Privacy & Information Security Law Blog

On May 28, 2019, shortly after the appointment of the new Belgian commissioner and the Director of the Litigation Chamber, the Belgian Data Protection Authority (the “Belgian DPA”) imposed its first fine since the EU General Data Protection Regulation ( “GDPR”) came into effect. The Belgian DPA fined a Belgian mayor EUR 2,000 for abusive use of personal data obtained in the context of his mayoral functions for election campaign purposes.

The Belgian DPA received a complaint from the data subjects whose personal data had been collected for local administration purposes and further used by the mayor for election campaign purposes. The parties were heard in front of the Belgian DPA’s Litigation Chamber. After hearing both parties, the Belgian DPA concluded that the use of the plaintiffs’ personal data by the mayor infringes on the GDPR’s purpose limitation principle--the purpose for which the personal data was initially collected was not compatible with the purpose for which the data was further used by the mayor.

The Belgian DPA however took into account the limited number of affected data subjects, nature, gravity and duration of the infringement when deciding the amount of the fine, and ultimately issued a reprimand and imposed a moderate fine of EUR 2,000.

The decision of the Litigation Chamber is the first financial penalty imposed by the Belgian DPA. While the amount of the fine is moderate, the message it carries is strong: data protection must be the concern of everyone. According to the Director of the Litigation Chamber, Dr. Hielke Hijmans, compliance with the GDPR applies to all data controllers, including public officials.