X (Data Subject) – €1,000 Fine (Belgium, 2026)

On 28 August 2022, the data subject (X), complained to the French Data Protection Authority (DPA), the CNIL against the Data Controller (NGO Foundation Y) for failing to respond to a data erasure request as provided inder article 17 GDPR. On 15 March 2023, the CNIL initiated a procedure to identify the lead supervisory authority (LSA), as provided under Article 56 GDPR and the Belgian DPA, the APD, declared itself LSA. On 24 April 2023, both parties are informed to submit arguments to the case, none are received by the LSA. On the 7 July 2025 the APD’s Contentious Chamber schedules a hearing for 30 October 2025, neither party attended the hearing. On 3 November 2025, the Chamber transmits their oral process to the parties. On 7 November 2025, the Controller requests a copy of the case file which is transmitted on 14 November 2025. On the same day, the Controller informs the Chamber that it deleted the Data Subject’s personal data and submits proof to that extent. On 27 January 2026, the Chamber informs the Controller of its intention to impose an administrative fine against them. On 11 February 2026, the Chamber receives the Controller’s response to the administrative fine, claiming the Controller received the Chamber’s emails whilst on holiday or in periods of absence and they did not receive the Data Subject’s email as it did not go through official channels. Additionally, the Controller specifies they took immediate action once they took notice of the case at hand and argued the fine would create undue hardship for a non-profit organisation with no employees. On 18 February 2026, the Chamber requests the Controller to submit their 2025 financials. By 23 March, 2026 the Chamber did not receive a response. * Resolution of the underlying erasure complaint: The LSA recognises on 14 November 2025, the Controller did delete the Data Subject’s personal data which resolved that aspect of the case. * Violation of Article 31 GDPR and subsequent administrative fine calcu