WHAT TO DO WITH EMAIL ADDRESSES OF EX-EMPLOYEES? WHAT SAYS THE GBA ABOUT THIS?
20 January 2026

What to do with old email addresses of people who leave your organization? What does the GBA say about this? Discussion and recommendations following the first Decision of the GBA (the Data Protection Authority) of 2026: 01/2026 (January 6, 2026) (https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-1-2026.pdf )

The facts in a nutshell

After a takeover, two professional email addresses (firstname.lastname@...) belonging to a former employee remained active for more than two years. Incoming emails were technically diverted to a virtual trash can (automatic deletion). According to the acquirer, this meant that no personal data was being processed anymore.

The Data Protection Authority (GBA) did not follow this reasoning.

Why this is a GDPR violation

The GBA reiterates several fundamental principles:

  • A personalized email address is in itself personal data.
  • Allowing it to remain in existence constitutes processing, even if emails are not read.
  • Metadata and mail logs (such as senders) are also personal data.
  • A technical measure such as automatic deletion does not eliminate the processing.

Employers must block the mailbox of the departing employee no later than the day of their actual departure and may only allow email addresses to exist for a very short period after departure, usually a maximum of one month, exceptionally up to three months, and only for an automatic out-of-office message.

Consequences of the breach

The company received a reprimand and was ordered to:

  • cease processing,
  • provide access to the data still available,
  • and permanently delete all personal data.

Recommendation

For entrepreneurs and advisors, the message is clear: post-exit email management is not an IT detail but a GDPR obligation. In the event of acquisitions and exits, it must be explicitly recorded when and how email addresses are closed. Technical workarounds do not offer legal immunity.

What is permitted? (practical framework)

The GBA accepts that email addresses of departing employees may remain active for a very limited period, subject to strict conditions:

  • Email addresses must be blocked at the end of the employment contract, no later than the date of the employee's actual departure.
  • Limited duration: standard maximum of 1 month, exceptionally up to 3 months.
  • Auto-reply only: an automatic reply that neutrally states that the person is no longer employed and refers to a general point of contact.
  • No access to emails: no forwarding, no access for colleagues, no monitoring of content.
  • Clear end date: after expiry, the email address, mailbox, and any logs will be permanently deleted.
  • Documentation: this procedure must be laid down in advance (IT policy, HR exit procedure) and preferably supported by a contract. This is in line with the principle of accountability (the GBA considers it very important that you can demonstrate why you do or do not do something). If you document this properly and show that you have thought it through, the GBA will appreciate this.

Technical solutions are permitted, but only if they actually prevent personal data from being processed. A measure that merely limits visibility is not sufficient.

M&A alert: often overlooked post-closing risk

In acquisitions and restructurings, email management of departing shareholders, directors, and key figures often remains under the radar. Address this immediately and document it to ensure compliance!

If you have any questions, please contact [email protected].

Joost PEETERS is a lawyer and DPO (Data Protection Officer).

Sources: