APD/GBA (Belgium) - 53/2020

From GDPRhub
Revision as of 08:14, 17 September 2020 by 109.134.65.51 (talk) (→‎English Summary: added details from the decision and clarified where the email addresses originated.)
APD/GBA - DOS-2019-02974
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(a) GDPR
Article 5(1)(b) GDPR
Article 6(1) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 01.09.2020
Published: 01.09.2020
Fine: 5000 EUR
Parties: n/a
National Case Number/Name: DOS-2019-02974
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: BE DPA (in FR)
Initial Contributor: n/a

The Litigation Chamber of the Belgian DPA imposed a fine of € 5000 to a politician for sending unsolicited political email to the plaintiff, violating among others the purpose limitation principle.

English Summary

Facts

A mayor of a Belgian village sent unsollicited political emails using email addresses collected during his time as mayor. In this specific case it concerned emails a citizen sent to the mayor's office to complain in 2014. The mayor used these emails for his most recent election campaign.

Dispute

Can a politician reuse the emails collected during his time as mayor to send political campaign emails ?

Holding

The litigation chamber decided that the politician violated the purpose limitation principle and imposed a fine of € 5000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/13
Litigation Chamber
Decision on the merits 53/2020
September 1, 2020
File No.: DOS-2019-02974
Subject: Complaint due to the sending of an email of electoral propaganda
The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke
Hijmans, Chairman, and Messrs Frank de Smet and Christophe Boeraeve, members ;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and to the
free movement of such data, and repealing Directive 95/46/EC (General Regulation on the free movement of
data protection), hereinafter referred to as RGPD ;
Having regard to the law of 3 December 2017 creating the Data Protection Authority, hereinafter LCA ;
Having regard to the internal rules of procedure as approved by the House of Representatives on
December 20, 2018 and published in the Moniteur belge on January 15, 2019 ;
Having regard to the documents in the file ;
has taken the following decision concerning :
- the plaintiff ;
- the defendant: a politician.
1. Facts and procedure
Decision on the merits 53/2020 - 2/13
1. On May 25, 2019, the complainant filed a request for information with the
protection of data concerning the defendant's use of his e-mail address
received on May 22, 2019, sent on his behalf by his personal email for the sending of an electoral message received on
secretary. The complainant points out that he never gave his consent to the use of his address.
for this purpose by the defendant. The plaintiff also complains that this message was sent to
many recipients placed copies, which favoured the unsolicited distribution of his address
to these third parties.
2. The letter was worded as follows: "Ladies, Gentlemen, Dear friends, I
I am proud to be the [Xth] candidate of the [Y] list for our district [list of communes].
concerned .] May I be allowed to ask for your vote. A good result will allow me with
our team at the College and Provincial Council to be even more effective. I wish to put everything
to also support our local agents and their projects. ».
3. By letter dated July 2, 2019, the Data Protection Authority's Front-Line Service
invited the plaintiff to exercise his rights with the defendant, in this case, his right of opposition
to the processing of his personal data. At the same time, by letter dated July 2, 2019, the
the defendant to ask him, among other things, how he had obtained the information he needed.
the complainant's e-mail address, if he or she had filed a data leakage notification with ODA
and what steps have been taken to ensure that this type of incident does not happen again.
4. 4. From the responses that the respondent provided to the complainant and to the front-line service, he or she will
indicates that the complainant's email address was collected in connection with a request for information
addressed in March 2014 by the complainant to the secretariat of the mayor of the city of X. to report
a problem of public cleanliness. More specifically, it was an e-mail addressed to
"secretariat.bourgmestre@X.be " concerning a clandestine landfill site near the former
city walls for which the complainant requested the cleanup. On July 4, in his letter
Addressed to the Front Line Service, co-signed by the defendant's secretary
writes the following explanation concerning the collection of the disputed e-mail address: "The addresses
come from a "permanences" file organized by the defendant when he was mayor of the
city. The complainant is therefore included in the report for having, at one time or another, had contact with the city.
the defendant. "The Litigation Chamber cannot therefore follow the defendant in his explanations.
(July 2020) according to which the disputed e-mail address (and others) were collected
via e-mails addressed to him personally and not via an administrative or other service of the company.
the municipal administration.1 The Dispute Chamber understands that the data collected

