On 28 May 2019, the Litigation Chamber of the Belgian Data Protection Authority (DPA) has issued its first decision imposing a fine for violation of the EU General Data Protection Regulation (GDPR) since its entry into application on 25 May 2018.
The Litigation Chamber's decision concerns the use of e-mail addresses that were initially collected by a mayor in the context of the exercise of his public functions in order to send materials in relation to his electoral campaign. The fine imposed amounts to EUR 2,000.
Complaint: reuse of information collected in the context of the exercise of public functions for private purposes
On 12 December 2018, the plaintiffs lodged a complaint with the Belgian DPA against the defendant in its capacity of mayor in relation to the misuse of their e-mail addresses, which was provided by the plaintiffs' architect to the defendant in the context of an urbanistic request. The mayor reused the e-mail addresses to send election propaganda to the plaintiffs.
After hearing both parties on 28 May 2018, the Belgian DPA's Litigation Chamber ruled that the defendant had breached the GDPR.
Violation of the GDPR principle of purpose limitation
The principle of purpose limitation, set forth in Article 5(1)(b) of the GDPR, prevents a controller from using personal data for new purposes that are incompatible with the purpose for which the data were initially collected. In the case at hand, the reuse of the e-mail addresses initially collected by the defendant in the context of an urbanistic project for a new and incompatible purpose, i.e. for election campaign purpose, is contrary to this principle and thus constitute a violation of the GDPR.
Although the amount of fine issued, i.e., EUR 2,000, is relatively small (due to the limited impact of the infringement and number of individuals affected), the Litigation Chamber declared that the conduct of the defendant constitutes a serious infringement of the GDPR.
The Litigation Chamber insisted on the fact that any controller must take GDPR compliance seriously, particularly when it comes to holders of public mandates such as a mayor. The Belgian DPA also outlined that citizens should be able to trust that the personal data they share with public officers in the context of the latter's duties will not be illicitly reused for incompatible purposes, and in particular, for private purposes.
Importance of GDPR compliance
This decision of the Belgian DPA's Litigation Chamber constitutes the first financial penalty issued since the entry into application of the GDPR on 25 May 2018 and occurs one month after the new members of the Executive Board took office.
For more information
The Belgian DPA's decision n° 04/2019 of 28 May 2018 is available in Dutch (a French translation of the decision should be published on the Belgian DPA's website shortly).