APD/GBA - 10/2019
|APD/GBA - DOS-2018-06068|
|Relevant Law:||Article 5(1)(b) GDPR|
|National Case Number:||10/2019|
|European Case Law Identifier:||n/a|
|Appeal:||Cour des marchés de la cour d'appel de Bruxelles (Belgium)|
French and Dutch
|Original Source:||APD (in FR) and GBA (in NL)|
A mayor used citizen's data to send letters for his re-election campaign. The Belgian DPA (APD/GBA) issued a warning and a fine of € 5000 for violation of the principle of purpose limitation.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant was running a political campaign for a city election in October 2018. He submitted a complaint before the DPA because he argued that his political opponent (the mayor) used public data for the purpose of his political campaign. This database included the collection of the complainant’s personal data.
Dispute[edit | edit source]
Is the GDPR applying in a context of personal data processed for political purposes? Is the data collection legal?
Holding[edit | edit source]
First, the DPA found that the GDPR should apply to the controller of the processing at issue.
Secondly, that there was no legitimate purpose for the further processing of the personal data which were initially stored in the City’s records.
Therefore, the DPA found that the controller violated Articles 5(1)(b) and (e) and 6(4) GDPR. A fine of € 5,000 was issued.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the French or Dutch original for more details.
File No.: DOS-2018-06068 Litigation Chamber Decision on the merits 10/2019 of 25/11/2019 Subject: Complaint by X against a candidate in election Y The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke Hijmans, President, and Messrs. Poullet and C. Boeraeve, members, which takes over the case in its present composition; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter DPA; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter LCA); Having regard to the internal rules of procedure of the Data Protection Authority as approved by the House of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019; Having regard to the documents on file; Has taken the following decision: I. Retroactive proceedings Having regard to the complaint lodged on 21 October 2018 by X with the Data Protection Authority ; Having regard to the additional information communicated by X to the Data Protection Authority received by the latter on 21 November 2018; Having regard to the decision of 10 December 2018 of the Data Protection Authority's First Line Service declaring the complaint admissible and the transmission of the same to the Litigation Chamber on the same date; Having regard to the decision taken by the Litigation Chamber at its sitting of 19 December 2018 to request an investigation by the Inspection Service pursuant to Articles 63(2) and 94(1) of the ACL; Having regard to the referral of the Inspector General on the same date; Having regard to the Inspector General's report and minutes of investigation transmitted on 4 April 2019 to the Litigation Chamber, the findings of which are reproduced in this decision (see point III); Having regard to the decision taken by the Litigation Chamber at its sitting on 15 May 2019 to consider that the case file was ready for processing on the merits pursuant to Articles 95 § 1, 1° and 98 LCA ; Having regard to the communication, on 20 May 2019, of the Inspector General's report and investigation report to the parties and the invitation of the Litigation Chamber to the parties to put forward their arguments in accordance with an established timetable ; Having regard to the email of 6 June 2019 from Mr W, in which he informs the Litigation Chamber of his intervention as counsel for the candidate for municipal elections Y and in which he states that, following the exchange of conclusions, his client wishes to be heard pursuant to Article 51 of the Internal Rules of the Data Protection Authority; Having regard to the conclusions of X received on 12 June 2019; Having regard to the conclusions filed on 17 July 2019 by Maître W, counsel for the candidate in the communal elections Y; Having regard to the hearing at the session of 5 November 2019 during which the complainant appeared in person and was assisted by Mr Z and during which the candidate in the elections Y was represented by his counsel, Mr W; Having regard to the minutes of the hearing held on 5 November 2019, the content of which is summarised in point IV of this decision. II. Facts and subject matter of the complaint The plaintiff is an inhabitant of the municipality of ... and a candidate in the municipal elections of October 2018 in that municipality on a list competing with that of the defendant's candidate in the municipal elections Y. Mr. Y has been the mayor of ... since 2006, re-elected in this position after the communal elections of October 2018. In his complaint, X states that he received an election propaganda letter dated 9 October 2018 from Mr. Y - a letter on the letterhead of the commune of ... the Mayor's office and in an envelope from the Mayor's office - in which the latter, signing in his capacity as mayor, wrote to him as follows: "Dear X, Already 6 years ago, the citizens of ... renewed their confidence in me as Mayor. In this capacity, I had the opportunity to meet you during a citizen meeting or to receive a letter from you in which you were able to explain to me the questions, expectations or problems you were encountering. As you have seen, I have always made myself available (...). Next Sunday you are called to vote (...). So, I would like to ask for your support to allow me to continue to invest myself with as much enthusiasm and motivation as I have done in my role as Mayor of all the ... (…) Your Mayor (Signature) Y ». Mr. X denounces the fact that Mr. Y