Monthly Update – April 2026
This month's update arrives slightly late, but here it is: your monthly privacy update. This month, we focus on something that affects almost every company with employees: what to do with a former staff member's email account after they leave. A recent Belgian DPA decision confirms a strict approach to ex-employee mailboxes, and several points in it deserve attention.
We also briefly cover two other April developments: the Booking.com data breach and the EDPB's new DPIA template.
📬 That ex-employee's inbox. Have you closed it?
A recent decision by the Belgian DPA (the GBA) confirms a position the authority has held for some time. It fined a company €8,500 for keeping a former employee's email address active for almost two years after they left, without telling incoming senders that the person no longer worked there.
The company argued that, as a certified accounting firm, it was bound by certain obligations, including the timely submission of tax returns and the provision of accounting advice to clients. It relied on legitimate interests as its legal basis, and its HR privacy notice described a three-year retention period for mailboxes after an employee's departure.
The GBA did not agree. Its conclusion: a breach of multiple core GDPR principles, all in one neglected inbox.
It happens more often than you would think. Someone leaves, the handover is hectic, and the email address gets quietly forgotten. This case is a useful reminder that "we'll deal with it later" is not a good solution.
What you're actually expected to do:
✅ Block or deactivate the mailbox by the employee's departure date.
✅ Set up an automated reply informing senders the person has left, with an alternative contact.
✅ Delete the mailbox after roughly one month (extendable by up to two further months, so three months in total, if the extension can be defended). That is the GBA's guideline for a reasonable retention period.
✅ Obtain the former employee's consent if you need access to information in their mailbox after departure, and preferably go through the mailbox with the employee present.
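The four steps above map directly onto an IT runbook. The script below is an added example, not code from the original post, the firm behind it or the GBA; it shows one way to implement the checklist on Microsoft 365 (Entra ID plus Exchange Online) in two phases: a departure-day phase that blocks sign-in, closes the mail protocols, sets the auto-reply and stamps a deletion date on the mailbox, and a scheduled phase that deletes mailboxes whose retention period has expired, refusing any extension beyond the default without a written justification and beyond three months at all. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, an administrator with the User Administrator and Exchange Administrator roles, and it uses CustomAttribute1 as the place to record the retention decision; the leaver details and the function names are hypothetical.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ExchangeOnlineManagement
# Added example (not the original post's code). Assumes Microsoft 365 with Entra ID and
# Exchange Online, and an account holding User Administrator + Exchange Administrator.
# Run once per session before calling the functions:
#   Connect-MgGraph -Scopes 'User.ReadWrite.All'
#   Connect-ExchangeOnline

$DefaultRetentionDays = 30   # GBA guideline: delete after roughly one month ...
$MaxRetentionDays     = 90   # ... extendable to at most three months in total, if defensible

function Disable-LeaverMailbox {
    # Phase 1: run on (or before) the departure date.
    param(
        [Parameter(Mandatory)] [string] $Upn,                 # e.g. firstname.lastname@company.com
        [Parameter(Mandatory)] [string] $AlternativeContact,  # who senders should write to instead
        [int]    $RetentionDays = $DefaultRetentionDays,
        [string] $RetentionJustification = ''                 # required for anything beyond the default
    )
    # Any extension must be defensible: refuse it without a recorded reason, and cap it at three months.
    if ($RetentionDays -gt $DefaultRetentionDays -and -not $RetentionJustification) {
        throw "Retention beyond $DefaultRetentionDays days for $Upn requires a written justification"
    }
    if ($RetentionDays -gt $MaxRetentionDays) {
        throw "Retention beyond $MaxRetentionDays days for $Upn is outside the GBA guideline"
    }

    # 1. Block sign-in and revoke existing sessions so the block takes effect immediately,
    #    not when cached tokens happen to expire.
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null

    # 2. Belt and braces: close every client protocol on the mailbox itself.
    Set-CASMailbox -Identity $Upn -OWAEnabled $false -ActiveSyncEnabled $false `
        -ImapEnabled $false -PopEnabled $false -MAPIEnabled $false -EwsEnabled $false

    # 3. Tell internal and external senders the person has left and whom to contact.
    $msg = "This person no longer works at our company. Please contact $AlternativeContact."
    Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Enabled `
        -InternalMessage $msg -ExternalMessage $msg -ExternalAudience All

    # 4. Record the deletion date and the reason on the mailbox so phase 2 can act on it
    #    without a separate database, and so an auditor can see why the period was chosen.
    $deleteOn = (Get-Date).AddDays($RetentionDays).ToString('yyyy-MM-dd')
    Set-Mailbox -Identity $Upn -CustomAttribute1 "offboarded;deleteOn=$deleteOn;reason=$RetentionJustification"
}

function Remove-ExpiredLeaverMailbox {
    # Phase 2: run on a schedule (e.g. daily). Deletes every tagged mailbox whose date has passed.
    $today = (Get-Date).Date
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -like 'offboarded;*'" |
        ForEach-Object {
            $fields   = @{}
            foreach ($kv in ($_.CustomAttribute1 -split ';' | Select-Object -Skip 1)) {
                $k, $v = $kv -split '=', 2
                $fields[$k] = $v
            }
            $deleteOn = [datetime]::ParseExact($fields['deleteOn'], 'yyyy-MM-dd', $null)
            if ($today -ge $deleteOn) {
                # Deleting the user deletes the mailbox. Entra ID keeps a soft-deleted copy
                # for a further 30 days, so the data is not truly gone on this date; take
                # that into account when you defend your total retention period.
                Remove-MgUser -UserId $_.UserPrincipalName
                Write-Output "Deleted mailbox $($_.UserPrincipalName) (retention expired $($fields['deleteOn']))"
            }
        }
}

function Find-ForgottenMailbox {
    # Audit: given the leaver list from HR, report accounts that were never offboarded properly.
    param([Parameter(Mandatory)] [string[]] $LeaverUpns)
    foreach ($upn in $LeaverUpns) {
        $enabled   = (Get-MgUser -UserId $upn -Property AccountEnabled).AccountEnabled
        $autoReply = (Get-MailboxAutoReplyConfiguration -Identity $upn).AutoReplyState
        $tag       = (Get-Mailbox -Identity $upn).CustomAttribute1
        if ($enabled -or $autoReply -eq 'Disabled' -or -not $tag) {
            [pscustomobject]@{ Upn = $upn; SignInEnabled = $enabled; AutoReply = $autoReply; Tagged = [bool]$tag }
        }
    }
}

# Example usage with a constructed leaver (hypothetical names):
Disable-LeaverMailbox -Upn 'jane.doe@company.example' -AlternativeContact 'accounting@company.example'
Find-ForgottenMailbox -LeaverUpns @('jane.doe@company.example', 'john.roe@company.example')
```

Two design choices worth noting. The retention decision is written onto the mailbox object itself, so the scheduled deletion job needs no side list that HR and IT can drift apart on, and the justification is visible to whoever audits the tenant later. And the script never grants anyone delegate access to the departed person's mail: whether that is permitted is a decision for the steps on consent above, not something an offboarding job should take on its own.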
A few things worth highlighting:
💠 Professional email addresses are personal data. The GBA confirmed this explicitly. An address like firstname.lastname@company.com directly identifies an individual and falls within the GDPR's scope. Not all data protection authorities take this view, as some treat professional addresses as purely business data, so the Belgian position is relatively strict. This is relevant not only at offboarding, but also for how you handle these addresses throughout the employment relationship.
💠 Ex-employees have the right to request a copy of their mailbox. Worth factoring into your offboarding process.
Tl;dr?
Align HR and IT on your offboarding process, make sure it is followed, and communicate it to your employees. It takes an afternoon. Not having it in place can cost considerably more.
💡 Also in April
Booking.com confirmed a data breach affecting customer reservation data, including names, contact details and booking specifics. The attack came through hotel partners rather than Booking.com's own systems, which is a useful reminder that if a vendor has access to personal data you are responsible for, their weak link is your problem too. Worth reviewing your data processing agreements and vendor assessments if you have not done so recently.
The EDPB published its first-ever standardised DPIA template, open for public consultation until 9 June 2026. A DPIA (Data Protection Impact Assessment) is required for high-risk processing activities. The template covers five structured sections and comes with a plain-language explainer. After the consultation, national DPAs are expected to align with it, either by adopting it as their standard template or by using it as a meta-template for national versions. Existing DPIAs do not need to be redone, but if you are planning a new one, it is worth aligning with this format from the start.
That's a wrap!
As always, if any of this raised questions about your own situation, you are welcome to book a free introduction call. We are happy to help you figure out where to start.
If you found this useful, feel free to forward it to a colleague navigating the same privacy landscape. 🚀
We take great care in providing information to you, but please be aware that these blog posts cannot be considered a substitute for professional legal advice, nor do they create an attorney-client relationship.