On February 10, 2020, the Belgian Data Protection Authority (the “Belgian DPA”) published its Recommendation 1/2020 on data processing activities for direct marketing purposes (the “Recommendation”). With this Recommendation, the Belgian DPA aims to clarify the complex rules relating to the processing of personal data for direct marketing purposes, including by providing practical examples and guidelines to the different stakeholders involved in direct marketing activities. Direct marketing is one of the Belgian DPA’s top priorities for the next few years, as indicated in its 2019-2025 Strategic Plan.

Some of the key takeaways from the Recommendation include:

  • Definition. The Belgian DPA defines direct marketing as “any communication, in any form, whether solicited or not, which aims at promoting an organization, a person, services or products (whether free or not), a brand or ideas, originating from an organization or a person acting in a commercial or non-commercial context and addressed directly to one or more natural persons in a private or professional context, that involves the processing of personal data.” Importantly, the Recommendation clarifies that advertising banners, which randomly appear on the Internet, do not fall within the definition of direct marketing. Targeted online advertising, such as banners that are tailored to users’ browsing history, does qualify as direct marketing.
  • Purchase, Rental and Enrichment of Personal Data. Purchasing, renting and enriching personal data—for example, via data brokers—are highlighted as activities that require specific attention. In these scenarios, it is important to (directly) provide appropriate information to data subjects or to ensure that appropriate information has been provided to them. The Belgian DPA also emphasizes that it is the data controller’s responsibility to verify, before the data processing takes place, the origin of the data and how data was collected (including on the basis of which legal ground it was collected, by which entity, for which purpose and for how long).
  • Processing Purposes. Determining and specifying the purposes for which personal data will be processed is essential. Generally, the Belgian DPA considers that merely stating that personal data will be processed for direct marketing purposes is not sufficient in light of Article 13 of the General Data Protection Regulation (“GDPR”). The Belgian DPA also stresses that information around the processing of personal data must be fairly provided; it is unfair, for example, to state that personal data will be processed for product or service improvement purposes while it will actually be processed for direct marketing purposes. In addition, the data controller should provide clear information about any further processing of the data. According to the Belgian DPA, the level of detail that must be provided to data subjects will depend on the type, frequency and the content of the marketing communications that will be sent, and the complexity of the related data processing activities.
  • Data Processing Activities. The Belgian DPA indicates that data processing activities, such as profiling, should be differentiated from processing purposes.
  • Data Minimization and Storage Limitation. Companies must ensure that they only collect personal data that is necessary for the processing purpose(s). To that end, the Belgian DPA recommends companies limit open fields in data collection forms and review their databases on a regular basis to delete any unnecessary data. The DPA also recommends implementing a process to ensure that “Do Not Call” lists are taken into account when reviewing databases where marketing data is stored.
  • Lawfulness. A valid legal basis must be relied upon for all data processing activities. Under the ePrivacy Directive, consent is required to send electronic marketing communications unless a business can rely on the so-called “existing customer” exemption, which enables companies to send electronic marketing about their own similar products and services to existing customers if certain conditions are met. Outside of the scope of the ePrivacy Directive, companies must assess which of the legal bases of Article 6 of the GDPR is the most suitable option to legitimize their processing of personal data for marketing purposes. Pursuant to Recital 47 of the GDPR, the processing of personal data for marketing purposes may be regarded as carried out for a company’s legitimate interests. In that case, a balancing test must be conducted, taking into account the necessity of the data processing, individuals’ reasonable expectations, the types of personal data collected and processed, and the means of the processing.
  • Right to Object. Individuals must be offered a right to object, at any time and easily, without having to take additional steps and free of charge, to the processing of their personal data for direct marketing purposes. This includes a right to object to any profiling that is related to such direct marketing. Clear and concise information must be provided about the right to object. According to the Belgian DPA, simply including an “Unsubscribe” button in small characters at the end of a marketing email, along with a link to the data controller’s privacy policy, is not sufficient. Where technically feasible, the Belgian DPA recommends allowing individuals to granularly select the marketing activities for which they want to object (e.g., email marketing, short message service marketing (“SMS”), newsletters, etc.).
  • Consent. When relying on consent for direct marketing activities, companies must ensure that the conditions for valid consent under the GDPR are met (i.e., consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the data processing). The Recommendation mentions that companies can use techniques other than tick boxes to collect consent, in order to avoid consent “fatigue.” Companies cannot condition the provision of a product or service to consent to personal data processing that is not necessary for the performance of a contract. Additionally, a consent form must also be specific with respect to the content of the marketing communication and the means used—for example, separate consent must be collected for SMS marketing and telephone marketing. Additionally, consent must be regularly updated, demonstrable and easy to withdraw.
  • Cookies. In the Recommendation, the Belgian DPA also addresses the notice and consent requirements for the use of cookies. According to the Belgian DPA, functional cookies must be clearly differentiated from other types of cookies, such as analytics cookies, and specific consent must be obtained for any non-essential cookies. Additionally, companies must provide appropriate information about cookies and their respective purposes. For example, a cookie banner must include detailed information about how to consent and/or object to the use of cookies, the purposes for each cookie and the entity responsible for placing the cookies. The Belgian DPA points to the Planet49 case law in confirming that merely continuing to browse a site or an app no longer constitutes valid consent to the use of cookies.
  • Individuals’ Rights. The Belgian DPA notes that when an individual withdraws their consent to the processing of their personal data, there is no longer a valid legal basis to process such data, unless personal data must be kept to comply with a legal obligation. This means that if the individual withdraws their consent and there is no alternative legal ground, the personal data should be deleted (regardless of whether the individual exercises their deletion rights). In that scenario, companies may, for example, send an automatic notification to the individual stating that their personal data will be deleted from the company’s database as a result of the consent withdrawal. The same principle applies where individuals object to the processing of their personal data on the basis of the legitimate interest ground.

Read the Recommendation (in French and in Dutch) and the Belgian DPA’s press release (in French and in Dutch).