1 The defendant sets out the facts as follows: "In addition to the answers I give in the form you will find
duly completed in the appendix, allow me to contradict a few elements contained in your letter: page 3- point 1 -
Decision on the merits 53/2020 - 3/13
by the mayor are not only the result of contacts of citizens with the city administration
but also, according to the defendant's statements, of emails addressed to him personally, which were
which was not the case with regard to the complainant's e-mail which was indeed collected via the secretariat
of the mayor.
5. With regard to the modus operandi for sending the disputed email, the defendant responded to the
questions from the Data Protection Authority by co-signing the following explanation provided by
the municipal employee who was his secretary when he was mayor:
"In fact, from my private messaging service, I sent an election advertisement for the defendant, in order to
to avoid using his professional messaging in his capacity as an MPP. [...] And this e-mail has
was sent spontaneously, omitting to put in CCI the recipients. There is therefore no
intention to misuse these addresses or harm anyone else. It is just a mistake of
manipulation that we regret. We have apologized to the complainant as you have
could read it".2
6. As a result of these responses, the complainant confirmed to ODA's Front-Line Service that he was willing to
that his request for information be forwarded as a complaint to the ODA Litigation Chamber,
by letters dated July 11 and 26, 2019. On August 6, 2019, the Front Line Service of the Authority of
The data protection authority declared the complaint admissible and forwarded it to the Litigation Chamber.
7. On August 25, 2019, the Litigation Chamber considered the file ready for processing.
as to the substance pursuant to articles 95 § 1, 1° and 98 LCA. On the same date, the Dispute Chamber
forwarded the complaint and exhibits to the defendant by registered letter and invited the parties to
argue their case according to a set timetable. The letter stated that "each of the parties is
to transmit its conclusions simultaneously to the secretariat of the Litigation Chamber and to
the other party".
8. By letter dated October 14, 2019, received October 18, 2019, the defendant states that it is
is at the disposal of the Litigation Chamber to be heard if the Chamber so wishes. The
in his brief letter, the defendant explains that he confirms "that the sending of the file to all of the
people was a simple handling error at the time of sending the document that was [sic]
individualized".

