Belgian DPA issues guidance on Direct Marketing
As of the entry into force of the General Data Protection Regulation (GDPR) on 25 May 2018, the Belgian Data Protection Agency (DPA) has received over 600 enquiries regarding ‘direct marketing’. Due to its relevance, direct marketing was designated as one of the strategic priorities for the coming years and recently the Belgian DPA published its first guidance on this topic.[1] We’ve set out below an overview of some of the main items covered in the guidance.
What falls within the scope of direct marketing?
The GDPR does not provide a definition of the concept of ‘direct marketing’. In its guidance, however, the Belgian DPA has now given a broad interpretation: direct marketing is considered to be “any form of communication” whether or not requested by the recipient and targeted at the sale or promotion of services and goods (whether in return for a payment or free of charge), including brands and ideas. Furthermore, the rules regarding direct marketing are not limited to mere commercial or lucrative activities and purposes - they apply to any form of promotion and its commercial acceptance in the broadest sense.
As a result of this broad definition, it is crucial to review on a case-by-case basis whether the (strict) rules regarding direct marketing are applicable. Whether it is a newsletter, a newsflash informing customers of the environmental sustainability of a company’s products or an invitation to a (political) networking event, all could potentially qualify as direct marketing.
Key take-aways for direct marketing from the Belgian DPA
The Belgian DPA has made a number of recommendations for the processing of personal data with regard to direct marketing activities. Below is a selection of the main recommendations:
- Pay attention when buying personal data from third parties
The increasing use of so called ‘data brokers’ is particularly well-known in the advertising sector. However, when relying on personal data that is indirectly gathered by third parties, precautionary measures are to be taken from a data protection perspective as it always remains the responsibility of the acquiring party to verify the origin of the personal data which is bought as well as the lawfulness of the processing which was invoked. - Determine the exact purposes of the processing
The controller is obliged to determine the objectives to be achieved with the processing of the personal data.[2] The direct marketing purposes must be determined first, only after which the processing of personal data can be performed. According to the Belgian DPA, examples of direct marketing purposes are: ‘making customer profiles’, ‘informing clients of newly launched services’ or ‘making personalized offers to customers on their birthdays’. - Adequately inform the data subjects of the direct marketing processing
A clear message must be provided to data subjects to abide by the transparency principle embedded in the GDPR. The notice “we process your data for direct marketing purposes” does not suffice in itself.
This applies equally to the often displayed vague message of “your data will be processed to improve our services” in the event that ‘services’ actually means ‘direct marketing purposes’. The message conveyed must be concise, easy to understand and easily accessible in clear and plain language.[3] Hence, further elaboration on the type, frequency and content of the marketing communication as well as the complexity of processing is indispensable. - Verify the lawful basis
Processing personal data can only be initiated after having established a lawful basis. Even though there are six different lawful bases provided for by the GDPR[4] only one can be applied per processing purpose. During processing it is not possible to change the lawful basis. