Do You Have Access To A Mailbox Of An Ex-employee? It Could Cost You £13,000

Alex Franch
February 1, 2023


As your company grows, people come and go. One thing that might not go as readily as it comes is data. We often forget the vast amounts of personal data we collect and retain about employees. From our conversations with SMEs here in the UK, we've seen that companies try their best to remove the personal data of past employees, but they fail in one thing: removing old employee mailboxes. We get it: it's not very clear what has to be done, and it's handy to have that data in case it is needed in the future. This is why we've written this blog post, so that you know what has to be done. The answer is:

You have to delete it

Just this September we saw a 13-employee company fined €15,000 for not managing old employee mailboxes correctly.

How to manage an old employee mailbox

Before the dismissal or departure of the employee

1. Have an IT policy that specifies what has to be done when an employee leaves the company (i.e. what we are going to talk about).

2. Just as they can collect or throw away their personal belongings, employees can choose to collect or delete their data. So you must sort personal from professional emails so the person can choose to collect or delete their private communications before their departure. If some content has to be recovered so that "business can carry on", this must happen before the dismissal or departure of the employee and in their presence. This means you should not be able to access and recover emails and other files after the person has left.

3. Tell the employee in advance that the mailbox will be blocked.

4. Set an automated response before blocking the mailbox in which you:

  • indicate that the person no longer exercises his/her role in the organisation; and
  • give contact details of the relevant person to contact instead.

5. Block the mailbox, before or on the day the employee leaves the organisation.

After the dismissal or departure of the employee

6. Maintain the automatic response for a "reasonable period", e.g. 1 month. The time frame can be extended provided that:

  • the duration is no longer than 3 months (ideally);
  • a justification is given; and
  • the person is informed of this extension.

7. Beyond the (maximum) timeframe for the automatic response, the mailbox must be deleted.
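To make the timeline above checkable rather than something you remember to do, here is an added example (written for this post, not a Privasee tool) that audits an assumed offboarding register of ex-employee mailboxes against steps 5 to 7: blocked on or before departure, auto-reply extended past one month only with justification and notice, never beyond three months, and the mailbox deleted once the auto-reply window closes. The 30 and 90 day figures are our reading of "1 month" and "3 months"; the register format and sample rows are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention limits from the policy: auto-reply for about 1 month, at most 3 months.
AUTOREPLY_DEFAULT = timedelta(days=30)
AUTOREPLY_MAX = timedelta(days=90)
AUDIT_DATE = date(2023, 2, 1)  # day the audit is run (constructed)


@dataclass
class DepartedMailbox:
    """One ex-employee mailbox as recorded in an assumed offboarding register."""
    address: str
    departure: date
    blocked_on: Optional[date]       # day sign-in was disabled, None = never blocked
    autoreply_until: Optional[date]  # planned end of the auto-reply, None = default 1 month
    extension_justified: bool = False
    employee_informed: bool = False
    deleted_on: Optional[date] = None


def review_mailbox(mb: DepartedMailbox, today: date) -> list[str]:
    """Return the policy violations for one mailbox (empty list = compliant)."""
    findings = []
    if mb.blocked_on is None or mb.blocked_on > mb.departure:
        findings.append("not blocked on or before departure")
    default_end = mb.departure + AUTOREPLY_DEFAULT
    hard_end = mb.departure + AUTOREPLY_MAX
    reply_end = mb.autoreply_until or default_end
    if reply_end > default_end and not (mb.extension_justified and mb.employee_informed):
        findings.append("auto-reply extended past 1 month without justification and notice")
    if reply_end > hard_end:
        findings.append("auto-reply planned beyond the 3 month maximum")
    # Once the (capped) auto-reply window has closed, the mailbox must be deleted.
    deletion_due = min(reply_end, hard_end)
    if mb.deleted_on is None and today > deletion_due:
        findings.append("mailbox overdue for deletion since %s" % deletion_due)
    return findings


def audit(register: list[DepartedMailbox], today: date) -> dict[str, list[str]]:
    """Map each non-compliant address to its findings."""
    return {mb.address: f for mb in register if (f := review_mailbox(mb, today))}


# Constructed sample register, not real data.
SAMPLE = [
    DepartedMailbox("a@example.com", date(2023, 1, 2), date(2023, 1, 2), None, deleted_on=date(2023, 2, 1)),
    DepartedMailbox("b@example.com", date(2022, 11, 1), date(2022, 11, 1), date(2023, 1, 15)),
    DepartedMailbox("c@example.com", date(2022, 9, 1), date(2022, 9, 5), None),
]

if __name__ == "__main__":
    for addr, problems in audit(SAMPLE, AUDIT_DATE).items():
        print(addr, problems)
```

Running it reports b@example.com (extended without justification, now overdue for deletion) and c@example.com (blocked four days late, never deleted) while a@example.com passes.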

And that's it. As always, be transparent and fair. Make sure that whenever you access the employee's data they are present, and give them the chance to delete it or take it with them. Once they are gone, their data should be too. If you want to prevent data breaches and avoid fines and risks like these, book a free consultation with us here:


Alex Franch is the co-founder and CEO of Privasee. With a background in computer science and cybersecurity, it is no surprise that he is a highly analytical problem solver; now putting these skills to use within the data privacy space. Alex is passionate about GDPR, and productivity and spends a lot of time doing sports as he values the importance of having a work-life balance. He is excited to help businesses generate documentation, and become and maintain GDPR compliance through the Privasee platform.
