Ex-employee mailbox: €176,000 fine and a short-lived legitimate interest

Belgian DPA (Decision 101/2026): keeping an ex-employee’s mailbox active for over a year is unlawful. Legitimate interest only covers a very short redirection (~1 month), with transparency, LIA and offboarding procedures.

Overview — On 12 May 2026, the Belgian DPA (APD/GBA) imposed a €176,000 fine (Decision 101/2026) for keeping an ex‑employee’s mailbox active for over a year. Takeaway: legitimate interest may justify a very short redirection, not prolonged retention. See the official press release “La Chambre Contentieuse inflige 3 amendes” and the full decision: Decision 101/2026 (PDF) and official summary.

The case

The Litigation Chamber of the Belgian DPA sanctioned a large technology company for failing to properly close an ex‑employee’s mailbox. The DPA found unlawful processing beyond a short post‑departure period, lack of transparency, insufficient organisational measures to ensure timely deletion, and failure to honour access rights. The fine comprised a little over €160,000 for unlawful processing plus roughly €16,000 for lack of transparency, together with corrective orders (Decision 101/2026). Official summary and full text.

Key point: legitimate interest (Article 6(1)(f) GDPR) may justify message redirection for “about one month” to ensure business continuity, but not keeping the mailbox active for a year; purpose and necessity fade over time. Source: APD.

Legal reasoning

  • GDPR legal basis. Temporarily keeping a named mailbox can, in the short term, rely on Article 6(1)(f) GDPR (legitimate interest), subject to the three‑part test: real/current interest, necessity, and a favourable balancing. Beyond a short period, necessity fails and the legal basis collapses; continuing the processing becomes unlawful (Articles 5(1)(a) and 6(1) GDPR). Decision 101/2026.
  • Purpose limitation, minimisation and storage limitation. Prolonged retention also breaches storage limitation (Art. 5(1)(e)) and data minimisation (Art. 5(1)(c)). The Luxembourg DPA (CNPD) stresses you cannot “retain just in case”; define a necessary, documented period, supported by a valid basis (often 6(1)(f) after a balancing test). CNPD — storage limitation.
  • Transparency and rights. The APD also sanctioned lack of information (Arts. 12–13) and failure to meet access rights (Art. 15). The CNIL advises: notify the employee, set an out‑of‑office message, disable named access and arrange a time‑limited redirection. CNIL — mailbox precautions and access to professional emails.
  • EU framework on legitimate interest. On 26 March 2026, the EDPB issued a One‑Stop‑Shop case digest on Article 6(1)(f), confirming the three‑part test and the need for documentation (LIA), with many cases failing on duration/necessity. In employment, consent is rarely “freely given” (Guidelines 05/2020). EDPB — 6(1)(f) case digest and EDPB — Consent 05/2020.

What this changes in practice (Luxembourg, BE/FR/DE)

  • Named accounts on exits/entries. Set an out‑of‑office message and redirect to a generic address or the replacement for a very short period (e.g., ≤ 1 month) under legitimate interest. After that, close/delete the mailbox; otherwise, processing turns unlawful. APD position (12 May 2026).
  • Expected documentation. Legal basis and GDPR-compliant retention periods in the records (Art. 30), up‑to‑date LIA for 6(1)(f), and clear information (Art. 13) describing the mailbox’s fate upon departure. CNPD guidance bans “just in case” retention. To steer registers, LIAs and procedures, a certified DPO mandate can own and maintain the framework.
  • Data subject rights. Provide a channel for access requests (Art. 15), with filtering/masking to protect trade secrets and third‑party data. CNIL method.
  • HR/IT — offboarding. Include: (1) standard out‑of‑office; (2) time‑limited redirection; (3) selective extraction to business systems/archives; (4) technical closure; (5) deletion per your retention schedule.

Operational decision tree (Article 6 GDPR)

  1. Post‑departure purpose
    — Immediate service continuity: legitimate interest possible if necessary and transitory; written LIA; out‑of‑office; no content access beyond strict necessity. EDPB.
    — Other objectives (marketing, monitoring, generic future evidence): no — new purpose → specific basis required; legitimate interest fails necessity/proportionality. APD 101/2026.
  2. Strictly necessary duration
    — Yes, short period (specified and recorded) → OK with LIA + info.
    — No, beyond ~1 month, close/delete; for specific evidentiary needs, extract the relevant item to an archive system with a dedicated basis and period. CNPD outlaws “just in case” retention. CNPD.
  3. Is consent an alternative?
    In employment, consent is rarely “freely given”; avoid relying on consent for redirection/access; prefer a bounded, documented 6(1)(f). EDPB 05/2020.
  4. Transparency and rights
    Inform ex ante (HR/IT charter) of the mailbox’s fate; handle access requests with filtering/masking. CNIL.

Common pitfalls seen in audits

  • Endless redirection: no end date → breach of Arts. 5(1)(e) and 6(1). APD 101/2026 penalises this drift. Decision.
  • Confusing case archives with a personal mailbox: extract relevant items into business systems/archives with defined periods; a named mailbox is not an archive vault. CNPD.
  • Illusory HR consent: in employment, consent is presumed not free; it does not cure disproportionate retention. EDPB 05/2020.
  • Forgetting information and access rights: at minimum: out‑of‑office, internal HR/IT notice, and clear rights procedures with filtering/masking. CNIL.
  • No LIA: the EDPB’s 2026 OSS digest shows that a missing documented balancing test often sinks 6(1)(f). EDPB.
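To make the decision tree and the audit pitfalls above checkable, here is an added example (not from the APD decision or any of the cited authorities) that runs the duration, end‑date, out‑of‑office, LIA and information checks over a constructed mailbox inventory. The record fields, the 30‑day reading of “about one month” and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption: "about one month" of legitimate-interest redirection read as 30 days.
MAX_REDIRECT_DAYS = 30


@dataclass
class MailboxRecord:
    # Hypothetical inventory fields, e.g. exported from HR and the mail platform.
    user: str
    departure: date
    active: bool                     # named mailbox still enabled
    forwarding_end: Optional[date]   # None = open-ended redirection
    auto_reply_set: bool
    lia_documented: bool
    employee_informed: bool


def audit_mailbox(rec: MailboxRecord, today: date) -> List[str]:
    """Return findings for one ex-employee mailbox, following the decision tree."""
    findings = []
    age_days = (today - rec.departure).days
    if rec.active:
        if age_days > MAX_REDIRECT_DAYS:
            findings.append("kept active beyond short window: necessity under 6(1)(f) fails, Art. 5(1)(e)")
        if rec.forwarding_end is None:
            findings.append("open-ended redirection: no end date")
        elif (rec.forwarding_end - rec.departure).days > MAX_REDIRECT_DAYS:
            findings.append("redirection end date exceeds short window")
        if not rec.auto_reply_set:
            findings.append("no out-of-office message")
        if not rec.lia_documented:
            findings.append("no documented LIA for 6(1)(f)")
    if not rec.employee_informed:
        findings.append("employee not informed of mailbox fate (Arts. 12-13)")
    return findings


def audit_inventory(records: List[MailboxRecord], today: date) -> Dict[str, List[str]]:
    """Map each user to its findings; an empty list means the mailbox passes."""
    return {r.user: audit_mailbox(r, today) for r in records}


# Constructed sample inventory: one compliant exit, one drift of over a year, one closed mailbox.
SAMPLE = [
    MailboxRecord("alice", date(2026, 5, 15), True, date(2026, 6, 10), True, True, True),
    MailboxRecord("bob", date(2025, 3, 1), True, None, False, False, False),
    MailboxRecord("carol", date(2026, 4, 1), False, None, False, False, True),
]
```

Running `audit_inventory(SAMPLE, date(2026, 6, 1))` leaves alice and carol clean and lists five findings for bob, the pattern the decision penalised.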


Luxgap regulatory expertise article.
