Lessons Learned from the First Belgian GDPR Fine

The Belgian Data Protection Authority (DPA) has served notice to GDPR violators just one month after its Executive Committee members were sworn in to office. On May 28th, the Belgian DPA imposed its first financial sanction since the GDPR came into force. The case concerned the misuse of personal data by an elected official seeking re-election. And, although the administrative fine is quite modest in terms of amount (€ 2,000), its message is loud and clear: the DPA is empowered and ready to enforce the GDPR. In the words of the DPA’s new president: “the time of sit back and relax is over”.

The facts

The case concerns a mayor who misused personal data in the execution of his office for electoral campaigning purposes. The day before the local elections, the mayor had used “reply” in an email thread that concerned an urban development project, a subject of his official mayoral duties, to send out an unsolicited electoral campaigning message. As a result, two recipients of the email brought separate complaints before the Belgian DPA.

The assessment of the Belgian DPA

After merging the two complaints, the Disputes Chamber – the DPA’s administrative dispute settling body - – determined that there had been a violation of the purpose limitation principle. The GDPR requires that personal data (here, the email addresses of the complainants) are collected for specified, explicit and legitimate purposes, and that they should  not be further processed in a manner that is incompatible with those purposes. In the case at hand, the mayor had violated this principle by reusing the email addresses to which he had access in the performance of his duties (in casu the handling of an urban development project) for sending out electoral campaigning messages. For this violation, the Disputes Chamber decided to impose a reprimand.

The Disputes Chamber also took into account some aggravating factors. First, The Chamber found that elected officials, such as the Mayor,  must take extra care that he or she complies with the GDPR. Indeed, citizens must be able to rely on the fact that the data that they entrust to the holder of a public mandate in the performance of his or her duties will not be used for other purposes, contrary to the law. Also, the Disputes Chamber took into consideration the fact that the mayor had used the data for personal reasons. Finally, in  the Disputes Chamber rejected the Mayor’s defense that he did not understand  his obligations and responsibilities under the GDPR. Considering that the GDPR has received plenty of public media coverage, a mayor is expected to have adequate knowledge of his or her responsibilities under the GDPR - or that he or she at least gets informed about such responsibilities. As a result, the Disputes Chamber found a serious violation of the GDPR, and  proceeded to impose an administrative fine.

Takeaways

Although this is only the first administrative fine imposed by the Belgian DPA, there are already some useful takeaways to be discerned from the penalty decision.

For one, controllers cannot hide behind their ignorance of the GDPR to exonerate themselves of non-compliance. The GDPR has received ample public media coverage and one should by now be held accountable for compliance with its provisions.

Secondly, a breach of the GDPR can happen fast. In the case at hand, a split second decision to send out an email to contacts that one has gathered in a different context can be enough to trigger an administrative fine.

And thirdly, the statement of the new Chairman of the Belgian DPA should not be ignored: “The protection of personal data is both a state of mind and a practice: the controller must always take a critical look at the use he wishes to make of the data in his possession.”