On 28 May 2019, the Belgian Data Protection Authority (DPA) announced (available in French and Dutch) the imposition of the first General Data Protection Regulation (GDPR) fine in Belgium. A mayor was fined EUR 2000 for the misuse of personal data for electoral campaign purposes.
The DPA's decision suggests that GDPR compliance applies to all data controllers, and most certainly to those with a public mandate. According to the opinion, citizens expect a mayor to be aware of the GDPR and to comply with its obligations.
The DPA's handling of the complaint
The DPA received a complaint concerning a mayor that obtained personal data in the performance of his duties and used it for election campaign purposes.
The mayor reportedly received this data when the complainants contacted his office through their architect as part of a subdivision modification. The architect communicated with the mayor by e-mail, which included a copy of the complainants' e-mail addresses. On the eve of the 14 October 2018 municipal elections, the mayor used the email to send election propaganda to the complainants.
Following a hearing on 28 May 2019, the DPA Disputes Chamber concluded that a violation of the GDPR had been committed.
Violation: non-compliance with the purpose limitation principle
The GDPR specifies that personal data collected by a data controller prevents the use of this information (in this case, email addresses) for a new purpose if they are incompatible with the original purpose (articles 5(1)(b) and 6(4), GDPR).
The question was: Does data, obtained in an urban-planning project and reused for election-campaign purposes, contravene the purpose principle and constitute a breach of the GDPR?
The DPA Disputes Chamber ruled that compliance with the purpose limitation principle is one of the crucial GDPR tenets and that holders of a public mandate, such as mayors to whom citizens have entrusted personal data, must be particularly vigilant. They must be aware that data acquired in public service can never be reused for personal purposes. In the Chamber's view, a citizen must be able to trust the fact that data he entrusts to the holder of a public mandate in the performance of his duties will not be used for other purposes.
Public services and agents as role models
According to the DPA ruling, a mayor is expected to have knowledge of his GDPR obligations, especially since the application of the GDPR has received considerable public attention. Hence, in the opinion of the Chamber, skirting such obligations constitutes a serious infringement of the GDPR.
The DPA fine and its publicity
In light of the small number of persons affected, as well as the nature, duration, and limited gravity of the infringement, the Chamber issued a reprimand and a financial penalty in the form of a moderate fine of EUR 2000.
"The use of personal data by politicians for election campaign purposes is an issue of great concern to citizens," stated the DPA Disputes Chamber. "It is important to remember that public agents must comply with the legislation".
A message is sent
This decision constitutes the first financial sanction imposed by the new Belgian DPA, occurring only a month after its new management committee began work. While the fine was moderate, its message is important: data protection is everyone's business.
DPA President Stevens added: “The protection of personal data is both a state of mind and a practice: the controller must always take a critical look at the use he/she wishes to make of the data at his/her disposal”.
The mayor can appeal this decision.
Thomas Dubuisson, Associate, thomas.dubuisson@cms-db.com
Tom De Cordier, Partner, tom.decordier@cms-db.com