How long may an employer keep your e-mail address after you leave?

In principle, an employer may not keep a former employee's e-mail address active for more than one month after leaving employment, with a possible extension to a maximum of three months in exceptional cases. Merely technically ‘diverting’ emails to a digital trash (such as a /dev/null measure) without deleting the address is not sufficient and constitutes a violation of the General Data Protection Regulation (GDPR).

The facts and procedure

A recent case before the Lititagtion Chamber of the Belgian Data Protection Authority (DPA) centered on a conflict between a former shareholder/employee and the company he had left.

The partnership was terminated in February 2019. Two years later, in 2021, the man discovered that his two personalized email addresses (based on his first and last name) were still active on the company's server.

The company defended itself by arguing that there was no breach of data protection law. They had in fact implemented a technical measure, a so-called /dev/null measure. This meant that incoming emails did not end up in an inbox, but were immediately and automatically deleted by the server. The company argued that this was necessary to prevent “server contamination” and error messages and that there was no processing of personal data because no one was reading the emails.

The former employee filed a complaint alleging violation of his right to data protection and failure to obtain access to his data.

The decision of the Data Protection Authority

In its Decision 01/2026 dated Jan. 6, 2026, the Litigation Chamber ruled in favor of the former employee. The DPA ruled that letting the e-mail addresses persist beyond the reasonable time limit was unlawful.

The key points of the decision are:

• E-mail address is personal data: An e-mail address with the structure voornaam.naam@bedrijf.be is itself personal data because it directly identifies. Merely allowing this address to exist is ‘processing’ under the AVG.
• Technical distractions are no excuse: That the contents of the emails were immediately deleted via the /dev/null measure is irrelevant. Log files (metadata) were still maintained that showed who was emailing to the ex-employee. Thus, the company still had access to certain data.
• No legitimate interest: The company's argument that keeping the addresses was necessary for the technical health of the servers (anti-pollution) was rejected. Other technical means exist to protect servers without processing personal data of former employees for years.

The DPA imposed a reprimand on the company and ordered the immediate cessation of processing and deletion of the data.

Legal analysis and interpretation

This decision confirms and refines the settled case law of the DPA (as previous decisions) about the “digital legacy” of employees. There are three crucial lessons here for legal professionals and DPOs:

1. The definition of ‘processing’ is broad

The defendant attempted to escape the GDPR by arguing that there was no substantive knowledge of the emails. However, the DPA applies a strict reading of Article 4.1 GDPR. The e-mail address itself links the person's name to the company. As long as that address “exists” on the server and responds (even if it is to discard data), there is processing. Moreover, the DPA confirms that metadata (logs of senders) are also personal data to which the right of inspection under Article 15 GDPR applies.

2. The necessity test for legitimate interest.

The processing failed the test of legitimate interest (Article 6.1.f GDPR). Although the purpose (server hygiene) is legitimate, the necessity test failed. The breach of data protection law was disproportionate because less intrusive alternatives exist. A “user unknown” notification or a temporary auto-reply would suffice. Keeping an address on the air for years to avoid bounces is not proportionate.

3. Sanctions policy and ‘Deutsche Wohnen’.’

Interestingly, the DPA opts for a reprimand rather than a fine. In doing so, the Litigation Chamber explicitly refers to the Deutsche Wohnen ruling of the Court of Justice. There was no evidence of intent and the company had indeed attempted to take measures to protect data protection law (the /dev/null filter), even if they were inadequate. This indicates “limited negligence”.

What this specifically means

This ruling has implications for the IT and HR policies of Belgian companies:

• For employers: Check your out of office procedure. A mailbox may remain active for a maximum of 1 month with an automatic reply (“out of office”) referring the sender to a colleague. In exceptional cases, this can be extended to 3 months, but never longer. Merely technically ‘isolating’ the mailbox is not sufficient; the account must be effectively deleted.
• For employees: You have the right to demand that your professional e-mail address be closed after you leave. If it remains active, your name will be unfairly associated with an organization where you no longer work, and you may miss out on potential private communications. You also have the right to inspect log files if you suspect your address has remained active.

Frequently Asked Questions (FAQ)

Can my employer keep my e-mail address active so as not to lose customers?
No, not indefinitely. The employer may keep the address active for a reasonable period of time (default 1 month) to set up an automatic response. That message must state that you are no longer employed and to whom the client can address. After that, the address must be deactivated.

Is it enough if the employer promises not to read my emails?
No. As this decision shows, the mere existence of the e-mail address and the processing of the incoming ‘signals’ (metadata/logs) already constitutes processing of personal data. Even if the content is immediately deleted, the e-mail address may not remain in existence for years.

What can I do if I discover my old work email is still working?
You can send a data erasure request (right to be forgotten) to your former employer. They must carry this out within 30 days. If they refuse, you can complain to the Data Protection Authority, as this is an unlawful processing.

Conclusion

Closing IT accounts is not a mere technical detail, but a legal obligation. Employers in Belgium who leave ex-employees“ e-mail addresses ”dormant" on their servers for years risk sanctions, even if they do not read the content of the e-mails. A strict exit policy of no more than 1 to 3 months is the only safe route.