Cleaning up the email archive: from mailbox quota to GDPR-compliant
An average business mailbox in the Netherlands contains, after five years, between 50,000 and 250,000 emails, with storage of 5-25 GB. For the company it is a treasure trove of correspondence and contracts; for IT it is a quota problem; for compliance it is a GDPR time bomb. This article describes how to set up a clean-up of the business email archive without losing business knowledge or exceeding retention periods.
Three forces demanding a clean-up
- Quota. Mail servers with capacity licences; cloud platforms with 50/100 GB per user; storage costs in cloud environments that scale with email count.
- GDPR storage limitation. Personal data of customers and applicants in email body and attachments. Under GDPR art. 5 this may not be retained longer than necessary.
- Speed and searchability. A mail archive of 250,000 messages is practically unusable for searches.
Retention periods for email
Email is not a separate category under the GDPR; the retention period follows the content:
- Customer correspondence without fiscal interest: 2-3 years after last contact.
- Contract-related emails: 7 years after end of agreement (fiscal).
- HR and application correspondence: 4 weeks (rejected candidate) to 7 years (after end of employment).
- Complaint correspondence: 2 years after resolution.
- Marketing/newsletter lists: until unsubscribe plus 30 days.
For the full overview, see the GDPR retention cheat sheet.
A clean-up strategy in four steps
Step 1: Inventory
- How many mailboxes, how much total volume.
- How much of the data is old (volume per quarter across the oldest 5-7 years).
- Presence of ex-employees with still-active mailboxes.
Step 2: Set policy
- Standard retention period per category (derived from content).
- Auto-archiving to PST or journaling system for categories with fiscal periods.
- Auto-deletion after the retention period for the rest.
- Procedure for ‘right to be forgotten’ requests.
Step 3: Implementation
- In Microsoft 365: retention policies via Compliance Center.
- In Google Workspace: Vault retention rules.
- In on-premise Exchange: messaging records management policies.
- Per policy: scope, category, period, action (retain or delete).
Step 4: Communication
- Email to staff with date, policy and consequences.
- Personal exception for those who can demonstrate that older emails are still needed.
- Escalation to management for a decision in case of doubt.
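As an added example (not code from the original article), the policy of Step 2 and the retention periods listed above can be expressed as a dry-run evaluator: each content category gets the event that starts its clock and the period after it, every message gets a retain/delete/review decision, and the run produces the deletion log the Documentation section asks for. The category names, field names, mailboxes and dates are assumptions constructed for the demo.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional
# Retention clocks from the article per content category; "customer" uses the top of its 2-3 year range.
POLICY = {
    "customer":  ("last_contact",   timedelta(days=3 * 365)),
    "contract":  ("agreement_end",  timedelta(days=7 * 365)),
    "applicant": ("rejection",      timedelta(weeks=4)),
    "hr":        ("employment_end", timedelta(days=7 * 365)),
    "complaint": ("resolution",     timedelta(days=2 * 365)),
    "marketing": ("unsubscribe",    timedelta(days=30)),
}

class Message(NamedTuple):
    msg_id: str
    mailbox: str
    category: str           # derived from content, not from the mailbox it sits in
    anchor: Optional[date]  # date of the clock-starting event; None = not happened yet

def decide(msg: Message, today: date) -> tuple[str, str]:
    """Return (action, reason). A missing anchor means the clock has not started."""
    if msg.category not in POLICY:
        return "review", "uncategorised: escalate for a management decision"
    event, period = POLICY[msg.category]
    if msg.anchor is None:
        return "retain", f"{event} has not occurred yet"
    expires = msg.anchor + period
    if today >= expires:
        return "delete", f"{event} {msg.anchor}; {period.days}-day period ended {expires}"
    return "retain", f"retention runs until {expires}"

def run_cleanup(messages, today: date, dry_run: bool = True) -> list[dict]:
    # One entry per message: the log of executed (or simulated) deletions for GDPR evidence.
    log = []
    for m in messages:
        action, reason = decide(m, today)
        log.append(dict(run_date=today.isoformat(), mailbox=m.mailbox, msg_id=m.msg_id,
                        category=m.category, action=action, reason=reason, dry_run=dry_run))
    return log

TODAY = date(2025, 1, 15)  # constructed run date for the demo
SAMPLE = [  # constructed sample metadata; ids, mailboxes and dates are invented
    Message("m1", "sales@example.test", "customer", date(2021, 6, 1)),
    Message("m2", "legal@example.test", "contract", date(2020, 1, 1)),
    Message("m3", "hr@example.test", "applicant", date(2024, 12, 1)),
    Message("m4", "news@example.test", "marketing", None),
    Message("m5", "info@example.test", "unknown", date(2015, 3, 3)),
]

if __name__ == "__main__":
    for e in run_cleanup(SAMPLE, TODAY):
        print(e["msg_id"], e["action"], "-", e["reason"])
```

Run it with dry_run=True first and keep the returned log; only after the policy is signed off should the same decisions drive actual deletion.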
The biggest mistake: clearing without policy. A spontaneous ‘let's throw out emails older than 5 years’ is not a GDPR-compliant plan; it is a data breach waiting to happen.
What about ex-employees?
Mailboxes of people who have left are often a gap in policy. GDPR rules of thumb:
- Personal mailbox: no longer accessible; retention limited to legal reasons.
- Business email in their name: 90 days forwarding or access via licence sharing.
- Customer correspondence: archive in CRM or shared team system; then close the mailbox.
- Retention period for mailbox storage after leaving: 6 months to 1 year; then delete.
Local versus cloud deletion
A cloud delete is not the same as physical destruction. Read our article ‘Really deleting cloud data’ for the details. For most organisations: cryptographic erasure in the cloud suffices for GDPR purposes, provided the provider has demonstrable delete processes.
What does require physical destruction: local PST files on USB sticks or laptops, on-premise backups on tape or HDD. For these:
- USB sticks with PST: read ‘Disposing of USB sticks’.
- Backup tapes: read ‘Backup tapes and LTO cleanup’.
- Old HDDs with mail archive: DIN H-4 or H-5.
Auto-archive versus active clean-up
Two models:
Auto-archive
Emails older than X months go automatically to an ‘archive’ folder, and eventually to a cold-storage system. Good for mailbox quota, but extends the effective retention period unless a deletion policy is also active.
Active clean-up
Per quarter or year the oldest segment is reviewed and (per policy rule) deleted or retained. Requires human involvement, but delivers better GDPR compliance.
Most organisations combine: auto-archive for capacity, annual review for compliance.
Specific points of attention
- Attachments with personal data. Excel files with customer lists, PDF contracts with BSN, CV attachments from applicants. Inventory this stream separately.
- Personal folders and rules. Staff create their own mailbox structures that are sometimes 10 years old.
- Sent items. Personal data here too. Not only the inbox.
- Shared mailboxes. info@, support@, hr@. These need their own retention policy.
- OneDrive/SharePoint links. Attachments in emails often refer to shared files; for cloud deletion see ‘Really deleting cloud data’.
Documentation
For GDPR evidence you need:
- Retention policy recorded in writing.
- Implementation evidence (screenshots of Compliance Center / Vault).
- Log of executed deletions (automated or manual).
- Update in the record of processing activities.
Cloud mail cleaned up, on-premise backups destroyed.
We destroy the physical copies that do not travel with cloud deletion: USBs, tapes, old HDDs with mail archive.
Is your organisation working on email retention policy? Email us via desnipperaar.nl about the physical side of the clean-up.