GDPR cooperation obligation: does missing mail from the DPA lead to a fine?

The duty to cooperate (Article 31 General Data Protection Regulation - GDPR) requires every data controller to actively cooperate with the Data Protection Authority. In its Decision on the merits 94/2026 of April 28, 2026 the Litigation Chamber made clear that missing official mail - even due to vacations or poor internal organization - is no excuse and can result in an administrative fine. In this case, a non-profit organization was fined €1,000 for not responding to registered letters and not appearing at the hearing. The message is clear: anyone processing personal data must ensure a working channel for official communication.

The facts: a cross-border complaint about an erasure request

On August 28, 2022, a natural person filed a complaint with the French regulator CNIL. He blamed a Belgian foundation for failing to act on his request to erase his personal data (Article 17 GDPR).

Because the processing was cross-border, on March 15, 2023, CNIL initiated the procedure provided for in Article 56 GDPR to designate the lead supervisor. The Belgian Data Protection Authority declared itself competent as the lead authority.

On April 24, 2023, the Litigation Chamber notified both parties by registered mail of the proceedings and the deadlines to file briefs (Articles 95, § 2 and 99 Data Protection Act - DPA). Neither party responded. The Litigation Chamber summoned the parties for a hearing on Oct. 30, 2025; this summons also went unheeded.

Only after receiving the transcript of the hearing did the foundation respond on November 14, 2025. It erased the complainant's records that day and provided evidence of this. As an explanation for its silence, it argued that registered mail had arrived during vacation or absence periods, resulting in inadequate mail handling.

The duty to cooperate under Article 31 GDPR

Article 31 GDPR provides that “the controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks."

The Litigation Chamber qualifies the failure to appear at the hearing as a violation of that duty of cooperation. The reasoning is remarkable: the filing of briefs remains a free choice (an exercise of the right of defense), but when the Litigation Chamber calls an ex officio hearing under Article 95 DPA, it is because it needs additional information. Therefore, failure to appear at such an ex officio summons is not a passive exercise of the right of defense, but a violation of an active obligation.

The Litigation Chamber finds that a controller must ensure an organization that allows to effectively receive and respond to official communications by mail or e-mail. Failure to take note of the content of those communications qualifies as negligence within the meaning of Article 83.2(b) GDPR.

For the original main complaint - the erasure request - the Litigation Chamber ruled that the breach should be considered resolved. Indeed, the data were deleted, albeit with a long delay, on November 14, 2025. The Litigation Chamber does remind, however, that the data controller must answer such a request in principle within one month (Article 12.3 GDPR).

Legal analysis and interpretation

Negligence suffices since Deutsche Wohnen

An important element in the justification is the explicit reference to the Court of Justice's Deutsche Wohnen ruling. That ruling stated that a GDPR fine can be imposed as soon as the data controller acts negligently; intent is not a requirement (ECJ December 5, 2023, C-807/21, ECLI:EU:C:2023:950, “Deutsche Wohnen”).

The Litigation Chamber now applies this principle strictly to a procedural default. The fact that the foundation had not actually opened the registered mailings does not relieve it of its obligations. A data controller has its own, organizational duty to be accessible through the communication channels it uses or publicly discloses. Thus, the threshold for culpability is deliberately low.

Penalty calculation according to EDPB guidelines.

The penalty calculation strictly follows the European Data Protection Board guidelines 04/2022. The Litigation Chamber qualifies the breach as of minor gravity and sets the starting amount at 5% of the statutory maximum (Article 83.4(a) GDPR, being 10 million euros), yielding 500,000 euros.

Because the annual turnover is below EUR 2 million, it applies the correction from point 65 of the Guidelines: the starting amount is reduced to 0.3% of it, or EUR 1,500. Two mitigating circumstances - the data were eventually deleted and it was a first complaint - reduce the amount by another 500 euros, to finally 1,000 euros. The calculation illustrates how the EDPB's scale adjustments nuance the statutory caps to the financial realities of small entities, but without neutralizing the violation.

No profit motive is not a free pass

The Litigation Chamber expressly did not consider the social purpose of the foundation. The foundation argued that it had no staff, did not pursue a profit motive and was in financial difficulties, and argued for a mere admonition under recital 148 GDPR.

Crucial to the judgment was that the foundation had not provided recent accounting documents to substantiate its alleged financial vulnerability - despite an explicit request to do so on Feb. 18, 2026. The last known balance sheet figure was from 2010 (turnover 106,665 euros) and was then just taken as the calculation basis. So anyone who wants to have the proportionality discussion must be able to put current figures on the table.

What this specifically means for your organization

For data controllers

Establish a conclusive procedure for incoming official mail - even during vacation periods. Schedule replacements, use vacation automation and set up a central channel for correspondence from supervisors. Process requests to exercise rights (inspection, erasure, rectification...) within one month, even when submitted through an unofficial channel. And always respond to a summons from the Litigation Chamber: failure to appear is punished separately, regardless of the fate of the main complaint.

For non-profits and small organizations

The GDPR does not distinguish between for-profit and non-profit processing controllers. A non-profit organization or foundation must implement the same organizational safeguards as a commercial enterprise. Invoking financial weakness only works if you can present recent financial statements that objectively substantiate the precarious situation; a mere assertion is not enough.

For data subjects exercising their rights

A complaint through the Data Protection Authority remains effective even when the other party is silent. The Litigation Chamber enforces the exercise of the right to data erasure even years after the original facts. The lengthy proceedings in this case do show that such a course of action requires patience.

Frequently Asked Questions

What is the duty to cooperate under the GDPR?
Article 31 GDPR requires every controller and processor to cooperate with the Data Protection Authority upon request. This includes responding to letters, filing briefs when requested, and being present at hearings at which the Litigation Chamber summons you. It is an autonomous obligation: a breach triggers a separate sanction from the substantive complaint.

Can a nonprofit or foundation face a GDPR fine?
Yes. The GDPR does not distinguish between for-profit and non-profit processing controllers. The Litigation Chamber does take into account annual turnover when determining the penalty amount - for entities with turnover below €2 million, it applies specific scale adjustments. However, invoking financial weakness only works if you present recent financial statements that objectively substantiate the precarious situation.

What if I miss a letter from the DPA due to vacation?
Vacations or staff shortages do not constitute a valid excuse. The Litigation Chamber considers failure to take notice of official communications to be an organizational failure and qualifies it as negligence within the meaning of Article 83.2.b) GDPR. You are obliged to organize your mail and e-mail handling so that official communications reach you in a timely manner and are answered - even during periods of absence.

Conclusion

This decision confirms that the duty to cooperate in the GDPR is an autonomous obligation separate from the substantive breach. A data controller in Belgium that does not have its organizational outreach in order risks a separate fine - even in cases of minor severity and even without profit. For small entities, the amount remains limited, but the signal is clear: ignoring official communications from the regulator will not go unpunished, and the threshold for culpable negligence has been low since the Deutsche Wohnen ruling.