May a politician send me unsolicited election emails?

You open your mailbox and find an e-mail from a politician asking you to vote for him or her. You do not remember ever subscribing to his or her newsletter. Is this allowed? No, the unsolicited use of your personal data for election propaganda violates the General Data Protection Regulation (GDPR). Data collected for a specific purpose should not be used for any other incompatible purpose - such as an election campaign.

In a decision of 22 September 2025 (no. 151/2025), the Data Protection Authority (DPA) once again brought this principle into sharp focus and reprimanded a politician for illegally sending election emails.

The facts: an unwanted election email

A citizen received an e-mail on June 5, 2024, from a politician as part of his election campaign. The citizen, suspecting that his data was being used unlawfully, immediately exercised his right of access. He asked the politician where his data came from, for what purpose it was used, and exactly what data was in his possession.

The response was unsatisfactory. The politician initially claimed that the e-mail had been sent by mistake. After insistence came a vague explanation: the data had "perhaps" been obtained at an event and was being used for "general communication." Not content with this, the citizen filed a complaint with the Data Protection Authority.

The politician defended himself by arguing that there was human error: an employee had accidentally used the wrong contact list, causing 5,000 people to mistakenly receive the email. This qualified as a "data leak," which the politician said would suspend normal GDPR obligations.

The decision of the Data Protection Authority

The Litigation Chamber of the DPA did not follow the politician's reasoning and found multiple violations of the GDPR.

Infringement 1: Unlawful processing and abuse of purpose limitation

The crux of the matter revolves around two fundamental principles of the GDPR:

1. Legality (Art. 5.1.a and 6.1 GDPR): Any processing of personal data requires a valid legal basis, such as unambiguous consent. The politician himself admitted that he had no consent from the complainant.
2. Purpose limitation (Art. 5.1.b GDPR): Personal data may only be collected for "specified, explicit and legitimate purposes." The plaintiff's data had been collected as part of activities of a political incubator, not for the politician's election campaign in any other capacity. Using these data for election propaganda was a novel, incompatible purpose.

The Litigation Chamber ruled that the politician had violated both principles.

Breach 2: Lack of transparency and duty of disclosure

The politician's website included a link to a privacy statement. However, this link led to the political party's general privacy statement, and not to a specific statement that described the politician's own processing operations. As a result, citizens were not adequately informed about what happened to their data, in violation of the transparency obligation.

Infringement 3: Violation of the right of access.

When a citizen exercises their right of acess, the data controller must provide clear and complete information. The politician's answers - "perhaps obtained at an event" and "for general communication" - were too vague and incomplete. This constituted a violation of Article 15 of the GDPR.

The DPA ultimately imposed a reprimand, a formal warning. No fine was imposed because the violations were inadvertent and the politician had taken corrective measures in the meantime, such as taking GDPR training.

Legal analysis and interpretation

This decision is an important reminder of the strict application of the GDPR, even in a political context. The defendant's attempt to frame the facts as a “data breach” in order to circumvent fundamental obligations is rightly dismissed by the Litigation Chamber. A data breach is a security breach and does not relieve the data controller of its obligation to have a valid legal basis and respect the purpose limitation principle at all times.

Crucial is the concept of the data controller. A politician may act in different capacities: as a city council member, as the initiator of a think tank, or as a parliamentary candidate. For each of these roles, he may be a separate data controller. Databases built in one capacity cannot simply be transferred and used in another capacity. This would completely erode the principle of purpose limitation.

By the way, this is not the first time the GDPR has looked into the use of e-mail addresses by politicians. Another recent case, which we analyzed here, was about collecting publicly available e-mail addresses for an election campaign.

What this specifically means

• For citizens: You have a right to know where your data comes from and why it is being used. Vague answers are not enough. You can always exercise your right of access, rectification or data erasure. In the event of an unsatisfactory answer, you can complain to the Data Protection Authority.
• For politicians and political parties: Be extremely careful with contact lists. "Human error" is not a valid excuse for ignoring the GDPR. Have strictly separated databases based on the capacity and purpose for which the data was collected. A contact obtained through your tenure as an alderman is not automatically a contact for your federal election campaign. Transparency is essential: make sure you have an accurate and specific privacy statement that covers your own processing.

Frequently asked questions (FAQ)

What should I do if I receive an unwanted political e-mail?
You can contact the sender and exercise your right of access. Ask explicitly about the source of your data and the legal basis for the processing. Also ask for your data to be deleted. If you receive no response or an inadequate response, you may file a complaint with the DPA.

Is human error a valid defense to a GDPR breach?
No, human error can explain the breach, but does not remove the responsibility of the data controller. Organizations and individuals processing data must take appropriate technical and organizational measures to prevent such errors. However, it may play a role in determining penalties (e.g., a reprimand instead of a fine).

May a politician use my e-mail address if I have made it public online?
Not just like that. Just because an e-mail address is publicly available does not mean there is an implied permission to use it for any purpose. Direct marketing, including election advertising via e-mail, generally requires your prior, explicit consent.

Conclusion

The Data Protection Authority ruling confirms that the rules of the GDPR apply in full to political campaigns. The collection of personal data creates a responsibility. Data must be used only for the specific purpose for which it was obtained and with respect for citizens' rights, including the right to clear and complete information.