Legitimate purpose
On September 1st, the Belgian Data Protection Authority (DPA) has imposed a fine of € 5000 on a private individual for illicit use of personal data (D 53/2020). The individual is a member of parlement (MP) who has used private e-mail addresses in his possession to solicit votes in an election campaign. The e-mail addresses were obtained by the MP during his previous activities as burgomaster.
In its decision, the DPA analyzes the factual elements of the case and repeats the key principles of the GDPR i.e. that data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The DPA considers that said fundamental principles have been breached in the case under consideration, confirming its jurisprudence in similar past cases (D 04/2019, D 10/2019, D 11/2019 and D 30/2020).
When determining the amount of the fine, the DPA explains that it takes into account the severity of the breach (considered as high in present case), the incriminating factor that the offender is expected to act as a role model (being a public figure), and his lack of cooperation in the investigation process. As attenuating factor, the DPA acknowledges that there was no deliberate intention to breach the law. The full text of the decision can be found here.
Acceleration of enforcement actions
It is expected that the number of enforcement actions will increase in the near future towards both private individuals and companies. Although the amount of the fines are somehow limited so far, this could rapidly change as evidenced by the fine of € 600.000 imposed by the Belgian DPA on Google Belgium for breach of the right to be forgotten. This is the highest fine ever imposed by the DPA who wanted to make an example, as it explained in its decision (D 37/2020).