On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.
Some of the key takeaways from the Recommendation include:
- Definition. The Belgian DPA defines direct marketing as “any communication, in any form, whether solicited or not, which aims at promoting an organization, a person, services or products (whether free or not), a brand or ideas, originating from an organization or a person acting in a commercial or non-commercial context and addressed directly to one or more natural persons in a private or professional context, that involves the processing of personal data.” Importantly, the Recommendation clarifies that advertising banners, which randomly appear on the Internet, do not fall within the definition of direct marketing. Targeted online advertising, such as banners that are tailored to users’ browsing history, does qualify as direct marketing.
- Purchase, Rental and Enrichment of Personal Data. Purchasing, renting and enriching personal data—for example, via data brokers—are highlighted as activities that require specific attention. In these scenarios, it is important to (directly) provide appropriate information to data subjects or to ensure that appropriate information has been provided to them. The Belgian DPA also emphasizes that it is the data controller’s responsibility to verify, before the data processing takes place, the origin of the data and how the data was collected (including on the basis of which legal ground it was collected, by which entity, for which purpose and for how long).
- Processing Purposes. Determining and specifying the purposes for which personal data will be processed is essential. Generally, the Belgian DPA considers that merely stating that personal data will be processed for direct marketing purposes is not sufficient in light of Article 13 of the General Data Protection Regulation (“GDPR”). The Belgian DPA also stresses that information around the processing of personal data must be fairly provided; it is unfair, for example, to state that personal data will be processed for product or service improvement purposes while it will actually be processed for direct marketing purposes. In addition, the data controller should provide clear information about any further processing of the data. According to the Belgian DPA, the level of detail that must be provided to data subjects will depend on the type, frequency and the content of the marketing communications that will be sent, and the complexity of the related data processing activities.
- Data Processing Activities. The Belgian DPA indicates that data processing activities, such as profiling, should be differentiated from processing purposes.
- Data Minimization and Storage Limitation. Companies must ensure that they only collect personal data that is necessary for the processing purpose(s). To that end, the Belgian DPA recommends companies limit open fields in data collection forms and review their databases on a regular basis to delete any unnecessary data. The DPA also recommends implementing a process to ensure that “Do Not Call” lists are taken into account when reviewing databases where marketing data is stored.
- Lawfulness. A valid legal basis must be relied upon for all data processing activities. Under the ePrivacy Directive, consent is required to send electronic marketing communications unless a business can rely on the so-called “existing customer” exemption, which enables companies to send electronic marketing about their own similar products and services to existing customers if certain conditions are met. Outside of the scope of the ePrivacy Directive, companies must assess which of the legal bases of Article 6 of the GDPR is the most suitable option to legitimize their processing of personal data for marketing purposes. Pursuant to Recital 47 of the GDPR, the processing of personal data for marketing purposes may be regarded as carried out for a company’s legitimate interests. In that case, a balancing test must be conducted, taking into account the necessity of the data processing, individuals’ reasonable expectations, the types of personal data collected and processed, and the means of the processing.
- Consent. When relying on consent for direct marketing activities, companies must ensure that the conditions for valid consent under the GDPR are met (i.e., consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the data processing). The Recommendation mentions that companies can use techniques other than tick boxes to collect consent, in order to avoid consent “fatigue.” Companies cannot condition the provision of a product or service on consent to personal data processing that is not necessary for the performance of a contract. A consent form must also be specific with respect to the content of the marketing communication and the means used—for example, separate consent must be collected for SMS marketing and telephone marketing. Additionally, consent must be regularly updated, demonstrable and easy to withdraw.
- Individuals’ Rights. The Belgian DPA notes that when an individual withdraws their consent to the processing of their personal data, there is no longer a valid legal basis to process such data, unless personal data must be kept to comply with a legal obligation. This means that if the individual withdraws their consent and there is no alternative legal ground, the personal data should be deleted (regardless of whether the individual exercises their deletion rights). In that scenario, companies may, for example, send an automatic notification to the individual stating that their personal data will be deleted from the company’s database as a result of the consent withdrawal. The same principle applies where individuals object to the processing of their personal data on the basis of the legitimate interest ground.