On 28 May 2019, the Belgian Data Protection Authority (DPA) proclaimed its first fine in Belgium under GDPR.
A fine of EUR 2,000 imposed on the Mayor for misusing the personal data for electoral campaign purposes.
The decision which DPA announced says that GDPR compliance is applicable to everyone. Especially to data controllers and to those with a public mandate. Moreover, people expect a mayor to follow and comply with the GDPR obligations before them.
How the DPA handled the complaint?
A complaint was received to the DPA against the Mayor. Who gained access to personal data without the consent of people. He used it for his election campaign purposes.
The Mayor received this data when the complainants contacted his office through their architect as part of a subdivision modification.
Later, the architect contacted Mayor through an email and sent him a copy of the email addresses of those who complained against him.
14 October 2018 was the evening of maniple elections. In that, even the Mayor used the email and sent his election propaganda to the complainants. On 28 May 2019, the DPA Disputes Chamber announced the decision that a violation committed under the GDPR.
A violation of the purpose limitation principle
The GDPR has clarified it long ago that if a data controller collects the personal data, he must prevent the use of information for a new purpose if they failed to achieve the original purpose (articles 5(1)(b) and 6(4), GDPR).
The DPA Disputes Chamber stated that compliance with the purpose limitation principle is one of the most important GDPR tenets.
The holder of the public mandate (Mayor), to whom a common citizen entrusts with his personal data must take steps vigilantly.
They must know that data gathered in public service can’t be used for personal purposes. The Chamber, a resident trusts a holder of a public mandate with his data and expects not to use it for other purposes.
Because public services and agents are our role models
The DPA said a mayor is highly expected to have complete knowledge of the GDPR obligations, ever since the GDPR applications has received a significant amount of public attention.
Nevertheless, skirting these obligations constitutes an inevitable infringement of the GDPR, stated the Chamber.
A GDPR fine by the DPA and its publicity
After evaluating the situation, the DPA found out that a small number of people got affected by the infringement. Hence, the Chamber issued a pecuniary penalty or a GDPR fine of EUR 2000.
The DPA Disputes Chamber said, “The use of personal data by politicians for election campaign purposes is an issue of great concern to citizens. It is important to remember that public agents must comply with the legislation”.
A message is sent
It is the first financial sanction from the new Belgian DPA after the new management committee.
However, the GDPR fine is moderate, but has a great message in it that “Data Protection is everyone’s business”.
“The protection of personal data is both a state of mind and a practice. The controller must always take a critical look at the use he/she wishes to make of the data at his/her disposal,” added Stevens, the DPA President.