Is your former employer permitted to access your professional email account after your departure?

The termination of an employment or management relationship often raises practical questions, especially in a digital age. One of the most common and thorny issues is the management of the departed person's professional mailbox. Recent decisions by the Data Protection Authority (DPA) create clarity: an employer may not keep the mailbox active indefinitely, and its contents are not freely accessible company archives.

The general rule is that the mailbox must be blocked and eventually deleted after a short, reasonable period of time. Access to the contents is allowed only in very specific and exceptional circumstances.

The facts: two practice cases before the DPA

Two recent rulings by the DPA's Dispute Chamber illustrate the risks for companies that fail to comply with the rules surrounding the management of former employee mailboxes.

In the first case (Decision 134/2025 of 21 August 2025), a commercial dispute arose after the departure of a CEO. The company left his professional mailbox active for longer than the recommended period. The reason cited by the company was that the mailbox might contain evidence for a pending arbitration proceeding. The former CEO filed a complaint with the DPA, not only about keeping the mailbox active, but also because his request for a full copy (right of access) of the mailbox was denied.

In the second case (Decision 113/2025 of 1 July 2025), a departed director of a company found that his professional e-mail account was still active almost two years after the end of the partnership. Indeed, the new director had allowed himself access to the mailbox and had even forwarded an e-mail addressed to the departed director.

In both cases, the DPA ruled that the companies were at fault, resulting in a reprimand and a warning.

Data Protection Authority (DPA) decision

The DPA relies on the fundamental principles of the General Data Protection Regulation (GDPR). The Dispute Chamber's analysis in these cases provides a clear roadmap for each employer.

The principle: blocking and setting an absence message

The DPA reiterates its established case law: the mailbox of a departed employee or director must be managed as soon as possible. The correct procedure is as follows:

  1. Inform: The employer must inform the departing person, no later than the day of his departure, of the measures that will be taken.
  2. Automatic message: An automatic response (out-of-office) should be set up immediately. This message reports that the person is no longer employed within the company and provides contact information for a replacement or a general email address.
  3. Reasonable term: This automatic message should only remain active for a "reasonable period of time." The DPA sets this to one month by default. Depending on the responsibilities of the departed person, this period may be extended to a maximum of three months, provided that the person concerned is notified of this or agrees to it.
  4. Blocking and erasing: After this period, the mailbox must be blocked and eventually deleted. After all, the data are no longer needed for the original purpose (professional communication by the employee).

In both cases, this deadline was greatly exceeded, violating the principles of purpose limitation and data minimisation (Articles 5.1.b and 5.1.c GDPR).

Mailbox access: a strict ban

The DPA is very clear: active access to the contents of the mailbox after the employee's departure is in principle not allowed. Indeed, the legal basis for processing emails (the performance of the employment contract) expires upon its termination.

As the second case showed, forwarding emails from an ex-director's mailbox is a clear violation of Article 6.1 GDPR because there was no valid legal basis for this processing.

The exception: the legitimate interest

One important exception is possible: the legitimate interest (Article 6.1.f GDPR). A company can keep the mailbox longer (but not simply continue to use it actively) if this is necessary to protect its legitimate interests, such as the filing or substantiation of a legal claim.

However, the DPA applies a rigorous three-part test here:

  1. Purpose test: Is the interest legitimate? The defense in legal proceedings is accepted as legitimate.
  2. Necessity test: Is the preservation of the complete mailbox necessary to achieve that goal? In the first case it was, because the CEO himself had requested a copy of the mailbox in the arbitration proceedings.
  3. Balancing test: Do the company's interests outweigh the privacy rights of the data subject? This is where things went wrong for the company in the first case. Although the interest was legitimate, the company had not informed the ex-CEO about this new purpose (retention for arbitration proceedings). This went against the CEO's reasonable expectation that his mailbox would be deleted, so the balancing of interests went in his favor.

The conclusion is that even a claim of legitimate interest fails if the company does not transparently communicate why the continued retention is necessary.

