The Office for Personal Data Protection of the Slovak Republic (DPA) has now dealt with the issue of employers keeping access to a former employee's email account, twice. The first case concerned a private sector employer; the second an employer from the public sector. What were the DPA's conclusions, and what were the consequences for the GDPR violations?

The private sector case

The proceedings were initiated by a former manager who objected that the employer had not deactivated his email account after termination of his employment and that it was still active and monitored by another manager within the company.

In its defence, the employer used the legitimate interest argument. It claimed that the reason for not deactivating the email account was protection of the employer's property, as given the former manager's past business contacts, many client responses and even requests had been sent to this email.

The argument, however, remained only at the level of the assertion as the employer failed to submit a proportionality test in relation to this legitimate interest to the DPA, and thus to prove it. In addition, the employer failed to prove that the manager was provided with relevant information on processing for this purpose, denying him the right to object to the processing and to the duration of the processing. Those were the main reasons why the DPA ruled against the employer.

In the reasoning for the ruling, the DPA also stated that legitimate interest can be a suitable legal basis for this kind of processing, however, the processing can only be carried out for a necessary period; ten months cannot be considered as necessary. Of course, this only applies if the employer properly fulfilled its other obligations arising from the GDPR during processing.