has set up a database and collected his personal data without informing him, a database which also includes the data of all the other citizens of the municipality who requested the intervention of Mr. Y in his capacity as Mayor. During the hearing of 5 November 2019, he states in this respect that he did not personally request the intervention of Mr Y but accompanied a neighbour who had made this request to the C during his appointment. He also denounces the fact that his data were reused in the context of the October 2018 election campaign to send him the above-mentioned letter. III. The Inspector General's report and investigation report In his report and investigation report, the Inspector General made the following findings: "In his letter in reply [read in response to the Inspector General's request for information], Mr. Y explains that the supplementary list [i.e. the list of persons who requested him as mayor] was drawn up between 2012 and 2018 in the context of his function as Mayor of the municipality of .... It includes the contact details of citizens who have requested an appointment or have written to him to set out their grievances in order to obtain information, assistance or advice in a case that concerns them. It is on the basis of the voters' list, cross-referenced with data from the supplementary list, that he transmitted his electoral mail". The said report of the Inspector General also notes that this complementary list includes the following data: first name, surname, address, telephone number of the persons who contacted Mr. Y in his capacity as Mayor as well as the purpose of the contact. IV. The minutes of the hearing of 5 November 2019 At the oral hearing on 5 November 2019, the complainant's counsel developed orally the written arguments submitted by the complainant in the course of the procedure. The complainant particularly stressed - as already mentioned in section II - that he had not personally requested Mr Y's intervention but had accompanied a neighbour who had taken such a step. His counsel insisted that the complainant had not been informed of the initial data collection. As for Mr. Y, his counsel also developed orally the written arguments he had previously filed. He insisted on the fact that, although Mr Y had indeed cross-referenced the list of contacts requesting him in his capacity as Mayor with the list of electors, he could have, at least in part, also remembered and written to a number of fellow citizens who had requested him during his term of office by going through the list of electors. He also noted that only this list was cross-checked with the voters' list and not any other list from another communal service/department to which the inhabitants would have appealed. V. As to the competence of the ODA, in particular the Litigation Chamber As to the competence of the Data Protection Authority, in particular the Litigation Chamber Pursuant to Article 4 § 1 of the LCA, the Data Protection Authority is responsible for monitoring compliance with the fundamental principles of the protection of personal data, within the framework of the Law of 3 December 2017 establishing the Data Protection Authority (LCA) and the laws containing provisions relating to the protection of the processing of personal data. Pursuant to Article 33 §1 of the DPA, the Litigation Chamber is the administrative litigation body of the Authority. It is seized of the complaints that the front-line service transmits to it pursuant to Article 62 § 1 of the LCA, i.e. admissible complaints if, in accordance with Article 60 § 2 of the LCA, they are drawn up in one of the national languages, contain a statement of the facts and the information necessary to identify the processing of personal data to which they relate and fall within the competence of the Data Protection Authority. In a judgment of 23 October 20191 , the Market Court confirmed in this respect that: "De bevoegdheid van de GBA strekt zich enkel uit tot het oordelen over een correcte naleving van de AVG en de Belgische privacywetgeving zoals duidelijk omschreven in de GBA-wet". Translation: The competence of the ODA is limited only to deciding on the correct compliance with the GDR and Belgian privacy legislation, as clearly specified in the ODA law]2. (Article 75-17) that does not constitute a breach of data protection rules or on the validity of a decision of inadmissibility of a request for citizen interpellation submitted by the complainant, two grievances invoked by the complainant in his submissions which do not relate to compliance with the fundamental principles of personal data protection with regard to the processing of identified personal data as defined in Article 4(1) and (2) of the General Data Protection Regulations (GDPR). 1 Hof van beroep Brussel, sectie Marktenhof, 19de kamer A, kamer voor marktzaken, arrest dd. 23 oktober 2019. 2 Free translation made by the Secretariat of the Data Protection Authority in the absence of an official translation. VI. On the grounds of the decision On failure to process data in a way compatible with the purposes for which they were collected In his capacity as data controller, Mr Y is required to comply with data protection principles and must be able to demonstrate that they are respected (principle of responsibility - Article 5.2. of the DPMR). He must also implement all necessary measures to that effect (Article 24 of the DPMR). The purpose principle is a cornerstone principle of data protection. It has been enshrined since 1981 in Article 5 b) of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS 108), it is set out in Article 6 § 1 b) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and in Article 4 § 1, 2° of the Law of 8 December 1992 on the protection of privacy with regard to the processing of personal data . When the right to data protection was established as a fundamental right by Article 8 of the Charter of Fundamental Rights of the European Union in 2000, the purpose principle was stated as a key element of this right3. This principle has logically been taken up in Article 5(1)(b) of the GDPR under the Principles relating to the processing of personal data (Chapter II). Article 5(1)(b) of the RGPD thus provides that : « 1. Personal data must be : (...) (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archival purposes in the public interest, for scientific or historical research or for statistical purposes shall not be regarded, in accordance with Article 89(1), as incompatible with the original purposes" (purpose limitation). 