First penalty by Belgian Data Protection Authority
On 28 May 2019, the Belgian Data Protection Authority (DPA) imposed an administrative fine on a Belgian politician for a breach of the General Data Protection Regulation (GDPR). The fine of EUR 2,000 is the first one of its kind and comes a year after the GDPR entered into force on 25 May 2018.
At the end of 2018, the Litigation Chamber of the DPA received a complaint concerning a town mayor who allegedly had used several e-mail addresses he had received in relation to the exercise of his duties.
In the procedure of obtaining an allotment permit (‘verkavelingsvergunning’ or ‘permis de bâtir’), an architect had contacted the competent mayor through means of an e-mail. On 13 October 2018, a day before the municipal elections, the mayor replied to the email with unrelated propaganda for his re-election.
As a general principle, when personal data is used for a specific purpose (i.e. the permit), it cannot be reused for another purpose (i.e. the municipal elections) if it is conceived as incompatible with the initial purpose, unless (i) a freely given, specific, informed and unambiguous consent from the individual is obtained; or (ii) there is a clear processing ground provided by the GDPR. The DPA considers the principle of ‘purpose limitation’ to be key in GDPR compliance.
However, in the underlying case, no consent was given by the data subject nor other processing ground was used, resulting in a GDPR breach. Because of the exemplary role of a mayor, the breach was regarded as a ‘serious breach’. Furthermore, the Litigation Chamber expressed that someone holding a public mandate is to be trusted to lawfully process personal data and not to process the data for other purposes, in violation of the law.
Because of the ‘grossly negligent actions’ of the mayor, the Litigation Chamber decided to impose a reprimand as well as an administrative fine of EUR 2,000. The amount of the penalty was justified by the Litigation Chamber as the impact of the breach is relatively low as well as the (known) number of persons concerned. The mayor can still launch an appeal against the decision within one month of service thereof.
The DPA itself has expressed that the fine of the decision is moderate, in contrary to the clear message it provides: the protection of personal data is a concern for all of us. The president of the Litigation Chamber explains:
“GDPR compliance applies for all data processors and most definitely for government representatives. A mayor is to be expected to comply with the law and its obligations”.
As this is the first one of its kind, it will be interesting to see how the following decisions (and sanctions) will roll out. Taking into account the statements of the DPA, it is clear that the investigation of breaches of the GDPR has now become a number one priority. As the Litigation Chamber was only completely put into place at the end of May, it is expected that more decisions will follow rather soon.