Court of Cassation confirms: symbolic GDPR fine of 1 euro is possible

The Court of Cassation, in a ruling of Jan. 15, 2026 set an important precedent for GDPR enforcement in Belgium. The Court confirmed that the Market Court, as an appellate body, has the power to reduce administrative fines of the Data Protection Authority (DPA) to a symbolic euro. This ruling underscores that sanctions must be not only dissuasive, but above all proportionate to the specific circumstances.

The enforcement of the General Data Protection Regulation (GDPR) often leads to discussions about the amount of penalties. The DPA has the power to impose significant penalties, but this power is not unlimited. In this landmark case between SNCB and the DPA, the Court of Cassation ruled that a judge with full jurisdiction may replace an administrative fine with a symbolic sanction if the original fine is found to be disproportionate.

The facts and procedural context

The case has its origins in the corona crisis. In 2020, SNCB was given the government contract to distribute the ‘Hello Belgium Railpass’ (a free 12-ride ticket) to boost domestic tourism.

On October 13, 2020, SNCB sent an e-mail to holders of this pass with practical information, as well as links to tourist tips (“Rediscover more than 500 destinations”). The DPA Inspectorate found that this e-mail should be considered direct marketing for which there was no valid legal basis or consent, and that there was no possibility to object (opt-out).

The Litigation Chamber of the DPA, in a decision of May 4, 2022 (no. 71/2022) imposed an administrative fine of 10,000 euros. SNCB appealed this to the Market Court.

In a ruling of June 14, 2023, the Market Court confirmed that there had been infringements of the GDPR (including the lack of a proper legal basis for direct marketing) and ruled that the fine was disproportionate. Taking into account mitigating circumstances - such as the difficult context of the corona crisis, the fact that SNCB had sought advice from its Data Protection Officer (DPO), and the one-off nature of the breach - the Market Court reduced the fine to one symbolic euro.

The DPA disagreed and went to the Court of Cassation. The regulator argued that a symbolic fine does not meet the requirement of Article 83 GDPR that sanctions be “effective, proportionate and dissuasive”.

The decision of the Court of Cassation.

The Court of Cassation rejected the DPA's appeal and upheld the Market Court's ruling. The decision rests on two legal pillars:

1. Full jurisdiction of the Market Court

The Court confirms that the Market Court rules with full jurisdiction. This means that the court not only reviews whether the DPA followed the law and procedures (legality review), but may review the case on the merits. The judge may substitute his own decision for that of the DPA. If the Market Court finds that a fine is disproportionate, it may adjust and reduce that fine itself, without having to send the case back to the DPA.

2. Symbolic fine can be ‘effective and deterrent’

The Court of Cassation ruled that Article 83 GDPR does not preclude a regulator or court from imposing a fine of one euro. The mere fact that a fine is called ‘symbolic’ does not mean that it does not meet the requirements of the GDPR. Combined with the determination of the breach and procedural costs, a symbolic fine may well be sufficiently dissuasive and effective in specific cases.

Legal analysis and interpretation

This ruling is significant for the legal practice surrounding data protection in Belgium. Below we analyze the underlying legal principles.

The interpretation of Article 83 GDPR

Article 83.1 GDPR requires administrative fines to be “effective, proportionate and dissuasive in each individual case.” The DPA adopted a strict interpretation in which a financial ‘pain’ was deemed necessary for deterrence. However, the Court of Cassation adopted an approach more closely aligned with the principle of proportionality. The court must take into account all the circumstances of the case, as listed in Article 83.2 GDPR (nature, severity, duration, intent/negligence, measures taken, etc.) .

In this case, mitigating circumstances weighed heavily:

• Context: SNCB acted under pressure from a government order during a health crisis.
• Good faith: SNCB had sought prior advice from its DPO and tried (despite the erroneous outcome) to comply with the rules.
• No damage: No concrete harm to those involved was demonstrated.

Although there is debate whether a purely symbolic sanction is compatible with the European requirement of ‘effectiveness’ (as also touched upon in ECJ case law outside the GDPR context), the Court of Cassation here confirms the national sovereignty of courts to proportionate.

The confirmation that a symbolic euro is sufficient shows that ‘deterrence’ need not be purely financial. The moral condemnation and the finding of the violation by a court can already represent a significant reputational risk and thus a deterrent for a public institution or a reputable company.

The role of the judge versus the regulator

The ruling clarifies the power relationship between the DPA and the Market Court. The DPA argued that the court's own modification of the fine would violate the separation of powers. The Court rejected this: the legislator, through Article 78 GDPR and national legislation, deliberately chose an appeal procedure with full jurisdiction. This is an essential guarantee for the legal protection of citizens and companies against administrative arbitrariness.

What this specifically means

This ruling has tangible implications for businesses and governments dealing with the DPA.

• A symbolic fine is not an acquittal: The most important insight for corporate executives is that a €1 fine is still a formal conviction. The violation of the GDPR is thus legally fixed. This opens the door wide for compensation claims by citizens (based on Art. 82 GDPR). A civil court will consider the company's fault proven, which lowers the threshold for damages.
• Appeals pay off: Companies that have incurred a fine that they believe is disproportionate have a stronger argument in their hands with this ruling. The Market Court conducts its own thorough review of proportionality.
• Role of the DPO is crucial: The Market Court and the Court of Cassation attached importance to the fact that SNCB had consulted its DPO. Even if the advice or decision subsequently proves legally incorrect (such as the qualification of the e-mail), demonstrating an internal process and ‘goodwill’ can lead to a more lenient sanction. So always document your decision-making.
• Nuance in enforcement: In the future, the DPA may need to justify more carefully why a specific penalty amount is necessary for deterrence, especially for unintentional violations in a complex context.

Frequently Asked Questions (FAQ)

Does this ruling mean I can ignore email marketing rules because it only costs 1 euro anyway?
Absolutely not. The Market Court confirmed that the SNCB email did constitute unauthorized direct marketing. The 1 euro was an exception due to very specific circumstances (public contract, pandemic, good faith). Moreover: the 1 euro conviction means that your mistake is legally established. This makes you extremely vulnerable to mass claims or individual damages from affected parties, which could total much higher than the original fine. You still need a valid legal basis (such as consent) for commercial emails.

When is a symbolic fine likely to succeed?
A symbolic fine is the exception, not the rule. It is promising in situations where there is good faith, a first offense, a complex legal context (such as concurrence with a public contract), and where there was no intent to abuse.

Can the court also increase a fine from the DPA?
Theoretically, the Market Court has full jurisdiction, which means that it completely reassesses the case. In practice, however, an appeal is usually filed by the sanctioned party to reduce or set aside the fine.

Conclusion

The January 15, 2026 ruling is a victory for the principle of proportionality within data protection law. It confirms that the judge is a full controller of the DPA and that fines should be tailor-made, not automatic. For companies and public authorities in Belgium, this is an important signal: diligence and transparency are valued, even when there is a legal error.