GDPR

Receiving unsolicited political e-mail: why is the DPA dismissing my complaint?

Joris Deene
2 weeks ago
145 views
6 minutes reading time

You receive unsolicited political advertising via e-mail. You file a complaint with the Data Protection Authority (DPA), but to your surprise, the case is dismissed. A decision by the DPA of 20 October 2025 (No. 172/2025) illustrates why this can happen: if you cannot sufficiently prove who effectively sent the e-mail, and the alleged sender denies any involvement, the DPA may dismiss the complaint for lack of evidence and disproportionate investigative resources.

The facts: a complaint about political propaganda

The case begins when a citizen receives an unsolicited e-mail containing political propaganda on June 7, 2024. A day later, the citizen replies that he never gave permission to be on the mailing list and announces that he will file a complaint with the DPA. This happens on June 29, 2024.

The DPA initiates proceedings and on Jan. 21, 2025, requests more information from the respondent (the politician whose name was attached to the email). The defendant initially does not respond. Only months later, after a new notification, does the defendant respond.

Her defense is clear:

  • She does not understand the complaint.
  • The e-mail address that sent the propaganda does not belong to her and she does not use it.
  • She never sent the communication in question and has no connection to it.

The decision: classification without consequence

The Litigation Chamber of the DPA decides to dismiss the complaint, or "file without action".

This is not a technical dismissal (e.g., because the complaint was incomplete), but an opportunity dismissal. The DPA has ruled that, although there may be elements that indicate an infringement, it is not appropriate to investigate the matter further.

The crux of the motivation is that the DPA has insufficient evidence to establish that the respondent is actually the source of the unsolicited e-mail. The DPA notes that:

  1. The complaint does not contain sufficient details or evidence to establish a violation of the General Data Protection Regulation (GDPR) .
  2. The case does not appear to have a high social or personal impact.
  3. The defendant denies any involvement.
  4. The e-mail address with which the defendant did communicate with the DPA is different from the address that sent the spam.

Legal analysis and interpretation

This decision exposes a pain point in GDPR enforcement: the burden of proof and identification of the controller.

The data controller is the person or organization that decides why and how data are processed (in this case, who decided to send the propaganda email). The DPA can only sanction this person or organization.

The legal stumbling block here is not so much whether sending unsolicited mail constitutes an infringement, but rather who the perpetrator is. The complainant points to the politician, but the politician denies in no uncertain terms. The DPA is stuck: it cannot prove which of the two is telling the truth without launching a thorough technical investigation.

This is where the DPA applies its own dismissal policy . It notes that an in-depth investigation (e.g., IP address tracing) would require "significant resources." These resources the DPA finds "disproportionate" to the importance of the complaint.

In essence, the time-honored legal principle applies: actori incumbit probatio (the burden of proof is on the one who asserts). The plaintiff could not sufficiently substantiate that the defendant was the perpetrator, and the DPA was unwilling to expend disproportionate resources to pursue this further.

What this specifically means

  • For citizens receiving spam: Filing a complaint with the DPA is your right, but it does not guarantee a sanction. Provide as much evidence as possible. A simple 'forward' of the e-mail is often insufficient. Keep the complete e-mail, including the technical 'headers' (source code), from which the transmission path (IP addresses) can possibly be deduced. Be aware that if the (alleged) sender simply denies, your case can become very difficult.
  • For politicians and organizations (the alleged senders): This ruling shows that you can defend yourself against false accusations. If your name or e-mail address is misused ("spoofing"), it is crucial to deny it clearly and with reasons to the DPA. A credible denial may suffice if the complainant's evidence is weak. This also highlights the importance of proactively securing your own systems to prevent data leaks or misuse of your name.

Frequently asked questions (FAQ)

What is an "opportunity dismissal" by the DPA?
This is a decision by the Litigation Chamber not to pursue a complaint even though there may be evidence of a violation. This may occur if the complaint contains insufficient evidence, if the case has too low a social or personal impact, or if further investigation would require disproportionate resources from the DPA.

What can I do if the DPA dismisses my complaint?
A dismissal decision of the Litigation Chamber is in principle subject to appeal. You may lodge an appeal with the Market Court (part of the Brussels Court of Appeal) within thirty days of notification of the decision.

Above all, what do I need to prove when I complain about spam?
In addition to proving that you received the communication without authorization, it is crucial to provide as many elements as possible that help prove who actually sent the mail. After all, the DPA must be able to identify the data controller (the perpetrator) in order to impose a penalty.

Conclusion

This decision by the Data Protection Authority illustrates the harsh reality of legal enforcement in a digital context. A clear violation of data protection law (unsolicited political e-mail) does not automatically lead to a sanction. The burden of proof in Belgium lies with the complainant, and the DPA makes a pragmatic trade-off between the seriousness of the case and the resources needed for an investigation. Without conclusive proof of who the perpetrator is, the complaint is not pursued further.

Are you dealing with a complex case involving the GDPR, unsolicited communications or a complaint to the Data Protection Authority? Our attorneys specializing in privacy and data protection law are ready to analyze your case and defend your rights. Feel free to contact us for an initial consultation.

Also read our blogs:
May a politician send me unsolicited election emails?
May a politician use my e-mail address for election advertising?
Can a mayor use the municipality's contact list for his private project?

Joris Deene

Attorney-partner at Everest Attorneys

View all posts

You might also like this

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics