Belgian DPA fines: mailbox management and departing employees

Out with a bang, but with controversial positions? The latest fines of the Belgian DPA represent the last from Hielke Hijmans, the departing Director of the Litigation Chamber. The amounts are modest by international standards (86k, 120k & 176k EUR) but are still relatively high for the Litigation Chamber in its approach to GDPR enforcement.

The highest happens to concern one of the Litigation Chamber’s pet peeves: the maintaining of mailboxes after someone leaves an organisation (in this case, an external consultant).

I have often criticised the Belgian DPA’s very stringent conditions on this issue.
They want mailboxes to be destroyed after one month following departure, with a maximum extension of two (additional) months where properly justified, and they want an out-of-office message to be equally limited in time. They also want the former employee/consultant to be informed of various actions and even involved in them.
Business continuity is merely a sidenote in the BDPA’s reasoning in such cases, and it barely pays lip service to the issues caused by giving the former employee something to say about mailboxes in the event of dismissal for misconduct.

In this particular decision, the BDPA has a range of criticisms for the company in question.

– The setting of out-of-office replies after departure? Not possible to delegate that to the departing employee, says the BDPA – it’s up to the company to do that itself.

– No verification that the out-of-office is active? That’s a problem, says the BDPA.

– Is the out-of-office set by the departing employee *before* departure? That’s a problem too, because there is then a lack of information vis-à-vis the departing employee about the legitimate interest that the out-of-office message serves.

– Is the mailbox deactivated (and therefore unreachable & inaccessible) but not yet destroyed? Again, that’s a problem, because restricting access to personal data isn’t the same as erasing it. [Hello archiving issues then?]

There is a range of other considerations in this 60-page decision (in Dutch), notably regarding the importance of informing departing employees about the processing of their personal data subsequent to departure. Like this is the thing everyone wants to do after someone announces they are leaving or they are being dismissed – “here are the purposes for which we will continue to process your personal data”. Why can a clear policy not be sufficient?

I expect at least some of these fines to be appealed – and I really hope this particular case gets appealed. Perhaps we will then get an appellate decision with some pragmatism re the conditions under which processing of mailboxes can still be permitted.

I believe many angles are underexploited in such cases, notably on the very core issue of confidentiality of correspondence.
Some filtering should take place, but not everything has to be destroyed.

A case to watch, if appealed!

Link (NL): https://lnkd.in/eX-nKpcB
