The GDPR is applicable to all
Written by Konstantinos Kakavoulis
At the end of May, the Belgian Authority for the Protection of Personal Data [“L’Autorité de protection des données” (APD)] imposed a fine for violating the provisions of the General Data Protection Regulation (“GDPR”) for the first time.
You want probably to stop reading this article. If you hear the amount of the fine, you will probably stop immediately: just 2.000 euros.
However, this decision is very interesting. That’s because the Belgian Personal Data Protection Authority imposed this fine on a mayor!
The mayor had sent 2 emails to two city residents about his campaign. The two citizens had sent firstly e-mail to the mayor, in which they analyzed their idea of a project in their city. The mayor one day before the local elections responded to the emails of the two citizens by sending them his political campaign.
The Belgian Authority considered that the use of the e-mail addresses of the two citizens was abusive and imposed a fine.
“Public officials are the first to comply with the law. A mayor is expected and must know the legislation and comply with it.”
As noted by Hielke Hijmans, the President of the Belgian Authority, “the use of personal data by politicians for electoral purposes is an important issue for citizens. Public servants are the first to comply with the law. A mayor is expected and must know the legislation and comply with it. “
Personal data “are collected for specified, explicit and legitimate purposes and are not further processed in a manner incompatible with these purposes” (Article 5 (b) GDPR).
In this case, the mayor had received the email addresses of the two citizens for a very specific purpose. But he chose to use them for a completely different purpose. This behavior is a violation of the GDPR. Indeed, it is particularly interesting that the Belgian Authority has focused its attention on the provisions of the GDPR and not on national legislation on electronic communications.
So what did the Belgian authorities say with this decision?
That privacy is everyone’s responsibility!
The obligation to protect and correctly process personal data is not only for companies and organizations. Public servants and public officials also have a serious responsibility. They must realize that personal data that they have gathered in the exercise of public authority can not in any way be used for personal gain.
Clearly, we already knew from the scope of the GDPR that public officials also have to comply with the rules. However, this is the first time that a national authority enforces it in practice.
As the national elections are approaching at our country and we still have memories of pre-electoral messages from candidates in the municipal elections and the European elections, we expect to see if the candidates will take into account the personal data of the citizens as a worth-protecting element.
In any case, if you feel that your personal data are being violated by candidates in the upcoming elections, you can file a direct and free complaint with the Greek Data Protection Authority. In fact, the Greek Authority has recently published its decision on a similar case in which it imposed a fine of 2,000 euros to a candidate for a Member of the European Parliament.