2nd paragraph - it is affirmed: "the defendant used in order to send electoral mail a list of citizens who have
been in contact with the commune for various questions". Answer: this statement is not correct. I had
of a file of persons who have contacted me personally and not an administrative or other service of
the municipal administration" (letter of the defendant of July 6, 2020 addressed to the Litigation Chamber by e-mail of July 7, 2020).
2020).
2 Letter from Respondent to ODA Frontline Service, July 4, 2019.
Decision on the merits 53/2020 - 4/13
9. The respondent also states that it "sought the advice of an expert in the new
legislation "to help him coach his team" in order to avoid any future mistakes by the
like". The defendant states that the question of what precautions should be taken with
e-mail addresses that people have not spontaneously transmitted, is still under analysis. The
the defendant concluded that he thought he was entitled to contact the persons who had given him their
address, and that he is now aware that this is "obviously not so obvious".
10. In an email dated November 7, 2019, the plaintiff introduced his arguments such as the calendar
of conclusion invited him to do so. On that occasion, the complainant reported that he had not received the findings of the
the elements of his complaint, and asks to retain as an aggravating circumstance the following
that the denounced violations were committed by a politician in the exercise of his mandate.
11. The Litigation Chamber resumed the case by written procedure on July 3, 2020 and adopted the following decision
a draft decision. On the same day, the Litigation Chamber communicated by e-mail to the defendant
the amount of the fine envisaged against it, as well as a list of the breaches observed at the
RGPD and justifying this amount. In particular, the Chamber found that the Respondent did not submit
its findings to the complainant. The defendant was invited, by the same e-mail, to put forward its pleas in law.
defence to the amount of the proposed fine. In this communication, the Chamber
The litigator stressed that the debates on the merits were closed. The Litigation Chamber received
the defendant's reply by email on July 7, 2020 (completed fine form and letter).
dated July 6, 2020).
2. Violations of the GDMP
12. The defendant in his capacity as burgomaster at the time of the collection of the e-mail address
concerned, is the person responsible for processing the personal data file that he or she has
constituted from the data of citizens addressing his secretariat and/or himself
personally for various requests. It is his responsibility to ensure that the data
have been processed on an appropriate legal basis and in compliance with the law.
strictly the principles set out in the RGPD. It is also responsible for
appropriate technical and organizational measures to ensure, in particular, that the data does not
will not be further processed for a purpose that is incompatible with the purpose for which they were
were initially collected and processed (Articles 5.1(f), 6.4 and 32 of the GDMP). From the documents provided, it appears that
by the defendant himself that he was a mayor at the time the disputed e-mail address was
collected (email to "secretariat.bourgmestre@....be"). The Dispute Chamber takes note 
Decision on the merits 53/2020 - 5/13
the fact that the defendant was no longer mayor at the time the disputed email was sent3. For
the part of the data collected from emails sent to the secretariat of the mayor, the Chamber
the defendant has therefore personally processed data collected as a result of the litigation.
that mayor, at the very least, the email of the complainant.
13. On the basis of these elements of the file, the Litigation Chamber considers that it is established
that the defendant used to send out election mailings a list of citizens who were in
contact with the commune of which the defendant was then mayor, for various questions related to
to its function as a public representative, and that the personal data collected in this context would have
had to be processed with the strict purpose of answering questions asked by citizens.
14. In his capacity as data controller, the defendant is obliged to comply with the principles of the law.
protection of data and must be able to demonstrate compliance (principle of data protection).
of liability - section 5.2. of the GDMP). It must also implement all measures to ensure that
necessary for this purpose (Article 24 of the GDMP).
15. The purpose principle is an angular principle of data protection. Dedicated from
1981 to Article 5 b) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
of the Council of Europe (ETS 108), it is set out at
Article 6.1.b) of Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995
relating to the protection of individuals with regard to the processing of personal data
and the free circulation of this data as well as in article 4 § 1, 2° of the Law of December 8, 2009.
1992 relating to the protection of privacy with regard to the processing of personal data
personal. When the right to data protection is enshrined as a fundamental right
by Article 8 of the Charter of Fundamental Rights of the European Union in 2000, the principle of
purpose has been stated as a key element of this right4. This principle has, logically, been taken up again at
Article 5.1(b) of the GDPR under the Principles for the Processing of Personal Data
(Chapter II).
16. Article 5.1(b) of the GDMP provides that :
« 1. Personal data must be : (...) (b) collected for the following purposes
and legitimate, and not to be further processed in a particular, explicit and legitimate manner, and not to be
incompatible with these purposes; further processing for archival purposes in the interest of
public, for the purposes of scientific or historical research or for statistical purposes is not

3 Letter of the Respondent to the Litigation Chamber of July 6, 2020.
4 Article 8 of the Charter of Fundamental Rights of the European Union: 1 Everyone has the right to data protection.
of a personal nature concerning it. 
Decision on the merits 53/2020 - 6/13
considered in accordance with Article 89(1) as incompatible with the purposes of
initials" (limitation of purposes). »
17. 17. Personal data may not be further processed in a way that is contrary to the law.
incompatible with their collection purpose (section 5.1.b. of the GDGR)5. Further processing of data
personal data for purposes other than the one(s) for which they were collected.
initially collected is permitted only if such further processing is compatible with the purposes for which it was collected.
for which the personal data were initially collected, taking into account the link
between the purposes for which they were collected and the purposes of further processing
considered, also taking into account the framework in which the personal data were considered, and the
collected, the possible consequences of the envisaged further processing for the data subject
and the existence of appropriate guarantees.
18. A compatible purpose is, for example, a purpose that the data subject can foresee
or that can be considered compatible by virtue of a legal provision (see Article 6.4. of the
RGPD). Based on the criteria in section 6.4 of the EDR: there is no link between the two.
purposes of processing, and the contexts of data collection are totally foreign, one of the most important
concerning the management of the commune in the treatment of the answers to the questions of the citizens,
the other that of the relations between an elector and a candidate for an elective mandate. This incompatibility
is further evidenced by the fact that the applicable law allows candidates in elections to have access to
to a voters' list specially dedicated to the realization of their campaign.
19. Any subsequent incompatible use is prohibited with two exceptions provided for in Article
6.4. of the RGPD. Where the data subject has given his consent to further processing in order to
a distinct purpose or where the processing operation is based on a legal provision which constitutes an
necessary and proportionate measure in a democratic society, in particular to ensure the guarantee of
important purposes in the public interest, the data controller has the possibility of processing
subsequently these personal data for other purposes, whether or not they are compatible with the purpose for which they were collected.
or not with the initial purposes. In this case, the defendant may not base his subsequent treatment
of data neither on the consent of the persons concerned nor on a legal basis under Belgian law
or European Union as a necessary and proportionate measure in a democratic society for
ensure the objectives set out in section 23.1 of the MDR (section 6.4 of the MDR).