The right of access: not a blank check for the employer

The first case also dealt with the right of access (Article 15 GDPR). The ex-CEO requested a copy of his mailbox, but the company refused for all professional and mixed communications, citing trade secrets and third-party privacy.

The DPA ruled this refusal unlawful. An employer who refuses access must:

  • Demonstrate concretely what rights and freedoms of others would actually be harmed. A general reference is insufficient.
  • Carry out a balancing of interests.
  • Consider alternative solutions, such as anonymizing or making certain information unreadable, rather than a complete refusal.

Contractual provisions stating that all documents are the property of the company cannot negate the right to access personal data.

Legal analysis and interpretation

These decisions by the Dispute Chamber confirm and refine a consistent line of enforcement of the GDPR in the workplace. The ratio decidendi is to protect the employee's reasonable expectation of privacy after the employee leaves. The professional mailbox, although owned by the employer, inevitably contains personal data. Its processing must always comply with the basic principles of the GDPR.

Crucial is the emphasis on transparency (Article 13 GDPR). The company's failure in the first case to substantiate its reliance on "legitimate interest" was not due to an invalid interest, but to the lack of communication about it with the data subject. This underlines that procedural correctness is as important as the substantive legal basis itself.

Furthermore, there is a link with the Electronic communications law, which penalizes intentionally taking knowledge of communications not intended for you. This reinforces the position that the contents of a mailbox, even a professional one, enjoy a degree of confidentiality.

For legal practice, these rulings mean that an ad hoc approach to departing employees is untenable. A standardized, GDPR-compliant offboarding policy is not a luxury, but a legal necessity.

What this specifically means

For the employer

  • Establish an offboarding policy: Develop a clear, written procedure for managing IT accounts when staff leave.
  • Inform the leaver: Inform the employee or director of the steps you will take regarding his/her mailbox.
  • Act immediately: On departure day, set an automatic response and block user access.
  • Respect the deadlines: Keep the automatic reply active for a maximum period of 1 to 3 months. After that, delete the mailbox.
  • Document exceptions: If you need to keep the mailbox longer for a legal dispute, document your legitimate interest analysis and inform the data subject.
  • Take the right of access seriously: Do not simply refuse a request for access. Conduct a documented analysis and try to reconcile conflicting rights (e.g., through anonymization).

For the departed employee/director

  • Know your rights: You should expect your professional mailbox to be closed after a short period of time. Your former employer should not be allowed to read the contents.
  • Be proactive: Before you leave, sort your emails and separate strictly personal messages from professional communications.
  • Request access: You have the right to request access to the personal data your former employer processes about you, including those in your old mailbox. A refusal must be thoroughly justified.
  • File a complaint: If you suspect that your mailbox is being used or accessed illegally, you may file a complaint with the Data Protection Authority.

FAQ (frequently asked questions)

Exactly how long may my former employer keep my professional mailbox active?
The DPA uses a guideline of one month. In positions of high external responsibility, this can be extended to a maximum of three months. After that, the mailbox must be blocked and deleted.

Can my former boss read my old emails to "ensure continuity"?
No. Access to the contents of the mailbox is in principle prohibited after you leave. For continuity, the automatic response that refers to a colleague is required. Only in very specific, legally provided exceptions, such as a judicial investigation or a documented legal dispute, may this be permitted, but not without good reason.

Am I entitled to a full copy of my old professional mailbox?
You have the right to a copy of your personal data (Article 15 GDPR). This does not necessarily mean a .pst file of the entire mailbox. Your former employer must process your request, but may protect the rights of others (e.g., privacy of colleagues, trade secrets) by making certain information unreadable. However, a blanket refusal is not permitted.

Conclusion

Recent decisions by the Data Protection Authority emphasize that careful and transparent management of departed employees' mailboxes is a legal duty. Ignoring these rules exposes companies to penalties and reputational damage. A proactive approach, anchored in a clear internal policy, is the only way to comply with the GDPR and avoid litigation.

Joris Deene

Attorney-partner at Everest Attorneys
