How to Handle Email Accounts After an Employee’s Departure
Official employee email accounts form part of an organisation’s core business infrastructure and frequently contain information essential to business continuity, client communication, and internal operations. When an employee leaves, the employer must promptly protect its legitimate business interests while simultaneously ensuring compliance with personal data protection requirements. In recent years, European supervisory authorities have imposed significant fines for the improper handling of former employees’ email accounts. Their decisions have established a clear compliance standard that employers should carefully consider when managing business email accounts following the termination of employment.
Practical Challenges
The most significant compliance risks typically arise in the period immediately before and after the termination of employment. On the one hand, the company must preserve business-critical information and ensure continuity in client communications. On the other hand, it must neither keep the employee’s email account active longer than strictly necessary (particularly since an email address will generally contain the former employee’s personal data) nor access its contents in a manner that could infringe the individual’s right to privacy.
Supervisory authorities have consistently taken the view that automatic forwarding of incoming messages, or the prolonged maintenance of an active mailbox without a clearly defined and documented internal procedure, constitutes an overly intrusive and disproportionate measure. Such practices regularly trigger regulatory scrutiny and, in many cases, administrative fines.
Standards of European Supervisory Authorities
Supervisory authorities across several EU Member States have adopted largely consistent positions on this issue. As a general rule, an employee’s email account should be deactivated on the effective date of termination. The employee should be informed of the deactivation to ensure awareness that access has ceased and that new messages will no longer be received.
On the same day, an automatic reply should be activated, informing senders that the individual is no longer employed, specifying the date of deactivation, and providing the contact details of the person responsible for further communication.
Prior to deleting the mailbox, the employer should enable the separation of business-critical messages from any potentially private correspondence. As a matter of best practice, this should be carried out while the employee is still employed or at the time of departure, thereby avoiding the need for subsequent access once the legal basis for processing has ceased.
The entire process, including deletion of the email address and mailbox, should, in principle, be completed within one month. By way of exception, this period may be extended to a maximum of three months in the case of employees holding positions of heightened responsibility, where such extension is objectively necessary to ensure an orderly transition. Any extension should be duly justified, documented, and agreed with the departing employee.
Croatian Practice (AZOP) and Alignment with EU Standards
The Croatian Personal Data Protection Agency (AZOP) has concluded that an employer is not required to grant a former employee access to their official email mailbox after the termination of employment. In the case at hand, the employee requested access only after the employment relationship had already ended. AZOP determined that, at that stage, no valid legal basis existed to allow such access.
At the same time, AZOP confirmed that a company may retain a former employee’s mailbox only for as long as necessary to extract business-relevant content. In the specific circumstances of the case, a three-month period to complete the process was considered reasonable.
This position is consistent with broader European supervisory practice. European data protection authorities emphasise that employees must be given the opportunity to separate private messages from business correspondence; however, this step must be facilitated while the employment relationship is ongoing or at the time of departure. Once the employment relationship has formally ended, continued access to the mailbox should no longer be permitted, as the legal basis for processing ceases to exist.
Croatian practice therefore aligns with the prevailing European compliance standard.
Instead of a Conclusion: Practical Checklist
- On the effective date of termination, the employer blocks the employee’s mailbox, notifies the employee of the deactivation, and activates an automatic reply informing senders that the individual is no longer employed. The message should clearly indicate the date of deactivation and provide alternative contact details.
- Prior to departure, the employer and employee jointly identify and extract business-critical messages that the company has a legitimate interest in retaining. At the same time, the employee should be given the opportunity to separate and retrieve any private correspondence, thereby avoiding the need to access the mailbox after termination.
- Following the extraction of business-related content, the mailbox and email address should be permanently deleted within one month. Only in exceptional circumstances (for example, where the employee held a role with an exceptionally broad scope of responsibility and a longer period is strictly necessary to ensure an orderly handover) may this deadline be extended. In any event, the extension should not exceed three months and must be clearly justified and agreed with the former employee.
- Advance transparency is essential. Employees should be informed of this procedural framework through internal policies and, in any event, prior to the termination of employment.