3 Article 8 of the Charter of Fundamental Rights of the European Union: 1 Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly, for specified purposes and on the basis of the consent of the data subject or some other legitimate basis laid down by law. Everyone has the right of access to and the right to rectify data collected concerning him or her. 3. 3. Compliance with these rules shall be subject to control by an independent authority. In other words, this principle requires that data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for purposes other than the one for which they were originally collected is only allowed if such further processing is compatible with the purposes for which the personal data were originally collected, taking into account the link between the purposes for which they were collected and the purposes of the envisaged further processing, the context in which the personal data were collected, the possible consequences of the envisaged further processing for the data subject and the existence of appropriate safeguards. A compatible purpose is for example a purpose which the data subject can foresee or which can be considered compatible under a legal provision (see Article 6.4. of the GDMP). In its note on "Elections" published on its website in the early 2000s and updated following the entry into force of the DPMR4 , the Data Protection Authority mentions that : "From this perspective, it is therefore not permitted to re-use personal data recorded in the above-mentioned files [both public and professional files, for example] for the purpose of electoral propaganda. Such processing is incompatible with the purposes for which these data were originally collected, which is punishable under Article 83.5 of the GDMP". The note goes on to state that : "By way of example, personal data of citizens obtained in the exercise of an alderman's mandate may not be reused for the organisation of an electoral campaign. This is a misuse of information obtained lawfully in the exercise of an alderman's mandate. Such use of personal data is not only prohibited because of the principle of purpose limitation but also breaks the equality between political parties and equality between candidates. The legislation aims at treating all candidates equally by giving them access to the same data, namely those on the voters' lists". Any further incompatible use is prohibited with two exceptions provided for in Article 6.4. of the GDR. Where the data subject has given his or her consent to further processing for a distinct purpose or where the processing is based on a legal provision which constitutes a measure 4 Processing of personal data for the purposes of personalised election propaganda mailings and respect for the privacy of citizens: fundamental principles, https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Note_elections_RGPD.pdf. necessary and proportionate in a democratic society, in particular to guarantee important public interest purposes, the controller may nevertheless further process these personal data for other purposes, whether or not they are compatible with the original purposes. The Litigation Chamber specifies in this respect that the consent of the data subject must relate to the further processing for a distinct purpose and not constitute, where appropriate, the basis for the legitimacy of the first processing operation. In other words, it is irrelevant in this respect that the initial data processing is itself based on consent. In any event, it must be ensured that the data subject is informed about such other purposes and his or her rights.5 Both in his replies by letter of 25 March 2019 to the questions put by the Inspector General and in the conclusions he submitted to the Litigation Chamber, Mr Y does not dispute that he cross-checked the personal data of a significant number of persons who applied to him between 2012 and 2018 (list of 476 persons in total) with those on the voters' list in order to send the former a letter inviting them to remember the service rendered and to vote for him in the October communal elections. The Inspector General's report of 4 April 2019 also mentions this. During the hearing of 5 November 2019, Mr. Y insists on the fact that the said letter does not mention the service rendered and is addressed only to the persons who requested it and not to all those who, during his mandate as Mayor, would have called upon one or the other communal service. As the Litigation Chamber decided in its decision 04/2019 of 28 May 20196 , this further use of personal data is incompatible with the primary purpose of the processing and is not authorised by the RGPD. The argument that the data subjects on this list have given their consent is rejected by the Litigation Chamber. Contrary to the Respondent's submission, the consent - which would otherwise have to satisfy all the conditions of Article 7 of the RGPD - on which the initial processing is based is not such as to qualify that further processing as