The Belgian Data Protection Authority on Tuesday May 28 sanctioned a local politician with a fine of 2000 EUR for having abused e-mailaddresses of citizens for election purposes. Although the amount of the fine is rather low, it shows the newly elected members of the DPA take their role seriously since they took office about a month ago.

What happened?

The mayor of a Belgian municipality used e-mailaddresses he had obtained during the performance of his duties. The complainants, through their architect, had contact with the mayor in connection with a real estate transaction. The architect contacted the mayor by e-mail with a copy of the e-mail addresses of the complainants. The day before the municipal elections of 14 October 2018, the mayor sent an electoral message to the complainants via a “Reply”.

Both parties were heard by the Litigation Chamber of the Belgian DBA on 28 May 2019. After this hearing, the chamber came to the conclusion that the AVG had indeed been violated because of non-compliance with the principle of “purpose limitation”.

Purpose limitation principle

The GDPR specifies that the data collected by the data controller (in this case, the e-mail addresses obtained by the mayor) must be collected for specific purposes and shall not be further processed in a way incompatible with those purposes. The re-use of data obtained within the framework of an urban development project for electoral purposes therefore goes against the principle of finality and is an infringement of the GDPR.

The Litigation Chamber of the Belgian DBA believes that compliance with the purpose limitation principle is one of the key rules of the GDPR and that the holders of a government mandate (such as mayors) to whom the citizens have entrusted their personal data must be particularly cautious processing such data. Politicians holding a public mandate must be aware that personal data obtained during the performance of public duties may never be used again for personal purposes.

Modest fine but clear message

Given the limited number of persons involved and the nature, gravity and duration of the infringement, the Litigation Chamber: “imposes a reprimand as well as a modest fine of €2,000“.

The President of the Belgian Data Protection Authority, David Stevens, publicly commented on the decision and warned that: “The protection of personal data is both a state of mind and a practice: the controller must always take a critical look at the use he wishes to make of the data in his possession.”