What to do with the work email inboxes of terminated employees?
In this article and drawing on guidelines by the Estonian Data Protection Inspectorate, community contributor and renowned privacy expert Odia Kagan gives you a breakdown of steps to take once an employee has left your company (and advice worth implementing in general):
General rule: you need to close the inbox immediately. Emails received can be kept open in exceptional circumstances and only if 1) the employee has given prior voluntary consent, 2) there is a real need for this, and 3) it takes place for a very short time.
If the inbox is difficult to close, then rename to a position name, not a personal name.
Employer monitoring of employee inboxes is permissible only if the employee was provided advance notice (including what the monitoring will be, how often and by whom).
An employer may store and read work related emails but this has to be based on proper disclosure (in advance) and legal basis. Without this, the employee has reasonable expectation of privacy in their entire work email inbox.
A policy could (should) require the employee to upload/store important work related correspondences in an agreed upon place (e.g. a shared disk).
An employer cannot, by policy, establish restrictions or create rights for itself that violate the constitution or other laws (including data protection laws).
Personal correspondence should not be read. To facilitate this, there should be a separate folder where personal/private correspondence is stored and that the employee should delete at the end of the employment relationship.
Having policies in place reduces the employer's risk of processing employees' personal data in violation of data protection or confidentiality laws.
Join our in-house legal & privacy community
Join one of the fastest growing legal communities in Europe. Learn, share, connect and meet inspiring legal professionals, leaders and experts all for free.