Belgian Tech Firm Fined 176k for Keeping Ex-Employee Mailbox

By Steven | TrustYourWebsite · 17 May 2026 · 2 min read

Source: Security.NL

A large Belgian tech company has received a total fine of 176,000 euro from the Belgian Data Protection Authority (GBA) for failing to delete the email mailbox of a former employee in time. The GBA announced the decision on 12 May 2026, according to Security.NL. The name of the company has not been made public.

What happened?

According to Security.NL, the former employee discovered that her old work mailbox was still active after she had left the company. She asked the company to give her access to the mailbox and to delete it. Despite her request, the company reportedly failed to act properly.

The GBA found that the company had kept the mailbox active for at least a year after the employee's departure, which the authority considered unlawful. The company reportedly argued that retaining the mailbox was justified based on the former employee's role, but the GBA did not accept this reasoning as sufficient grounds for keeping the mailbox active for such a long period.

According to Security.NL, the GBA identified several violations:

  • The company unlawfully processed the personal data of the former employee by keeping her mailbox active
  • The woman and her contacts were not informed that their data was still being processed, which breached the company's transparency obligation
  • The company did not put in place the necessary technical and organisational measures to ensure the mailbox was deleted
  • The company did not respect the former employee's right of access to her own data

The fine breaks down into two parts: 160,000 euro for the unlawful data processing and 16,000 euro for failing to meet the transparency obligation, bringing the total to 176,000 euro.

Why does this matter?

This case is a reminder that data protection rules do not only apply to customer data. They also cover the personal data of your own staff and former staff. When someone leaves your business, their data does not automatically become yours to keep indefinitely.

If you are unsure whether your business handles employee data correctly, our GDPR compliance checklist is a good place to start. You can also read more about how fines are applied to smaller businesses in our guide to GDPR fines.

What does this mean for your website?

While this case involves an internal email system rather than a website, the underlying rules apply to any personal data your business holds. If your website collects contact details, booking information or staff data, you need a clear policy for how long you keep that data and how you delete it when it is no longer needed. Your privacy policy should reflect this honestly, so that people know what happens to their information.