admissible under Articles 5(1)(b) and 6(4) of the RGPD. In conclusion, it follows from the foregoing that by using a file constituted from the data of persons who requested it in their capacity as mayor under the previous mandate by sending them a letter - on the letterhead of the Commune of ..., office of the Mayor and signed in their capacity as mayor - in the context of the municipal elections of October 2018, intended to invite them to 5 Processing of personal data for the purposes of personalised election propaganda mailings and respect for the privacy of citizens: basic principles: https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/Note_elections_RGPD.pdf 6 This decision is published: https://www.autoriteprotectiondonnees.be/sites/privacycommission/files/documents/BETG04- 2019ANO_ENG.pdf voting for him, Mr Y processed the said personal data in a manner incompatible with the initial purpose of collecting such data - even if it was lawful - and this in breach of Articles 5(1)(b) and 6(4) of the RGPD. The Litigation Chamber recalls in general terms that any processing of personal data - including the initial collection but also the conservation of the data collected in particular - must be based on one of the bases of lawfulness provided for in Article 6 of the PGRD. The rights, in particular the right to information, of the data subject as provided for in Chapter III of the PGRDD must also be respected. Moreover, pursuant to Article 5(1)(e) of the EDPR, data may not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which they are processed. VII. On remedial measures and sanctions According to article 100 LCA, the Litigation Chamber has the power to : 1° dismiss the complaint without further action; 2° order the dismissal of the case; 3° to pronounce a suspension of the pronouncement; 4° to propose a settlement; 5° issue warnings or reprimands; 6° order to comply with the requests of the person concerned to exercise these rights; 7° order that the person concerned be informed of the security problem; (8) order to freeze, limit or prohibit temporarily or permanently the treatment; (9) order to bring the treatment into conformity; 10° order the rectification, restriction or deletion of data and the notification of the data to the recipients of the data; 11° order the withdrawal of the approval of certification bodies; 12° order the imposition of penalty payments; 13° give administrative fines; 14° order the suspension of transborder data flows to another State or an international organization; 15° transmit the file to the Public Prosecutor's Office of the King's Prosecutor of Brussels, which informs it of the action taken on the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. As for the administrative fine that may be imposed in accordance with Articles 83 of the RGPD and Articles 100, 13° and 101 of the LCA, Article 83 of the RGPD provides as follows: "Article 83 RGPD 1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation, as referred to in paragraphs 4, 5 and 6, are in each case effective, proportionate and dissuasive. 2. 2. Depending on the specific features of each case, administrative fines shall be imposed in addition to, or instead of, the measures referred to in Article 58(2)(a), (b), (c), (d) and (e), (f) and (g). (a) to (h), and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of the following elements : (a) the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them (b) whether the breach was committed intentionally or through negligence or misconduct; (c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects; (d) the degree of responsibility of the controller or the processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32; (e) any relevant breach previously committed by the controller or the processor; (f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating its possible negative effects; (g) the categories of personal data concerned by the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or the processor notified the breach; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures; (j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and (k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach. As to the nature of the breach (Article 83(2)(a) of the GDR), the Litigation Chamber recalled that compliance with the purpose principle is an essential and founding principle of data protection. This principle, enshrined in Article 5 of the RGPD (Chapter II - Principles; Article 5 - principles relating to the processing of personal data) has applied not only since the entry into force of the RGPD on 24 May 2018 but also since the entry into force in 1993 of the Law of 8 December 1992 on the processing of personal data which preceded it. According to the Chambre Contentieuse, failure to comply with this fundamental principle constitutes a serious breach. The argument that Mr Y did not master all the contours of this regulation, described as "new", does not therefore stand up to analysis. This lack of control does not detract from the fact that, at the time of the facts, the principle of finality had already been in force for more than 25 years. As to Mr Y's intention, this is proven. He did not act negligently but deliberately used the list of persons who had contacted him during his previous term as mayor to contact them in the context of the local elections of October 2018 in ... As to the purpose of the processing (Art. 83.2(a) of the RGPD), the Litigation Chamber notes that it consists in encouraging the recipients of the mail to vote for a particular candidate. If this is of course the aim of any electoral campaign, the respect of the laws in the context of the campaign is particularly important, especially since as outgoing mayor, the candidate enjoys de facto a reputation among the electorate. In this respect, the European Data Protection Committee (EDPS) has recently recalled the importance of data protection rules in the electoral context in the following terms: "Compliance with data protection rules, including in the context of electoral activities and campaigns, is essential for the protection of democracy. It is also a means of preserving the trust of citizens and the integrity of elections "7. 