While an employee is absent from work, may their account and mailbox be handled by other employees?

ANSWER

When setting up work mailboxes or accounts for specific applications for employees using their personal data, such as first and last name, the data controller (employer) should, during an employee's absence from work, forward incoming electronic correspondence to the employee who is currently substituting for or carrying out the duties of the absent person. Granting access even to work mailboxes or personal (named) accounts to other employees should not occur. The same applies when employment ends — in that case all correspondence should be forwarded to the person who will take over the position of the departing employee.

By using such impermissible solutions, the employer exposes the employee, for example, to the Social Insurance Institution (ZUS) questioning their entitlement to sick leave and sickness benefit, as messages signed by the employee while on sick leave would indicate that the employee is nevertheless at work and performing work for the employer. Furthermore, from the perspective of personal data protection rules, persons substituting for an absent employee are not always appropriately authorised to process personal data, and the employer therefore exposes itself to an allegation of a personal data breach under Article 4(12) GDPR — unauthorised disclosure or unauthorised access to personal data. As a rule, every employee should have their own email address and their own accounts, and during their absence correspondence should be forwarded to persons who substitute for them.