First fine imposed by the Belgian Data Protection Authority

The Belgian Data Protection Authority has finally imposed its first financial sanction on 28 May 2019. An administrative fine of 2,000 EUR was imposed for misuse of personal data by a public official for election purposes.

Without going into the details of the case, the ball started rolling after a complaint was lodged with the Belgian Data Protection Authority. The complaint concerned the use of personal data by a mayor for the local electoral campaign in 2018. After having heard both parties involved, the Dispute Committee of the Belgian Data Protection Authority came to the conclusion that the GDPR was violated. Further details of the case can be found on the website of the Belgian Data Protection Authority (in Dutch: https://www.gegevensbeschermingsautoriteit.be/).

For a long time the silence of our Data Protection Authority was interpreted by many as a “tolerance”. Consequently, many Belgian entities have still not taken any action yet to become compliance, or have put the implementation of their compliance plan on hold. The reason it took over 11 months for the first sanction to be issued was due to a language issue in the composition of the management committee of the Belgian Data Protection Authority. The selection of a German-speaking director took quite a while.

The sanction, an administrative fine of 2,000 EUR, may not seem significant, yet this should be a clear message that our Data Protection Authority has become active. As stated by the new chairman of the Belgian Data Protection Authority, David Stevens: “The time of sit back and relax is over”.

Note that the GDPR provides the data protection authorities with a wide array of sanction mechanisms, some of which are far worse than a fine, e.g. issuing a warning and reprimand, imposing a temporary or permanent ban on data processing, suspending data transfers to third countries, ordering the rectification, restriction or erasure of data. Besides the penalty of 2,000 EUR, the Belgian Data Protection Authority also issued a reprimand taken into account the specific circumstances surrounding the case.

We find that although many Belgian companies have already taken some steps to becoming compliant, quite a few have not continued the implementation of their compliance plan. The decision to shift the focus to other ,sometimes more urgent matters to be dealt with was often justified with the silence of our Data Protection Authority. If you have any questions or are in need of support with becoming GDPR compliant, feel free to contact us as we can help you.