X (Data Subject) – €1,000 Fine (Belgium, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Belgian NGO was fined for not responding to a person's request to erase their personal data. The organization claimed it had not received the request properly but was still held accountable. This case serves as a reminder for organizations to have clear processes for handling data requests.
What happened
A Belgian NGO failed to respond to a person's request to erase their personal data.
Who was affected
A person who requested the erasure of their personal data from the NGO.
What the authority found
The authority decided to impose a €1,000 fine on the NGO for not addressing the erasure request in a timely manner.
Why this matters
This case highlights the importance of having effective procedures for managing data requests. Organizations should ensure they are responsive to such requests to avoid penalties.
Original data from scraper before AI verification against source document.
On 28 August 2022, a data subject lodged a complaint with the French DPA against an NGO (the controller), concerning an alleged failure to respond to an erasure request. On 15 March 2023, the French DPA initiated a procedure to identify the lead supervisory authority, in accordance with Article 56 GDPR. The Belgian DPA declared itself the lead supervisory authority.
On 24 April 2023, both parties were informed of the deadlines for submitting written submissions. No submissions were filed by either party. On 7 July 2025, the DPA scheduled a hearing for 30 October 2025, but neither party attended. On 7 November 2025, the controller requested a copy of the case file, which was sent on 14 November 2025. On the same day, the controller informed the DPA that it had erased the data subject’s personal data and provided proof.
On 27 January 2026, the DPA informed the controller of its intention to impose an administrative fine against it. On 11 February 2026, the controller responded that it had not effectively received the registered letters or postal notices, as they had arrived during holiday or absence periods. It also claimed that it had not become aware of the erasure request earlier because the data subject had not used the official channel. The controller further stated that it had acted immediately after becoming aware of the case and argued that even a €1,000 fine would constitute a significant burden for a non-profit organisation with no employees. On 18 February 2026, the DPA asked the controller to submit its 2025 financial documents. By 23 March 2026, the DPA had not received a response.
* Resolution of the underlying erasure complaint: The DPA noted that, on 14 November 2025, the controller had erased the data subject’s personal data and therefore considered the erasure-related matter resolved.
* Violation of Article 31 GDPR and subsequent administrative fine calculation: However, the DPA found a violation of Article 31 GDPR. The controller had failed to a
Related Enforcement Actions (0)
No other enforcement actions found for X (Data Subject) in BE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 April 2026
Authority
Autorité de Protection des Données
Fine Amount
€1,000
GDPRhub ID
gdprhub-9977
About this data
Cite as: Cookie Fines. X (Data Subject) - Belgium (2026). Retrieved from cookiefines.eu