The Belgian Data Protection Authority (https://www.dataprotectionauthority.be/) has issued its first fine!
Summary of what occurred:
A mayor sent an e-mail with election propaganda to two residents of his town. The mayor received these e-mail addresses through an application for building permit. The residents filed a complaint to the Authority because their personal data was used in violation with the GDPR principle of “purpose limitation” and “lawfulness of processing”.  The major received a fine of 2000 euro.
Check if your company is not in violation with the GDPR to avoid above issues:
- You have clearly identified your purposes for processing
- You have documented those purposes
- You included the necessary details of your purposes in your privacy statement
- You regularly review your processing and, where necessary, update your documentation and your privacy statement
- If you plan to use personal data for a new purpose, check that this is compatible with your original purpose or request specific consent from the data subject for the new purpose
If you have any questions about data protection or information security, don’t hesitate to contact us by email firstname.lastname@example.org or telephone +32 3 449 57 51.
You can subscribe to the RSM IT Advisory newsletter on this link: https://www.rsm.global/belgium/preferences-form
The full decision of the Authority is available in Dutch: https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/BETG_04_2019_nl.pdf
 Violated articles:
PURPOSE LIMITATION (Article 5.1.b) GDPR)
Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.
LAWFULLNESS OF PROCESSING (Article 6.4 GDPR)
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account:
(a) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or pseudonymisation.