5 Article 5(1)(b) of the GDPMR states that "personal data must be : (...) b) collected for the purpose of
legitimate, explicit and specified purposes, and not to be further processed in a manner inconsistent with those purposes.
purposes". See the explanations on this principle of finality in the decision of the Litigation Chamber 11/2019 of November 25.
2019.
Decision on the merits 53/2020 - 7/13
20. The purpose of advertising/electoral propaganda is not a further purpose of processing
data compatible with the original purpose of collecting data from citizens in the context of
evoked. In its note "Elections" published in the early 2000s on its website and put in
Updated following the implementation of the DPGR6
the Data Protection Authority mentions
that :
"However, political parties and their candidates in an election may be tempted to have
use of personal data collected in the context of other processing operations
whose primary purpose had nothing to do with electoral propaganda. This is true as well
for data retrieved from public sector files (such as the National Registry, the
data from public service personnel files, a list of people assisted by
a CPAS, data obtained in the exercise of an alderman's mandate, ...) that
for data from private sector files (company customer files, list of
members of an association, ...)".
21. The note goes on to state: "From this point of view, it is therefore not permitted to reuse the
personal data recorded in the above-mentioned files for propaganda purposes
election. Such processing is incompatible with the purposes for which the data were collected.
initially harvested, which is punishable under section 83.5 of the GDMP".
22. With respect to the prohibition on the re-use of election propaganda data for electioneering purposes, the
obtained in the exercise of an alderman's or burgomaster's mandate, the Chamber shall
also refers to the explanations provided on this subject in its decision on the merits of the case.
11/2019 of November 25, 20197. The Litigation Chamber also emphasizes that the reuse by
a burgomaster of personal data collected in the course of his duties for the purposes of
incompatible, is such as to undermine the foundations of democracy and equality between the
candidates.
23. Under these conditions and on the basis of all the preceding elements, the Chamber of Deputies shall
Litigation considers that the defendant, according to its own statements, processed data to
personal character of the citizens of his commune, and in particular those of the complainant, in violation of
section 5.1.b of the MDR (purpose limitation) of the MDR and section 6 of the MDR (lawfulness of the
treatment). The Litigation Chamber also finds a violation of articles 25.1 and 25.2 of the

6 Processing of personal data for the purposes of personalized election propaganda and respect for life
privacy of citizens: fundamental principles, https://www.autoriteprotectiondonnees.be/publications/note-juridique-sur-leselections.pdf. 7 See
https://www.autoriteprotectiondonnees.be/citoyen/chercher?q=&search_category%5B%5D=taxonomy%3Apublications&sear
ch_type%5B%5D=decision&search_subtype%5B%5D=taxonomy%3Adispute_chamber_substance_decisions&s=recent&l=25
(DEDF11-2019), pp. 5-6. 
Decision on the merits 53/2020 - 8/13
RGPD, under which it is the responsibility of the data controller to implement the measures
appropriate technical and organizational measures to ensure that, by default, only the data to be used for the
personal data which are necessary for each specific purpose of the processing are
treated.
24. With regard to the sending of an email where all recipients are visible, the Chamber
the defendant does not contest the facts and declares that the person acting as defendant does not contest the facts.
under its authority made an error in the processing of the personal data of the
The complainant "by failing to put in TCC the addressees "8 . Whether or not there was an error in the
manipulation, the Contentious Chamber considers that there has been a violation of articles 32.1 and 32.4 of the RGPD9
and that these facts constitute a breach of security within the meaning of section 4.12 of the GDPR, such that
denounced by the complainant in his complaint. The Litigation Chamber recalls that it is also responsible for
the data controller to implement technical and organizational measures
appropriate to ensure that, by default, only the data necessary for the purposes of
each specific purpose, including from the point of view of their accessibility (s. 25.2 of the GDGR). The
Chambre contentieuse also recalls that it is the responsibility of the controller to notify
such data breaches to the competent authority when the conditions for the application of Article
33 of the RGPD are gathered together. In this case, no such notification has been introduced, which constitutes
also an infringement of the GDMP.
25. In summary, in light of the inspection report and taking into account the Respondent's findings,
the Litigation Chamber establishes the following violations of the GDR :
- Violation of articles 5.1.a, 5.1.b) and 6.1 of the RGPD, given that by sending the disputed email,
the defendant processed the plaintiff's personal data without a legal basis and in
violation of the purpose for which these data were collected by the Secretariat of the
mayor (answer his questions).
- Violation of sections 25.1 and 25.2 of the MPR, which require the person responsible to
processing to implement the appropriate technical and organizational measures to
guarantee that, by default, only the personal data that are necessary to the
with regard to each specific purpose of the treatment are processed.
- Violation of articles 32.1 and 32.4 of the RGPD, since a person acting under
the defendant's authority has sent the plaintiff's email contact information to third parties, in the context of
of an e-mail where all the recipients were visible. Violation of article 33 of the RGPD being
given that this data leak was not notified to the DPA.

8 Letter from Respondent to ODA Frontline Service, July 4, 2019.
9 In the same sense, see the decision of the Litigation Chamber ANO 2/2019 of April 2, 2019, see
https://www.autoriteprotectiondonnees.be/citoyen/chercher?q=&search_category%5B%5D=taxonomy%3Apublications&sear
ch_type%5B%5D=decision&search_subtype%5B%5D=taxonomy%3Adispute_chamber_substance_decisions&s=recent&l=2.
Decision on the merits 53/2020 - 9/13
3. Corrective action
26. The Litigation Chamber has already had the opportunity to rule on cases of unlawful treatment
of data for electoral purposes in the following cases : Decision 11-2019 of November 25, 2019;
Decision 10-2019 of November 25, 2019; Decision 04/2019 of May 28, 2019 and Decision 30/2020 of November 8, 2019; Decision 10-2019 of November 25, 2019; Decision 04/2019 of May 28, 2019 and Decision 30/2020 of May 8, 2019.
June 202010.
27. In these four cases, the Litigation Chamber imposed administrative fines,
in particular for non-compliance with the principle of finality, enshrined in article 5.1.b of the GDMP. These were
in these cases, the unlawful further processing for electoral purposes of data of a personal nature for the
personal data collected (at least with regard to the e-mail address at issue on 22 May 2019)
within the framework of the exercise of communal competences. The present case is part of this
jurisprudence.
28. The Litigation Chamber considers that the breaches it has identified (infra, § 22)
justify the imposition of administrative fines in accordance with articles 100, 13° and 101 of the ACL
as well as 83 of the DPGR, and this taking into account the following.
29. First, the nature and seriousness of the breaches are taken into account (section 83, 1,
(a) of the DPGR). Indeed, breaches of Articles 5.1.b (inconsistent subsequent treatment),5.1.a
(lawfulness) and 6.1 of the GDPMR (unlawful processing) identified in this Decision constitute
breaches of the fundamental principles of data protection. These include
violations for which the maximum fine amounts are the highest (Section 83.5 of the
RGPD).
30. Second, the Litigation Chamber considers that the quality of the defendant, at the time
of the data collection, namely that of the mayor, and subsequently the quality of
the time the litigious e-mail was sent11 , constitutes an aggravating circumstance at the time of the sending of the litigious e-mail.
under section 83.2.k. In view of this role played by the defendant in public life, he could
legitimately be expected to take the greatest care not to reuse data for personal use.
collected through the secretariat of the city of which he had been mayor, and conduct an election campaign.

10 Available on the ODA website under the publications tab "Decisions of the Litigation Chamber",
https://www.autoriteprotectiondonnees.be/citoyen/publications/decisions.
11 The Litigation Chamber notes the clarification made by the defendant in his letter of 6 July 2020 to the Chamber
that he was no longer mayor at the time the disputed email was sent. The contentious Chamber notes
information available to him, the defendant was at the time a member of the provincial legislature, a position he held until he was elected to the House of Commons.
is still occupied in July 2019. The Litigation Chamber relies on public information available on the
province represented by the defendant where the defendant's CV is described. In July 2019 and July 2020, the defendant signed its
Letters to the Litigation Chamber as a Member of the Legislative Assembly of the province he or she represents.
Decision on the merits 53/2020 - 10/13
in compliance with all applicable rules and, in this case, with the rules for the protection of
data.
31. Finally, the Litigation Chamber takes note of the fact that the defendant exposes his good
willingness to implement the DPGR, in that it states that it "sought the advice of an expert in the
new legislation "to help him coach his team" in order to avoid any new mistakes in the future.
of the kind" (see § 9 above). The Litigation Chamber cannot take into account the entry into force of the
of the DPGR as a mitigating circumstance, as the observed violations of the purpose and principles of the
lawfulness are not new elements in data protection legislation.
personal. In its note on "Elections" published in the early 2000s on the website of
the DPA and updated following the entry into force of the DPR12, the Data Protection Authority
already mentioned the ban on reusing data extracted from the
public sector (such as the National Registry, data from the
list of people assisted by a CPAS, data obtained from the public health care system, a list of
the exercise of an alderman's mandate, ...) or data from private sector files (client file of a
company, list of members of an association, ...)".
32. These principles already formed the cornerstone of the Parliament Directive 95/46/EC
European Parliament and Council of October 24, 1995 (art. 6.1.b and art. 6.1.a and 7), which the RGPD replaced. It
The same applies to the obligation to implement organizational and security measures.
under the old Directive (art. 17), which has been strengthened and clarified in the GDMP in article
32 in particular.
33. The Litigation Chamber further notes that according to the facts transmitted to it, the
failed to communicate its findings to the plaintiff, or at least to reserve the right to make the
proof that such a communication has been made (recommended or proof of sending an email). The mail
the Litigation Chamber on September 25, 2019 indicated in a registered letter addressed to the defendant by the
Each of the parties is required to submit its conclusions simultaneously.
to the secretariat of the Litigation Chamber and to the other party". However, the plaintiff pointed out that he had not
not received the conclusions of the defendant, who is therefore in default of at least providing proof of
its full cooperation in this procedure. However, the defendant did receive the letter
of September 25, 2019 inviting it to conclude by October 25, 2019 at the latest, and to forward
its conclusions simultaneously to the other party. The defendant has acknowledged receipt of this letter.
by letter dated October 14, 201913. The Litigation Chamber cannot therefore follow the defendant in

