data Protection Authority, which then had to consider whether the company had breached the applicable data protection rules.
E-mail accounts must as a main rule be closed immediately
Companies can only retain e-mails from former employees’ e-mail accounts for a reasonable period of time and for no more than six months. However, retention is conditioned upon that keeping the e-mails is necessary for the day-to-day operations and that the company has specific reasons for not deleting the data.
According to the Data Protection Authority, the company had therefore clearly breached the statutory rules on the employer’s access to e-mail accounts and other electronical material, and applicable data protection rules by having kept the e-mail account open.
Pursuant to Norwegian law, e-mail accounts must as a main rule be closed upon termination of employment, unless keeping the account open is due to the company’s special needs. However, even in that case, keeping the e-mail account open can only occur for a short period of time. By having kept the e-mail account open for such a long period of time, the company had therefore breached its obligations. Consequently, the company had to establish internal control and routines to ensure compliance going forward and pay a fee of NOK 150,000.
According to the general guidance from the Data Protection Authority, companies can limit the risk of such a breach the rules, when accessing a former – or current – employee’s e-mail account, by:
- Checking that the access is lawful under the rules on control measures
- Informing the employee on the internal routines and guidelines on company access
- Considering if access is necessary, or if a less invasive measures can be applied
- Assessing whether the company has the necessary legal basis to process the data
- Considering if the company’s interest outweighs the employee’s interests
- Ensuring that accessing the e-mail account is proportionate, and
- Examining if employees must be notified before accessing the account, and other rights.
IUNO’s opinion
IUNO recommends that companies carefully assess the use of access to both current and former employees’ e-mail accounts. Access to the employees’ e-mail accounts is a control measure and can be invasive for employees.
IUNO therefore recommends that companies establish fixed routines and procedures both in relation to access to employees’ e-mail accounts and other electronic devices are to be handled upon the end of employment. As a control measure, it is important that companies familiarize themselves and comply with the national legislation, that may vary from country to country, as well as the rights and duties that follow from the GDPR.
[The Norwegian Data Protection Authority’s decision 20/02274 as of 7 June 2021]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing