Belgian Data Protection Authority – again – imposes GDPR fines on public officers
The Belgian Data Protection Authority (BDPA) is slowly but steadily becoming more active in enforcing the EU General Data Protection Regulation (GDPR). Just like the very first GDPR fine that was imposed in Belgium (see below), the most recent fines are the result of complaints filed with the BDPA in the context of the 2018 municipal elections in Belgium.
The misuse of personal data by persons holding a public mandate and therefore having a duty to serve as an example for other citizens, is particularly worrisome according to the BDPA.
Two new GDPR fines in Belgium
On 28 November 2019, the BDPA imposed two administrative fines of EUR 5000,- each (text of press release: NL / FR). One fine was imposed on a mayor, and the second on an alderman. In both cases, the infringement concerned the re-use of personal data for purposes (the sending of personalized electoral campaign mail) which were deemed incompatible with the purpose for which the data were initially collected.
The case concerning the mayor originated from a complaint filed with the BDPA in the context of the 2018 municipal elections. It appears that the mayor had initially received the contact details of 476 individuals who had appealed to the mayor between 2012 and 2018. The mayor then reused this data in 2018 for his electoral campaign, a purpose which is incompatible with the initial purpose of the data collection.
The second fine was imposed on an alderman who had sent an electoral campaign letter to a list of his clients. The alderman had obtained this list of clients, consisting of 654 individuals, during the performance of a function that he fulfilled parallel to (i.e. unrelated to) his public mandate as an alderman. This therefore constituted misuse of personal data.
Non-compliance with the purpose limitation principle
The GDPR specifies that personal data collected for specified, explicit and legitimate purposes cannot be further processed in a manner that is incompatible with the initial purposes, also referred to as the 'purpose limitation principle' (Article 6(1)(b)). In accordance with this principle, the BDPA emphasized that the re-use of personal data - obtained within the context of a public mandate - for an electoral campaign, is incompatible with the initial data collection purpose and therefore infringes the GDPR.
Furthermore, the chairman of the Disputes Chamber of the BDPA confirmed that the status of public representatives (such mayors or aldermen) must be accompanied with exemplary behaviour in conformity with the law. Given the fact that hundreds of people were affected and the fact that the defendants were active as public representatives at the time of the infringement, the Disputes Chamber held that a fine of EUR 5000,- was justified in each of the two cases discussed above.
The use of personal data by public representatives
Earlier this year (in May 2019), the BDPA had also imposed a fine of EUR 2000,- on a mayor in a similar situation (personal data was also misused for electoral campaign purposes). This was the very first GDPR fine in Belgium. By imposing a similar fine on a public representative today, the BDPA is certainly reiterating the message that, also in the context of an electoral campaign, the rules of the GDPR fully apply.
Stéphanie De SmedtSenior associate Attorney at Law
Stéphanie De Smedt, attorney-at-law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: firstname.lastname@example.org