12 Processing of personal data for the purposes of personalized election propaganda and respect for life
Citizen privacy: fundamental principles, https://www.autoriteprotectiondonnees.be/publications/note-juridique-sur-leselections.pdf.
13 The Litigation Chamber did send this registered letter dated 30-09 to the defendant's business address.
Decision on the merits 53/2020 - 11/13
the statement that "I have never been asked or even advised to send in any
conclusions to the complainant. The registered letter of the Litigation Chamber also offered the following
the possibility for the defendant to ask for a copy of the file of exhibits, in which he could have reread
his own statements to ensure the consistency of his own defence, which he did not do.
34. 34. The defendant did not follow the procedure communicated to him by registered mail.
and by email. His response that he had not been informed of the obligation to send
conclusions to the complainant is contrary to the facts. The Litigation Chamber is of the opinion that by this
omission and erroneous denials of facts, the defendant did not provide full cooperation in the
procedure, which constitutes an aggravating circumstance.
35. In his reply to the form of reaction to a proposed fine, the defendant shall
argues mainly that the sending of this mail is the result of an error of its view of
handling. In this respect, the Litigation Chamber recalls that such a mistake of manipulation, the
if applicable, constitutes a security breach and as such a data breach within the meaning of Article
4.12 of the DP Regs that result in the defendant's liability for implementation
adequate safety measures to avoid such errors (see § 20 above). The
The Litigation Chamber notes, however, that there is no evidence in the file that the infringement would have been
committed deliberately, on the instructions of the defendant. The Litigation Chamber therefore holds that
the non-deliberate nature of the infringement as a mitigating circumstance.
36. The defendant's arguments do not change the fact that the personal data
of the complainant and of all persons included in the "permanence" file were unlawfully
processed, namely all persons calling on the mayor's secretariat (see above, §.
5).
37. Lastly, as regards the amount of the fine, the Litigation Chamber adopts the same criteria as for the
those set out above to withhold the amount of EUR 5,000 in order to deter the defendant from repeating
such failures.
38. With regard to the amount, the defendant points out that the amount of the fine seems to him
disproportionate in view of the fact that, in his opinion, it is a handling error which would not have been
brought no benefit. In this respect, the Litigation Chamber has no information at its disposal that could
to reasonably assess the extent to which the processing of the data in the file
Whether or not "permanence" positively influenced the outcome of the elections. The House

14 Letter of the Respondent to the Litigation Chamber of July 6, 2020.
Decision on the merits 53/2020 - 12/13
cannot, therefore, accept this element put forward by the defendant as a circumstance that is not in dispute.
mitigating factor within the meaning of section 83.2.k of the DP Regs.
39. Concerning the financial means, the defendant reports financial difficulties following a
litigation in which he won and which caused him to incur significant legal costs again.
undischarged. The Respondent points out that the amount claimed today by the Litigation Chamber
would only add to these difficulties. The defendant does not, however, bring any element of a nature to
statements, and does not propose to be at the disposal of the Litigation Chamber to
this topic. The plaintiff bears the burden of proof for the elements he or she puts forward in response to the
fine form. At this stage of the procedure, the Dispute Chamber decides not to reopen the case.
debates on this point.
40. The contentious Chamber retains the quality of the defendant at the time of the facts (mayor, mayor of the town).
then MLA), as an aggravating circumstance in the present case (see supra, § 5 and 30).
Indeed, it is incumbent on every public agent to adopt exemplary conduct, including in relation to
concerns the respect of the legislation regarding the protection of personal data.
41. For these reasons, the Litigation Chamber considers that it is appropriate to maintain the amount of
the envisaged fine of EUR 5,000.
42. In view of the importance of transparency with regard to the decision making process
and the decisions of the Litigation Chamber, this decision will be published on the Authority's website
data protection by deletion of directly identifying data of the parties
and the persons mentioned, whether they are individuals or legal entities.
BY THESE REASONS,
THE LITIGATION CHAMBER,
Decides, after deliberation, to impose on the controller a fine of EUR 5,000 on the
based on articles 100, 13° and 101 of the LCA and 83 of the RGPD, for all breaches of the law.
(b) for failure to comply with section 5.1(b) of the MDR, and for failure to comply with section 5.1(a) of the MDR.
and 5.1(b), 6.1, 25.1 and 25.2, 32.1 and 32.4 of the MDR read together.
Decision on the merits 53/2020 - 13/13
This decision may be appealed against within thirty days from the date of the decision.
notification, to the Market Court15 (article 108, § 1 of the LCA), with the Autorité de protection des
given as a defendant.
(Sé.) Hielke Hijmans
President of the Litigation Chamber

15 The Court of Appeal of Brussels.