7 As the Chambre Contentieuse pointed out in its above-mentioned decision 04/2019 of 28 May 2019,8 Mr Y's position as mayor since 2006 should also have been accompanied by a 7 Voy. European Data Protection Board (EDPB), Statement 2/2019 on the use of personal data in the course of political campaigns (13 March 2019): "Compliance with data protection rules, including in the context of electoral activities and political campaigns, is essential to protect democracy. It is also a means to preserve the trust and confidence of citizens and the integrity of elections". 8 The decision of the Chamber of Disputes 04/2019 of 28 May 2019 states the following in this regard: "This [read compliance with the rules laid down by the RGPD] applies to any controller and a fortiori to the holder of a public mandate such as a burgomaster. The citizen must be certain that the data he entrusts to the holder of a public mandate in the exercise of his duties to exemplary behaviour with regard to compliance with legislation, including data protection legislation, especially in the electoral context. This capacity of public representative already at the time of the facts is retained by the Litigation Chamber in the assessment of the seriousness of the breach. As Mr. Y has been re-elected since October 2018 as mayor, the Litigation Chamber also takes this element into account when assessing the effectiveness of any sanction pursuant to Article 83 of the GDR. The Litigation Chamber also notes that, as regards the data processed (Article 83.2. a) of the RGPD), Mr Y used only the identification data of the citizens who had previously contacted him (surname, first name, address), the latter stressing that the data processed in the context of the mailing referred to in the complaint are also available to him via the Register of Electors, which he can legitimately use for electoral propaganda purposes - and which, at least in part, he could have remembered by going through the said list of electors. The Litigation Chamber considers that although the categories of personal data processed (surname, first name and postal address) are not such as to cause irreparable harm to the privacy and data protection of the addressees of the said letters, on the other hand, in the electoral context and in view of the purpose of the processing already mentioned, the number of persons concerned (476) - a fortiori in view of the number of potential voters in a municipality such as that of ... - is not negligible. It has also been established that the lists were indeed cross-checked. The Judicial Chamber states that the other criteria listed in Article 83(2) of the RGPD are not, in this case, such as to result in an administrative fine of an amount other than that which it sets under the terms of this decision. In conclusion, in the light of the elements developed above which are specific to this case, the Litigation Chamber considers that the facts found and the failure to comply with Articles 5(1)(b) and 6(4) of the PGRD justify the imposition of an effective, proportionate and dissuasive penalty as provided for in Article 83 of the PGRD and having regard to the assessment factors listed in Article 83.2. of the RGPD, a reprimand (Article 100 § 1, 5° LCA), together with an administrative fine of EUR 5,000 (Articles 100 § 1, 13 and 101 LCA) be imposed on Mr Y. his functions will not be used for other purposes, in violation of the law. Moreover, this is a case of use for the personal purposes of the holder of that office. A burgomaster must be expected to be aware of the obligations under the RGPD or to be properly informed about them. It is also important that the media pay close attention to the application of the MDPR. The Chambre Contentieuse believes that a mayor must set an example when it comes to complying with the law". For all the above reasons, and in order to remind all public officials of the law applicable to the protection of personal data and the ban on using citizens' files for purposes other than those for which they were initially collected, the Litigation Chamber considers it essential to make its decision public on the basis of Article 100 § 1, 16° LCA by omitting all data that allow the direct identification of the parties. In doing so, the Data Protection Authority is acting in accordance with the legislature's wish as provided for in Article 7, 2° of the Act of 5 May 2019 amending the Code of Criminal Investigation and the Judicial Code as regards the publication of judgments and decisions, thus anticipating the entry into force of this provision (M.B., 16 May 2019). FOR THESE REASONS, The Litigation Chamber of the Data Protection Authority decides, after deliberation, to : - Issue a reprimand against Mr. Y on the basis of Article 100 § 1, 5° LCA; - To impose an administrative fine on Mr. Y in the amount of 5,000 euros pursuant to Articles 100 § 1, 13° and 101 LCA; - To make public its decision on the basis of Article 100 § 1, 16° LCA by publishing it on its website https://www.autoriteprotectiondonnees.be/, omitting however any element allowing the direct identification of the parties. Pursuant to Article 108 § 1 LCA, this decision may be appealed to the Market Court within 30 days of its notification, with the Data Protection Authority as defendant. Hielke Hijmans President of the Litigation Chamber