A general contractor may share buyers' contact information with subcontractors if it is compatible with the original purpose for which the data was collected, such as coordination of construction work. However, passing on an entire list of residents when the subcontractor only needs the details of a few residents is a clear violation of the principle of minimal data processing under the General Data Protection Regulation (GDPR). Such a breach can result in a sanction, such as a formal reprimand by the Data Protection Authority (DPA).
The facts
During the realization of a new construction project involving a large real estate complex, the principal provided the general contractor with a list of all residents' contact information. The purpose of this was to enable subcontractors to make direct appointments with the buyers to discuss their comments on the construction work.
Due to significant delays in construction work, an urgent situation arose around connecting the homes to the cable television network. To complete these works, the general contractor forwarded the complete list of residents to a telecommunications company's technical subcontractor. The telecommunications company then inadvertently forwarded this list to its commercial subcontractor, who was in charge of telephone canvassing.
This led to the residents receiving unsolicited monthly telephone calls for direct marketing. One of the owners subsequently filed a complaint with the Data Protection Authority against the general contractor, the telecommunications company, the principal and the commercial subcontractor.
The decision of the DPA
The Litigation Chamber of the DPA ruled on Feb. 16, 2026 (No. 32/2026) about several alleged violations of the GDPR.
Regarding the general contractor, the DPA ruled:
- Passing on the list for utility connections served a purpose other than merely “discussing comments”.
- However, this transfer was compatible with the original purpose since it was a direct and foreseeable consequence of the coordination of work. Thus, no new ground of legitimacy was required.
- However, the general contractor shared the details of all 271 residents, while the technical subcontractor only had to intervene in two homes.
- This constitutes a violation of the principle of minimal data processing (Article 5.1.c GDPR). The DPA imposed a reprimand for this, taking into account mitigating circumstances such as the high urgency of the works.
As for the telecommunications company, the DPA decided:
- The wrongful transfer to the commercial subcontractor was human error and qualifies as a personal data breach.
- The company had taken sufficient appropriate technical and organizational measures in advance (such as training and codes of conduct) and acted correctly after the discovery of the leak.
- Consequently, all grievances against the telecommunications company were dismissed. The complaints against the principal and the commercial subcontractor were also dismissed.
Legal analysis and interpretation
This decision aptly illustrates the delicate balance between the operational realities on a construction site and the strict requirements of the GDPR.
First, the DPA affirms a pragmatic interpretation of the principle of purpose limitation (Article 5.1.b GDPR) and the compatibility test (Article 6.4 GDPR). The shift from collecting data to ‘discuss comments’ to using it for ‘organizing practical connection work’ is considered compatible, given the role of the general contractor as coordinator. This saves companies the burden of having to seek new consent or a new legal basis for each operational intermediate step.
However, the decision draws a hard line at the principle of minimal data processing (Article 5.1.c GDPR). Even operational urgency, such as the impending postponement of utility works that would leave residents without television or Internet, does not relieve a data controller of the duty to filter data. Forwarding an entire database “just to be sure” is a classic pitfall in the construction industry that inevitably leads to non-compliance.
In addition, the telecommunications company's assessment is crucial to the interpretation of accountability and data security (Articles 5.1.f and 24.1 GDPR). The DPA explicitly recognizes that security requirements are a best effort commitment. A human error leading to a data breach (misdirecting an email) does not automatically equate to a lack of appropriate technical and organizational measures, provided the company can demonstrate that robust policies (training, contractual safeguards, prompt risk assessment and response) are in place.
What this specifically means
This judgement has practical implications for various actors in the supply chain:
- For construction promoters and general contractors: You may share buyers' contact information with subcontractors for performance and coordination of work. However, you must be strictly vigilant about what data you share. Always ask specifically which addresses require intervention and only share the details of those specific residents. Providing a "pass-through" list is out of the question.
- For (sub)contractors and installers: Limit your requests for information to what is strictly necessary for your intervention. If you do not specify what data you need, you put the general contractor in a quandary regarding the GDPR.
- For larger enterprises (such as telecom): This case proves the tremendous value of internal compliance processes. Make sure your employees are trained, that your “Supplier Code of Conduct” is in place, and that you take immediate action when an incident occurs (even if the risk is low). This can save you from heavy administrative fines when an employee makes a mistake.
Frequently asked questions (FAQ)
What exactly does the principle of minimal data processing entail?
This principle from the GDPR states that you may only request and process personal data that is absolutely necessary, relevant and sufficient for the purpose you wish to achieve. In practice, this means, for example, that you may not forward a list of 200 people if you only need to contact 2.
Can a company be fined if an employee accidentally causes a data breach?
Not necessarily. The legislation imposes a best effort obligation on companies. If a company can demonstrate that it has provided adequate security measures, training and internal instructions, human error is not automatically considered a structural breach of the company's security obligation.
May subcontractors use obtained customer data for advertising?
No. Data obtained for the performance of a contract (such as construction work) may not simply be used for direct marketing or commercial prospecting. Employees and subcontractors may only process data on behalf of and in accordance with the instructions of the controller.
Conclusion
Sharing customer and resident data in a chain of contractors and subcontractors is a daily necessity, but carries significant risks. Although the Data Protection Authority takes a pragmatic approach to the purposes of data processing on a worksite, it takes strict action when an unnecessary amount of personal data is shared. At the same time, this decision shows that in Belgium, a strong internal data protection culture effectively protects companies from penalties for human error.



