Labor LawGDPR

What may your former employer do with your professional e-mail and mobile phone after you leave?

Joris Deene
3 weeks ago
158 views
6 minutes reading time

The end of an employment contract often raises practical questions, especially in a digital world. One of the most common is: what happens to my professional e-mail account and cell phone number? The Belgian Data Protection Authority (DPA) has already issued a number of rulings on this subject (read our earlier blog). The crux of the matter is that your ex-employer may not keep not only your mailbox but also, according to a recent ruling, your cell phone number active indefinitely; it must take action immediately after you leave, establish a temporary and limited transition period and then permanently delete the data.

The facts: a fired director and an open mailbox

In a decision of 7 October 2025 (No. 158/2025), the DPA Litigation Chamber considered a complaint by a former managing director. The cooperation with his employer was terminated on February 8, 2021. More than five months later, on July 15, 2021, the director found that his professional e-mail account was still active. He had not been given any information about its continued use. His professional cell phone number also remained in use by the former employer.

The director requested that the accounts be closed and his personal messages deleted. The employer responded laconically, stating that the mailbox would be closed "soon" and that the cell phone number was company property. This lack of action led to a complaint to the DPA.

The decision of the Data Protection Authority

The DPA ruled that the employer had violated the General Data Protection Regulation (GDPR) on multiple counts. The DPA's reasoning provides a clear roadmap for any employer.

The basic principles of the GDPR are the basis for this:

  1. Purpose limitation (Art. 5.1.b GDPR): Personal data should be collected only for a specific, legitimate purpose. A professional e-mail address serves to enable the employee to perform his job. As soon as the employment ceases, this purpose disappears. Thus, keeping the account active is in principle illegal.
  2. Minimal data processing (Art. 5.1.c GDPR): Processing should be limited to what is necessary. Keeping the entire mailbox open is not minimal.
  3. Storage restriction (Art. 5.1.e GDPR): Data should not be kept longer than necessary for the original purpose.

Based on these principles, the DPA proposes a clear "golden rule."

  • No later than the day of departure, the employer must deactivate the mailbox and set up an automatic response. The employee must be informed about this in advance.
  • This message should inform the sender that the person is no longer employed and include contact information for a replacement or a general email address.
  • This measure applies for a reasonable period of time, basically one month. Depending on the responsibilities of the former employee, this may be extended to a maximum of three months, provided that the employee has been informed of this or agrees to it.
  • After this transition period, the e-mail account and its contents must be permanently deleted.

The DPA emphasized that the same principle applies to the professional cell phone number. The argument that the subscription is in the name of the company is irrelevant. The use of the number is inextricably linked to the employee's person, so all communications through that number are considered personal data.

Legal analysis and interpretation

The crux of this ruling lies in the legal basis for processing personal data, as provided in Article 6 of the GDPR. During the employment contract, the legal basis is clear: the processing is necessary for the performance of the contract (Art. 6.1.b GDPR). The moment the employee leaves, this legal basis expires.

The employer can invoke another legal basis for a short transitional period: legitimate interest (Art. 6.1.f GDPR). This interest is to ensure the continuity of the business, by ensuring that important emails are not lost. However, the DPA sets clear limits to this interest. Setting up an automatic reply is a proportionate measure that serves this interest. Keeping the mailbox completely open and potentially reading all incoming (and old) emails is absolutely not.

In this case, the employer no longer had any valid legal basis following the director's departure. Moreover, he did not give appropriate follow-up to the data erasure request (the "right to be forgotten" from Article 17 GDPR). The final sanction was a reprimand. The DPA did not impose a fine because the company in question was no longer conducting operational activities and was in liquidation, so a fine would defeat its purpose.

What this specifically means

For the employer:

  • Policy is crucial: Develop a standard offboarding procedure that follows DPA rules. Establish who is responsible for deactivating accounts.
  • Communicate clearly: Inform the departing employee in writing of the steps you will take with his/her e-mail and cell phone.
  • Act immediately: On the last working day, configure the automatic reply and block access for the ex-employee (unless otherwise agreed for a transfer).
  • Respect the deadline: Keep the period with the automatic response as short as possible (one month is the norm) and then delete the account permanently. Document the date of deletion.

For the employee:

  • Know your rights: Your former employer may not just leave your mailbox open. You have the right to deactivation and eventual deletion.
  • Be proactive: Discuss transferring your mailbox and activating an automatic response during your exit interview.
  • Set in default: If you notice that your account remains unlawfully active, send a registered letter to your former employer referencing your rights under the GDPR and asking for immediate action.
  • File complaint: If you do not receive a response, then, like the complainant in this case, you may file a complaint with the Data Protection Authority.

FAQ (frequently asked questions)

How long may the automatic e-mail remain set?
The standard period is one month. Only in specific cases, for example in a high position with many external contacts, it can be extended to a maximum of three months, provided you have been informed or have given your consent.

May my former employer read my old emails?
This is a very sensitive issue. The recommendation is that the employer, if necessary to ensure continuity, recover the contents of the mailbox before the employee's departure and preferably in the employee's presence. Unlimited access after departure is a severe invasion of privacy.

What about the cell phone number registered in the company's name?
According to the DPA, it does not matter who owns the subscription. Once the number is structurally used by you, it is personal data and enjoys the protection of the GDPRG. Again, the use must be stopped immediately after you leave.

Conclusion

The rules governing the management of professional communication tools after dismissal are clear and strict. An employer must act transparently and proactively to respect the privacy of its former employees. Leaving a mailbox or cell phone number unattended is a clear violation of the GDPR, with all the potential penalties that could result. Both employers and employees would do well to be aware of these rules to avoid discussions and legal proceedings.

Are you facing a complex workplace privacy or GDPR compliance case? Our attorneys specializing in privacy and employment law are ready to analyze your case. Feel free to contact us for an initial advice.

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics