First GDPR fine in Belgium: € 2000 imposed on a mayor

Author info
Bernd Fiten

The previous statement by the new Chairman of the Belgian Data Protection Authority (DPA) affirming that the DPA will step up a gear in 2019 to ensure compliance with the GDPR has in the meantime been reinforced by the imposition of the first GDPR fine in Belgium.

On 28 May 2019, the recently established Litigation Chamber of the DPA ruled that the principle of purpose limitation was violated by a mayor who had used personal data obtained in the performance of his duties for his election campaign.

What happened?

In the context of a land division file, an architect sent an e-mail to the mayor on behalf of her clients - the complainants in this case - in order to make an appointment. The complainants were copied (cc) on this e-mail.

Shortly before the municipal elections of 14 October 2018, however, the mayor answered this e-mail with election propaganda. The complainants then filed a complaint with the DPA and forwarded the mayor's reply to the leader of another political party.

That political party then went to the Council for Election Disputes, which issued a warning to the mayor. According to the mayor, the DPA could therefore not punish him again on the basis of the same violation. The DPA, however, stated that its fine did not concern the same facts, because it appeared from the Council's judgment that the warning was given for other facts.

Breach of the principle of purpose limitation

The DPA then assessed whether there had been a violation of the principle of purpose limitation. This principle provides that personal data must be collected for a specified, explicit and legitimate purpose (the initial purpose) and may only be processed for another purpose if the purpose for further processing is compatible with the initial purpose (Article 5(1)(b) of the GDPR).

In assessing whether the purpose for further processing is compatible with the initial purpose, the following elements should be taken into account (Article 6(4) of the GDPR):

  • The link between the initial purpose (setting up an appointment in a land division file with the mayor) and the purpose for further processing (sending election propaganda for the mayor's personal purposes);
  • The context in which the personal data have been collected, in particular the relationship between the data subjects (the complainants as citizens) and the controller (the mayor acting in his public mandate);
  • Furthermore, account should also be taken of the nature of the personal data, the possible consequences of the intended further processing and whether or not appropriate safeguards are in place (these elements were not applicable in this case).

On the basis of these elements, the DPA now rules that sending election propaganda is not compatible with the initial purpose. The DPA also refers to the exemplary role of the mayor and the extensive coverage of the GDPR in the media. The DPA therefore imposes both a reprimand and an administrative fine on the mayor for this serious infringement.

First GDPR fine with clear message

For the imposition of the administrative fine, the DPA relies on Article 101 of the Act of 3 December 2017 establishing the Data Protection Authority. This article refers to the GDPR for the imposition of administrative fines. A breach of the principle of purpose limitation is covered by the ‘heaviest’ category of infringements, for which a maximum fine of 20,000,000 euros or - in the case of companies - 4% of the total worldwide annual turnover applies.

The GDPR only sets a maximum fine, not a minimum fine. However, the GDPR does stipulate that fines must be sufficiently deterrent. In addition, the fine must also be effective and proportionate. For this reason, a number of factors may influence the amount of the fine, such as:

  • The nature, seriousness and duration of the infringement,
  • The deliberate nature of the infringement,
  • The categories of personal data,
  • The technical and organizational measures taken,
  • The measures taken to limit damage,
  • Previous breaches by the controller or processor,
  • The way in which the DPA became aware of the infringement,
  • Etc.

Several of these factors have been taken into account in this case. On its website, the DPA states that it wanted to give a clear message, but that the fine imposed is modest because of the nature, the seriousness and the duration of the infringement as well as the limited number of persons involved.

The fine imposed is indeed modest compared to, for example, the fine imposed on Google by the French supervisory authority (CNIL) earlier this year. However, it is difficult to compare a fine imposed on a multinational such as Google and a fine imposed on a private individual, as was the case here.

More information about this topic? Please contact law firm Timelex.