You are here:
04 June 2019 / news

First Belgian GDPR fine

On 28 May 2019, the Data Protection Authority (DPA) imposed its first administrative fine under the GDPR . A mayor was fined 2,000 EUR for misusing personal data for electoral campaign purposes. The DPA noted that while the fine is modest, the message is not: all data controllers must take their responsibility, most certainly those who hold a public mandate.

First Belgian GDPR fine

The case: sending of personalized e-mail by a government representative

The DPA received a complaint about a mayor who re-used personal data received during the performance of his duties for electoral campaign purposes. The mayor received this data when the complainants contacted him through their architect as part of a subdivision modification. The architect contacted the mayor by e-mail and copied the complainants in this e-mail. The day before the municipal elections of 14 October 2018, the mayor used this e-mail to send an electoral message to the complainants.

Following a hearing of both parties on 28 May 2019, the Dispute Chamber came to the conclusion that the GDPR had indeed been infringed by the major.

Non-compliance with the purpose limitation principle

The GDPR specifies that personal data collected for specific purposes must not be processed for a new purpose if this is incompatible with the original purposes. The re-use of data (in this case, e-mail addresses) obtained within the framework of an urban development project for electoral campaign purposes goes against the purpose limitation principle and therefore constitutes an infringement of the GDPR.

The Dispute Chamber held that compliance with the purpose limitation principle is one of the essential elements of the GDPR and that holders of a public mandate (such as mayors) to whom citizens have entrusted their personal data must be particularly vigilant. They must be aware that data obtained in the framework of a public office may never be re-used for personal purposes.

Given the limited number of persons involved and the limited impact of the infringement, the Dispute Chamber imposed a reprimand and a modest fine of 2,000 EUR.

A regulation applicable to everyone

This decision constitutes the first administrative fine imposed by the DPA, and was taken only one month after the new members of the Belgian DPA have taken office. While the fine is modest, the message is not: data protection concerns us all and GDPR compliance applies to all controllers, most certainly to those who hold a public mandate.

The mayor can appeal the decision of the DPA with the Brussels Markets Court.



Belgian Data Protection Authority – again – imposes GDPR fines on public officers

Belgian Data Protection Authority – again – imposes GDPR fines on public officers

The Belgian Data Protection Authority (BDPA) is slowly but steadily becoming more active in enforcing the EU General Data Protection Regulation (GDPR). Just... read more
Belgian team collecting the award for 'Best Law Firm of the Year' during the Trends Legal Awards 2019

Loyens & Loeff Belgium wins two awards during Trends Legal Awards

We are delighted to announce that we have won not only the ‘Best Law Firm of the Year’ award, but also the award for 'Best Law Firm in Tax Law' from Trends Legal... read more
More clarity on the exemption of wage withholding tax for construction industry

More clarity on the exemption of wage withholding tax for construction industry

Since 1 January 2018 construction companies, that employ shift workers, can benefit from a substantial cut in payroll taxes. Recent legislation clarifies this... read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.

Stay informed