Management of Employee Email Accounts (Post-Departure) – FAQs
When an employee leaves an organisation, the employer might wish to get access to the former employee’s email account in order to manage the incoming emails being sent to that address and to ensure business continuity. However, the employer’s interest in ensuring business continuity within the organisation must be carefully balanced against the data protection rights of the individuals concerned under the General Data Protection Regulation (EU) 2016/679 (the ‘Regulation’).
Can an employer set up automatic email forwarding following an employee’s departure?
No, this would generally not be compliant with the Regulation. As a starting point, while employers may implement internal policies that require employees to use their organisation’s email addresses strictly for work purposes, any personal emails in the employee’s mailbox remain personal and are not considered to be the property of the employer.
Therefore, implementing an automatic forwarding rule that sends emails received at a former employee’s company email address to another employee would not be compliant with the requirements of the Regulation, because it would cause any private or personal emails sent to that address to be disclosed to third parties.
Can an employer set up an automatic reply message following an employee’s departure?
Yes, and this approach is strongly recommended to safeguard the data protection rights and respect the privacy of all the individuals concerned, including both the departed employee and any individuals who may be sending emails to that address. By adopting this approach, it remains at the discretion of the sender whether to forward the email or not.
As to the contents of the message, it should clearly inform the sender that the intended recipient (i.e., the departed employee) is no longer with the company, and should provide an alternative contact for any queries the sender may have as well as details on how to contact that person. The message should also specify a timeframe within which the former employee’s email account will continue to receive emails and the date when it will be closed, following which, emails sent to that email address will no longer be deliverable.
As to the timeframe, the automatic reply message should not remain active indefinitely, but only for a reasonable period (for example, one month). The decision regarding the exact timeframe ultimately rests with the controller to be determined based on the specific circumstances, such as the nature of the employee’s departure, and whether the employee had a key role within the company which might require that the email account remain active for a slightly longer period.
As an employer, what are some general practical steps I can take to manage employee email accounts in a manner that complies with the Regulation?
While the employment relationship is ongoing:
- During the employment relationship, it is crucial that employees are well informed about the organisation’s approach on managing employee email accounts. This should be clearly outlined in an internal policy which is effectively communicated to employees, so that they fully understand and know what to expect upon departure from the company. In this regard, it is advisable that a ‘read-and-sign’ approach is adopted so that the employer can be sure that the employee has actually read the policy. Implementing such a policy is in line with the principle of transparency under the Regulation (as per recitals 39, 58, and article 12 thereof), which requires that information be provided to the data subject (i.e., the employee) in a manner that is “easily accessible and easy to understand, and that clear and plain language be used.”
- Ideally, the policy should specifically set out how employees are to organise their inboxes, so that personal emails are easily distinguishable from work emails – for example by creating a separate folder within the inbox for personal emails. This would significantly facilitate the retrieval of personal emails in the event of an employee’s departure from the organisation.
On the day of the employee’s departure:
- On the last day of work, the company should give the employee the opportunity to take a copy of and delete any personal or private emails, and should set up an automatic reply rule for any incoming emails that may continue to be sent to the employee’s email address.
- Depending on certain factors, including but not limited to the nature of the business activity and the role the former employee occupied, the organisation should determine whether, for the purpose of business continuity, the contents of the employee’s mailbox should be archived.
- Finally, as a best practice that fully respects the employee’s data protection rights under the Regulation, the departing employee should still be given the opportunity to retrieve or delete any personal emails in the inbox if this has not been done on the last day of work, especially if in practice the organisation permits limited personal use on the work email accounts.
Following the employee’s departure:
- The organisation must not allow other employees to access the mailbox of the former employee – this includes, but is not limited to, sending emails from this mailbox as if they are originating directly from the former employee. Such an approach would be considered invasive and intrusive and would result in the excessive processing of personal data – which is not in line with the principle of data minimisation (under article 5(1)(c) of the Regulation), since this requires that the processing of personal data should be limited only to what is strictly necessary to fulfil the intended purpose.
- As explained in the first question, the company should not implement an automatic forwarding rule for emails sent to the former employee’s email address, even if the forwarding is to another email address of the same organisation. Implementing such a practice would risk the unauthorised disclosure of potentially sensitive personal information relating to the former employee and/or other individuals that may be contained in the emails. This would likewise go against the principle of data minimisation, since automatic forwarding involves indiscriminately transferring all incoming emails, regardless of whether the content of each of those emails is relevant and necessary for work-related purposes.
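The following script is an added example and is not part of this FAQ. It shows how the guidance above (no automatic forwarding, a time-limited automatic reply that names an alternative contact and a closure date) can be applied to a departed employee’s mailbox in Exchange Online using the ExchangeOnlineManagement PowerShell module. It assumes an existing session opened with Connect-ExchangeOnline; the mailbox address, alternative contact and one-month period are placeholders to be replaced with the organisation’s own values.

```powershell
# Added example (not part of the FAQ): Exchange Online PowerShell steps for a
# departed employee's mailbox, implementing the FAQ's guidance:
#   - no automatic forwarding (mailbox-level setting or inbox rules)
#   - a time-limited automatic reply giving an alternative contact and a closure date
# Assumes the ExchangeOnlineManagement module and an open session
# (Connect-ExchangeOnline). The values below are placeholders.

$Mailbox          = 'former.employee@example.com'   # placeholder
$AlternateContact = 'team.inbox@example.com'        # placeholder
$ClosureDate      = (Get-Date).AddMonths(1)         # FAQ suggests roughly one month

# 1. Remove any mailbox-level forwarding so incoming mail stays in this mailbox only.
Set-Mailbox -Identity $Mailbox `
    -ForwardingAddress $null `
    -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 2. Remove inbox rules that forward or redirect incoming mail to other recipients.
Get-InboxRule -Mailbox $Mailbox |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false

# 3. Configure a scheduled automatic reply that switches itself off on the closure date,
#    so the reply does not remain active indefinitely.
$Message = @"
This mailbox is no longer monitored: its previous owner has left the organisation.
For any queries, please contact $AlternateContact.
This address will continue to receive email until $($ClosureDate.ToString('yyyy-MM-dd')),
after which it will be closed and messages sent to it will no longer be delivered.
"@

Set-MailboxAutoReplyConfiguration -Identity $Mailbox `
    -AutoReplyState Scheduled `
    -StartTime (Get-Date) `
    -EndTime $ClosureDate `
    -InternalMessage $Message `
    -ExternalMessage $Message `
    -ExternalAudience All

# 4. Verify: no forwarding remains and the automatic reply is scheduled with an end date.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object AutoReplyState, StartTime, EndTime
```

The verification step at the end is the part worth keeping in a checklist: the forwarding properties should all be empty or false, and AutoReplyState should read Scheduled with an EndTime matching the closure date communicated in the message, so the auto-reply expires on the same day the sender was told the address would close.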