Joris DeeneA public mandate comes with great responsibility, especially in the area of data protection. A decision of the Data Protection Authority (DPA) of 10 October 2025 (No. 163/2025) sheds light on a sensitive question: may a mayor use the municipality's official contact information to advertise a personal, commercial project? The answer is an unequivocal no. The DPA rruled that this constitutes unlawful processing of personal data in violation of the General Data Protection Regulation (GDPR) .
The facts: an invitation with a double agenda
The case revolved around a mayor who used the e-mail addresses of hundreds of internal employees, external contacts and citizens to send an invitation to the presentation of his new book. This invitation was sent from his official municipal email address.
Although the mayor argued that the book translated his administrative vision and framed it within the public interest to inform citizens, the DPA established a different purpose. The invitation and the book were directly linked to a new, private, and commercial project by the mayor, complete with its own website, coaching services, and even a recently established company. Thus, the focus was not on the general interest of the municipality, but on the mayor's commercial interests as a private person.
The decision of the Litigation Chamber
The DPA Litigation Chamber ruled that both the mayor and the municipality were at fault, albeit on different grounds.
1. The mayor as a separate 'data controller'
This is the legal crux of the matter. The DPA argued that in sending this particular email, the mayor was not acting as an "employee" of the municipality, but as a separate data controller. Why? Because he himself determined the purpose of the data processing (direct marketing for his book) and deployed the means (the municipality's email environment).
This distinction is important: because he acted as a separate entity, he could not hide behind the legal grounds that the municipality had for collecting and using that contact information.
2. No valid legal basis for direct marketing
The municipality collected contact information for its public interest tasks, such as communication with citizens and internal operations. Sending a commercial invitation is incompatible with this.
The mayor therefore needed his own new legal basis for his direct marketing campaign. According to the ePrivacy Directive, converted into the Belgian Code of Economic Law, the sending of direct marketing via e-mail generally requires the prior consent of the recipient. The Mayor could not demonstrate that he had such valid consent. Consequently, the processing was unlawful.
3. The municipality and the role of the DPO
The municipality was also reprimanded. The DPA found that the municipality's Data Protection Officer (DPO) also held a full-time position as a communications expert. As a result, the DPO did not have sufficient time to properly perform its statutory duties. The municipality thus violated its duty to provide the DPO with the necessary resources, including time.
Legal analysis and interpretation
This decision is a textbook example of the GDPR principle of purpose limitation (Article 5.1.b GDPR). Personal data may only be collected for specified, explicit and legitimate purposes. They may not be further processed in a way that is incompatible with those original purposes. The DPA applied the compatibility test from Article 6.4 of the GDPR and concluded that the mayor's private, commercial purpose was completely incompatible with the public purposes of the municipality.
In addition, the ruling emphasizes the importance of correctly identifying the controller (Article 4.7 GDPR). Whoever determines the "why" (purpose) and the "how" (means) of a processing operation bears ultimate responsibility. By pursuing his own ends, the mayor stepped out of his role as an organ of the municipality and became the controller himself, with all the obligations that entails. This is an important warning for any mandatary or official who has access to public databases.
Finally, for the municipality, the reprimand underscores the strategic importance of the DPO. A DPO without sufficient time and resources is a paper tiger. The DPA makes it clear that it considers this a priority and strictly monitors the effective and independent performance of this function within government agencies.
What this specifically means
- For government mandataries: There is a strict and impenetrable separation between your public function and any private (commercial) activities. Using government databases or resources for personal purposes is a serious violation of the GDPR and can lead to sanctions.
- For government agencies: Have a clear and strict internal policy on the use of contact information. Ensure that your DPO is not only appointed, but effectively has the resources (including time) and independence to properly perform his or her oversight and advisory function.
- For citizens and employees: You may not simply receive commercial messages from a public agency or mandate holder based on contact information you have provided in a public context. If this does happen, you may file a complaint with the Data Protection Authority.
FAQ (frequently asked questions)
What is the difference between the municipality and the mayor as a data controller?
The controller is the entity that determines the purpose and means of data processing. For the normal operation of the municipality, the municipality itself is the controller. In this particular case, however, the mayor determined his own, personal purpose (promotion for his book), which made him personally responsible for that particular action.
Would the mayor have been allowed to send the email if the book had been free?
Probably not. Although the presence of a sale price emphasizes the commercial nature, the analysis revolves around the purpose of the processing. Even with a free book, the purpose would still be the promotion of a private project, which is incompatible with the public tasks for which the data was collected.
What can I do if I receive a similar unsolicited email from a politician?
If you suspect that your data is being used unlawfully, you can take several steps. You can exercise your rights and ask the sender where they got your data and ask them to delete your data. If you receive no response or an unsatisfactory response, you can file a complaint with the Data Protection Authority.
Conclusion
This decision draws a clear red line: public databases serve the public interest, not private commercial agendas. The ruling reminds every mandatary in Belgium of the strict separation between their public role and personal interests. For government organizations, it is a wake-up call to take seriously and safeguard the position of their DPO.
Dutch 
English