Search for:

On 28 May 2019, the Litigation Chamber of the Belgian Data Protection Authority (DPA) has issued its first decision imposing a fine for violation of the EU General Data Protection Regulation (GDPR) since its entry into application on 25 May 2018.

The Litigation Chamber’s decision concerns the use of e-mail addresses that were initially collected by a mayor in the context of the exercise of his public functions in order to send materials in relation to his electoral campaign. The fine imposed amounts to EUR 2,000.

Complaint: reuse of information collected in the context of the exercise of public functions for private purposes

On 12 December 2018, the plaintiffs lodged a complaint with the Belgian DPA against the defendant in its capacity of mayor in relation to the misuse of their e-mail addresses, which was provided by the plaintiffs’ architect to the defendant in the context of an urbanistic request. The mayor reused the e-mail addresses to send election propaganda to the plaintiffs.

After hearing both parties on 28 May 2018, the Belgian DPA’s Litigation Chamber ruled that the defendant had breached the GDPR.

Violation of the GDPR principle of purpose limitation

The principle of purpose limitation, set forth in Article 5(1)(b) of the GDPR, prevents a controller from using personal data for new purposes that are incompatible with the purpose for which the data were initially collected. In the case at hand, the reuse of the e-mail addresses initially collected by the defendant in the context of an urbanistic project for a new and incompatible purpose, i.e. for election campaign purpose, is contrary to this principle and thus constitute a violation of the GDPR.

Although the amount of fine issued, i.e., EUR 2,000, is relatively small (due to the limited impact of the infringement and number of individuals affected), the Litigation Chamber declared that the conduct of the defendant constitutes a serious infringement of the GDPR.

The Litigation Chamber insisted on the fact that any controller must take GDPR compliance seriously, particularly when it comes to holders of public mandates such as a mayor. The Belgian DPA also outlined that citizens should be able to trust that the personal data they share with public officers in the context of the latter’s duties will not be illicitly reused for incompatible purposes, and in particular, for private purposes.

Importance of GDPR compliance

This decision of the Belgian DPA’s Litigation Chamber constitutes the first financial penalty issued since the entry into application of the GDPR on 25 May 2018 and occurs one month after the new members of the Executive Board took office.

For more information

The Belgian DPA’s decision n° 04/2019 of 28 May 2018 is available in Dutch (a French translation of the decision should be published on the Belgian DPA’s website shortly).

The Belgian DPA’s press release in relation to this decision is available in French and in Dutch.


Elisabeth Dehareng has been a partner in Baker McKenzie's Brussels office since 2014. Ms. Dehareng advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.


Daniel Fesler joined Baker McKenzie in 1993 and was admitted to the Brussels’ bar in 1990. He was made partner in 2004. His areas of practice are IT/IP law, Copyright, Database rights, E-commerce and Data Protection. Mr. Fesler is a member of Belgium’s IP and Trade & Commerce / TMT Practice Groups of Baker & McKenzie.


Noelle Pineux is an associate in Baker McKenzie's Brussels office.