No. A deactivated mailbox that continues to exist on the employer's servers is not sufficient to comply with the General Data Protection Regulation (GDPR) - the mailbox must be effectively deleted. On May 12, 2026, the DPA's Litigation Chamber imposed (No. 101/2026) a total fine of EUR 176,946.61 on a Belgian tech company because the mailbox of a departed independent consultant had been left in a so-called “backup mode.” It is also the last decision of director Hielke Hijmans on mailbox management, and it perpetuates an enforcement line that ICT Legal Guide has explained in detail in previous contributions.
The facts
A large Belgian tech company (annual turnover EUR 804 million; about a thousand people entering and leaving the company each year) includes among its employees an “extended workforce” of independent consultants. One of them ended her collaboration on May 1, 2023. Before her effective departure, she herself had set up two out-of-office messages: an internal one (“this e-mail address is no longer in use, please contact me at ...”) and an external variant that merely reported that she was “currently offline” with “limited access to the Internet”.
In the fall of 2023, she noted that correspondents were still trying to reach her through that professional address. In January 2024, she contacted the company's DPO. The latter confirmed that the mailbox was “indeed still active.” It was, the employer said, a “one-time human error”: the mailbox had been deactivated when she left, but never manually deleted, and had since been in a “backup mode” in which access could only be granted through an approval process.
The consultant requested access to the emails that had reached her in the interim. The DPO offered only filtered inspection: only emails from after her departure, only from external senders and only at the company's offices under the supervision of an undefined “neutral person.” The consultant filed a complaint with the DPA on April 23, 2024.
The decision
The Litigation Chamber identifies five separate violations of the GDPR.
First, it finds that the employer continued to unlawfully process the personal data of the complainant and her contacts after June 1, 2023. From the time of departure, the employer did have a legitimate interest within the meaning of Art. 6.1.f GDPR to keep the mailbox active, but that interest was doubly limited - in duration (one month, possibly extendable to three subject to reasoned balancing of interests) and in purpose (informing the contacts via a correct out-of-office message). Decisively, the Litigation Chamber explicitly does not equate the deactivation of a mailbox with its erasure: as long as the personal data are still retained and remain accessible (even if limited), they are still processed within the meaning of Art. 4.2 GDPR and the controller must be able to demonstrate a legal basis for doing so.
In addition, the employer is violating its duty of transparency under Articles 12 and 13 GDPR. The crucial information to third parties - namely that the employee had permanently left the organization - was not given: the out-of-office message for external correspondents only suggested a temporary absence. The fact that the employer had delegated the drafting of those automatic messages to the departing employee does not relieve it of its own responsibility to ensure transparency.
Furthermore, the Litigation Chamber finds a violation of Art. 24 GDPR. The process of closing and deleting mailboxes was entirely manual, despite an annual staff turnover of about a thousand people and clearly available technical means to automate or at least consistently control it. The existing management processes from 2016 did provide for a control measure (the return of the list of effectively deleted mailboxes), but this was not followed in practice.
On top of that, the right of access was violated (Art. 12 and 15 GDPR). The proposed filtering went too far: the fact that a proper out-of-office for internal colleagues had been set up is not a valid criterion for refusing access to e-mails from internal colleagues, and the filtering out of trade secrets should have been done on the basis of the employer's existing classification (public/restricted/confidential/strictly confidential), not as a general refusal.
Finally, the Litigation Chamber finds that the principle of confidentiality and integrity (Art. 5.1.f in conjunction with Art. 5.2 GDPR) was violated. The complainant pointed to a specific e-mail that, according to the activity logs, would have been “opened” at the time of receipt. The employer attributed this to automatic security scans, but did not submit log files of the relevant period and thus could not prove that the confidentiality and integrity of the mailbox was ensured - even though it was obliged to do so under its accountability obligation.
The Litigation Chamber orders the employer to still take the necessary technical and organizational measures, to provide the complainant with access within 30 days, to subsequently delete the mailbox and to transfer the access logs. In addition, two separate administrative fines are imposed. Based on extenuating circumstances (quick response from the DPO, ongoing automation process, absence of previous complaints and no demonstrable benefit), the Litigation Chamber reduces the original starting amounts by 95%. This results in a final fine of EUR 160,860.55 for the legality violation and EUR 16,086.06 for the transparency violation.
Legal analysis and interpretation
Deactivation is not erasure - a line that hardens
The doctrine that an ex-employee's mailbox must disappear permanently after three months at the latest is not in itself new. The Litigation Chamber itself refers to its previous decisions 64/2020, 133/2021, 138/2024, 134/2025 and 1/2026. On ICT Legal Guide those last three were already commented on at length: see “May your former employer keep your mailbox after you leave?”, “What may your former employer do with your professional e-mail and mobile phone after you leave?” and “How long may an employer keep your e-mail address after you leave?”.
What is new in decision 101/2026 is the monetary severity of the verdict. Whereas in decision 1/2026 a reprimand was still sufficient - with explicit reference to the ECJ's Deutsche Wohnen ruling - the Litigation Chamber now opts for a substantial fine. The message is clear: a purely technical “isolation” of the mailbox is not enough, and the excuse of “one-time human error” does not hold water with an organization that itself admits to processing about a thousand outflows per year. Anyone who does not take advantage of the state of the art to automate or at least systematically control this process is negligent, according to the Litigation Chamber.
Also noteworthy: this doctrine applies equally to independent consultants as it does to employees under employment contracts. Thus, the individual's employment status is irrelevant to the GDPR assessment of mailbox management.
The out-of-office as an employer's responsibility
A second salient element is the strict position against delegating the out-of-office message. The employer argues quite convincingly that, for an organization with a thousand outflows per year, it is factually impossible to prepare a personalized message for every departing employee itself - if only because it is the departing employee who knows best to which specific contact person his pending files should be addressed. The Litigation Chamber rejects this argument: the out-of-office is an implementation modality of the duty of transparency incumbent on the data controller, and one cannot pass that duty on to the data subject.
From a purely legal point of view, this is defensible - Articles 12 and 13 GDPR explicitly place the obligation to inform on the controller. From a practical point of view, the reasoning is more difficult to reconcile with the operational reality of large organizations, especially in the case of a dismissal for an urgent reason or in a conflictual departure situation in which there will be little cooperation. In this decision - as in previous ones - the Litigation Chamber appears to give relatively little weight to business continuity as a legitimate consideration. The Market Court may need to refine this theme on appeal.
No log files, no evidence: the sharp effect of Art. 5.2 GDPR
A third, often underestimated aspect is how the Litigation Chamber uses Article 5.2 GDPR (the accountability requirement) to infer a breach of confidentiality. The employer claimed that no access to the mailbox had taken place, but submitted only log files for a short period in 2024. The Litigation Chamber concluded: those who cannot prove their confidentiality guarantee, while they are technically capable of doing so, violate Art. 5.1.f GDPR.
For practitioners, this is a warning with significant implications. The DPO who states in a complaint procedure that “the mailbox was not consulted,” but does not substantiate this with log files, will not see that assertion accepted. The burden of proof here follows the logic of an ascending presumption rule rather than the civil-law division of that burden: as soon as the data subject provides a credible indication (in this case: an e-mail that, according to the activity logs, was “opened” at the time of receipt), it is up to the data controller to rebut it fully and with documentation.
Specifically, what does this mean?
For employers and DPOs. A GDPR-compliant offboarding policy is no longer a nice-to-have. Four elements deserve immediate attention. Automate the erasure process: manual account removal procedures do not hold up in the face of increased employee turnover. Establish a conclusive control measure that automatically compares the list of mailboxes to be deleted with the list of effectively deleted mailboxes, with an alarm function in case of discrepancy. Set up (or automate) the out-of-office message yourself and verify that it works correctly - a delegation to the departing employee is not a full-fledged implementation of the transparency obligation. And keep log files of access to mailboxes for sufficient time to prove the absence of unauthorized access in the event of a subsequent complaint.
In addition, it is appropriate to organize the classification of business information in such a way that, in the event of a request for access from an ex-employee, selective filtering is technically possible, without the right of access being denied en bloc. And finally, any “legitimate interest” to maintain the mailbox for imminent or ongoing litigation must be justified to the data subject in advance and transparently; showing up afterwards with that legal basis will not suffice.
For (former) employees and independent consultants. You have the right to have your professional mailbox permanently deleted after a reasonable period of time - in principle one month, exceptionally three. If you find that your old mail address is still active, you may send a written request for erasure and for access to the employer, who must reply within 30 days. A blanket refusal of the right of inspection on the grounds of “trade secrets” is not permitted; the employer must specify concretely what third-party rights or what business-sensitive information would be affected, and preferably strike a balance through anonymization. If no action is taken, you can complain to the DPA.
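The control measure recommended to employers above (comparing the mailboxes due for deletion with those effectively deleted, with an alarm on any discrepancy) can be sketched as follows. This is an added example, not code from the decision or from the company concerned; the data model, the alarm codes, the 30/90-day reading of "one month" and "three months", and all sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Limits from the decision as summarised above: one month, at most three with a
# documented balancing of interests. The day counts are an assumption.
DEFAULT_DAYS, EXTENDED_DAYS = 30, 90

@dataclass(frozen=True)
class Leaver:
    address: str
    departed: date
    extension_ref: Optional[str] = None  # hypothetical id of the documented balancing

def deletion_deadline(leaver: Leaver) -> date:
    days = EXTENDED_DAYS if leaver.extension_ref else DEFAULT_DAYS
    return leaver.departed + timedelta(days=days)

def reconcile(leavers, present, confirmed_deleted, today):
    """Compare mailboxes due for deletion with what exists and what was reported deleted.

    present: address -> state for every mailbox still stored, whatever the state
    ("active", "disabled", "backup"): a stored mailbox is not a deleted one.
    Returns a sorted list of (address, alarm_code).
    """
    present = {a.lower(): s for a, s in present.items()}
    confirmed = {a.lower() for a in confirmed_deleted}
    alarms = []
    for leaver in leavers:
        addr = leaver.address.lower()
        if addr in present and today > deletion_deadline(leaver):
            alarms.append((addr, "OVERDUE"))             # retention period has lapsed
        elif addr in present and addr in confirmed:
            alarms.append((addr, "FALSE_CONFIRMATION"))  # reported deleted, still stored
        elif addr not in present and addr not in confirmed:
            alarms.append((addr, "UNCONFIRMED"))         # gone, but no deletion record
    return sorted(alarms)

# Constructed sample data (example.test addresses, invented dates and reference).
LEAVERS = [
    Leaver("a@example.test", date(2023, 5, 1)),
    Leaver("b@example.test", date(2023, 12, 20), extension_ref="LIA-0001"),
    Leaver("c@example.test", date(2023, 11, 1)),
    Leaver("d@example.test", date(2023, 11, 1)),
    Leaver("e@example.test", date(2024, 1, 5)),
]
PRESENT = {"A@example.test": "backup", "b@example.test": "active", "e@example.test": "disabled"}
CONFIRMED = {"c@example.test", "e@example.test"}

if __name__ == "__main__":
    for addr, code in reconcile(LEAVERS, PRESENT, CONFIRMED, date(2024, 1, 15)):
        print(f"ALARM {code}: {addr}")
```

In practice the `present` map would come from the mail platform's own inventory and the confirmation list from the deletion job's output, so that a mailbox parked in a disabled or backup state still shows up as stored.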
Frequently asked questions (FAQ)
When should an ex-employee's mailbox be permanently deleted?
In principle, one month after departure. This period can be extended to a maximum of three months subject to a reasoned consideration of interests, of which the employee concerned will be informed in advance. After that, the mailbox must effectively disappear: merely deactivating it or “putting it in backup” is not enough. Deactivating a license or restricting access does not change the fact that the data is still stored and thus processed.
May the employer have the out-of-office message set by the departing employee himself?
Better not. The duty of transparency under Articles 12 and 13 GDPR rests on the employer as the data controller. Anyone who completely delegates the drafting of the notice to the leaver - and does not check afterwards whether the notice correctly states that the collaboration has ended and who the replacement contact person is - risks a finding of breach, even if the leaver himself is at fault.
Is an ex-employee entitled to a full copy of their old mailbox?
The right of access under Article 15 GDPR concerns the personal data of the data subject and does not automatically extend to every e-mail in its entirety. An employer may protect trade secrets and the privacy of third parties, but must do so concretely and with documentation - not through a blanket refusal. Anonymization, targeted filtering based on an existing classification or supervised inspection are proportional intermediate solutions. A refusal in principle or filtering based on arbitrary criteria (such as: “only mails from external senders” because an out-of-office was set up for internal mails) is not allowed.
Conclusion
Decision 101/2026 refines and tightens an enforcement line that the Belgian DPA has consistently followed for years: a departed employee's mailbox is not a company archive, deactivation is not erasure, and the absence of log files counts against the employer. The hefty fine makes it clear that the days of mere reprimands are over, especially for organizations with significant employee turnover. Therefore, a well-documented, automated and monitored offboarding policy is not a luxury, but a legal necessity.



