When a municipal official looks into the National Register out of personal curiosity or without a valid reason, not only is the official at fault, but often the municipality itself. According to a decision of the Data Protection Authority (DPA) of 19 November 2025 (No. 188/2025), the municipal government remains the ‘data controller’. It violates the General Data Protection Regulation (GDPR) when it has insufficient monitoring systems to detect such abuse, even if the employee ignored strict instructions.
The facts: unlawful peeks by officials
This case revolves around a citizen's complaint against a municipality over two incidents in which officials unlawfully sought access to personal data in the National Register.
The facts played out in December 2019:
- Incident 1: A population service official accessed the records of the complainant's mother for purely private purposes.
- Incident 2: Another official looked at the complainant's identity photo to verify who he was dealing with, purely out of “caution” because the complainant had sent an e-mail from an address with his deceased father's name.
The municipality admitted the facts and initiated disciplinary proceedings against the officials involved. However, the municipality argued that it could not itself be held liable. According to the municipal board, the officials had overstepped their bounds and should be considered individually responsible.
The decision: municipality remains ultimately responsible
The DPA's Litigation Chamber did not follow this reasoning: it ruled that the municipality was and remains the data controller responsible for data security, even in the case of misuse by staff.
The DPA identified two violations of the GDPR:
- Breach of the accountability principle (Art. 5.2 GDPR): The municipality could not show that it had taken sufficient measures to secure the use of the National Register.
- Lack of appropriate measures (Art. 24.1 GDPR): At the time, the municipality did not have an adequate control system. The software system (SAPHIR) allowed officials to provide only a generic reason (such as “population”) for a search, making targeted control impossible.
Although the officials had signed a confidentiality clause, this was not enough to exonerate the municipality, according to the DPA. The municipality was reprimanded.
Legal analysis and interpretation
This ruling confirms a strict interpretation of the concept of ‘data controller’ within public administrations.
1. The employer as ‘data controller’ (Art. 4.7 GDPR)
A crucial legal point in this decision is the rejection of the argument that the municipality is entirely released from liability when an employee exceeds their authority. The DPA states that as long as the employee acts within the context of the means provided by the employer (access to the National Register through municipal software), the employer remains responsible for determining the purposes and means of the processing in general. Nuance: The DPA does note that for the specific wrongful act (the private search), the officials themselves should be considered data controllers, because they determined the purpose of that search themselves, outside their job duties. However, this does not relieve the municipality of its own liability for the lack of adequate security and control.
2. The obligation of active control (Art. 17 National Register Act)
The decision emphasizes that, given the sensitivity of the data of 11 million citizens, access to the National Register requires a strict framework. Merely having officials sign a ‘policy’ is insufficient; administrations must comply with the traceability requirement. Article 17 of the National Register Act requires that each consultation be logged with a specific reason (finality). A system that allows the use of vague terms (such as “population” or “internal use”) does not meet the legal requirements, because it precludes any verification of finality.
3. No administrative fine for governments
Although the infringement is serious, the DPA imposes a reprimand and not a fine. The Litigation Chamber reiterates here its position that the Belgian legislator does not allow (for the time being) the imposition of administrative fines on public authorities for infringements committed in the exercise of their public duties.
What this specifically means for your organization
This ruling has direct implications for citizens, employees and public administrations alike.
- For public administrations (Municipalities, PCSWs, Police zones): Auditing your log system is crucial. Can you find out why an official opened a specific file? If your software allows you to leave fields blank or select generic reasons, you are in violation. You should conduct periodic audits (e.g., quarterly) of log files. A mere confidentiality statement in the employment contract does not absolve you of liability.
- For civil servants and employees: This decision does not mean you are off the hook. In this case, the officials involved were subject to disciplinary sanctions (warning/disciplinary penalty). Moreover, the DPA ruled that they could also be considered individual data controllers for their particular breach, although in this case the proceedings were only brought against the municipality.
- For citizens: You have the right to know who viewed your data. If you suspect that an official or police officer accessed your data privately (e.g., an ex-partner, a neighbor), you can file a complaint. The government must be able to justify who had access and why.
Frequently Asked Questions (FAQ)
Can a municipality be fined by the DPA?
No, not for its core functions as a public authority. Article 221, §2 of the Personal Data Processing Act stipulates that the administrative fines under the GDPR do not apply to public authorities and their appointees. However, there is one exception: legal persons under public law who offer goods or services on a market can be fined. For purely administrative tasks, such as the management of the National Register, the immunity from fines does apply (although other sanctions such as a reprimand remain possible).
Is the DPO (Data Protection Officer) responsible for the error?
No. In this case, the DPA explicitly ruled that the DPO has an advisory and monitoring role, but does not determine the purposes and means of processing. Even if the DPO was involved in the defense, the municipality as an organization remains ultimately responsible for GDPR violations.
What should be in the National Register log?
Article 17 of the National Register Act is very strict. The register must contain not only the date, time and identity of the user, but also the data consulted, the method of consultation (reading or modification) and the specific purpose (finality) of the consultation. Moreover, this register must be kept for at least 10 years.
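As an added example (not code from the ruling, the municipality or the SAPHIR software it mentions), the following Python script performs the kind of periodic log audit recommended above for administrations: it checks constructed consultation-log entries for the Article 17 fields just listed and flags the blank or generic reasons (“population”, “internal use”) the DPA found inadequate. The CSV layout, field names and sample entries are assumptions made for the example.

```python
"""Audit of National Register consultation log entries (constructed example).

Each entry must carry the Article 17 fields: date/time, user identity, data
consulted, operation (read or modify) and a specific finality. Entries whose
reason is blank or a generic label are reported, since they make verification
of finality impossible.
"""
import csv
import io
from dataclasses import dataclass, field

# Generic labels the decision found inadequate as a stated finality.
GENERIC_REASONS = {"population", "internal use"}
# Assumed column names; the real SAPHIR log format is not described on the page.
REQUIRED_FIELDS = ("timestamp", "user_id", "data_consulted", "operation", "reason")
VALID_OPERATIONS = {"read", "modify"}


@dataclass
class Finding:
    line_no: int
    user_id: str
    problems: list[str] = field(default_factory=list)


def audit_log(log_text: str) -> list[Finding]:
    """Return one Finding per log entry that fails the completeness or finality check."""
    findings = []
    reader = csv.DictReader(io.StringIO(log_text))
    for line_no, row in enumerate(reader, start=2):  # header occupies line 1
        problems = []
        for name in REQUIRED_FIELDS:
            if not (row.get(name) or "").strip():
                problems.append(f"missing {name}")
        if (row.get("operation") or "").strip().lower() not in VALID_OPERATIONS:
            problems.append("operation must be read or modify")
        reason = (row.get("reason") or "").strip().lower()
        if reason in GENERIC_REASONS:
            problems.append(f"generic reason {reason!r} does not identify finality")
        if problems:
            findings.append(Finding(line_no, row.get("user_id") or "", problems))
    return findings


# Constructed sample log: clerk_b used the generic "population" label the
# decision criticised; clerk_d left the reason blank. The other entries pass.
SAMPLE_LOG = """timestamp,user_id,data_consulted,operation,reason
2019-12-02T09:14:00,clerk_a,address,read,Address certificate request file 2019/4471
2019-12-03T16:42:00,clerk_b,full_record,read,population
2019-12-05T11:05:00,clerk_c,address,modify,Change of residence declaration 2019/4502
2019-12-09T08:30:00,clerk_d,identity_photo,read,
"""

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"line {f.line_no} ({f.user_id}): " + "; ".join(f.problems))
```

In practice the same check would run against exported logs on a fixed schedule (the page suggests quarterly), with each flagged entry followed up by the person who can confirm the underlying file.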
Conclusion
This ruling is a stark warning to any organization in Belgium with access to sensitive government databases. Relying on employee common sense is not enough; there is an active requirement for technical monitoring and logging.