Anders Etgen Reitz and Julie Lindberg, IUNO
Danish Data Protection Agency issues guidelines on access to e-mails of former employees The Danish Data Protection Agency has recently published guidelines on how long an employer may keep the e-mail account of a former employee open, on who should have access to the account and for what purposes the account may be used.
As a result of several cases brought before the Danish Data Protection Agency concerning the employer's handling of the e-mail account of a former employee, the Agency has drawn up some guidelines on the subject. The guidelines apply where there is no specific agreement between the employer and the employee and provide among other things that:
1) The e-mail account of a former employee may only be kept open for as short a period as possible, and this period may not exceed twelve months. The twelve-month period begins to run from the time when the employee ceases to work regardless of whether the company pays salary to the employee for a period after the end of employment.
2) As soon as the employee has left the workplace and no longer has access to his or her e-mail account, the employer is required to set up an auto-reply stating that the employee no longer works for the employer.
3) The e-mail account may be used only to receive e-mails. Any personal e-mails sent to the e-mail account may, however, be forwarded to the employee's personal e-mail account.
4) Only one or very few trusted employees should have access to the e-mail account of the former employee.
5) Information on the employee's e-mail address must as soon as possible be deleted from the company's website and other information sites open to the general public.
6) In cases where the company keeps the e-mail account of a former employee open, it must comply with the rules of the Danish Data Protection Act, including the rules governing the duty of disclosure, access, etc. As to the duty of disclosure, it may be incorporated in the company's IT policy, and the Data Protection Agency also recommends that the company draws up guidelines on the handling of the e-mail accounts of former employees.
It should be emphasized that the Danish Data Protection Agency does not provide any directions as to whether the employer may read the former employee's personal e-mails as this issue is governed by the Danish Criminal Code. However, the general rule is clearly that the employer is not allowed to do so.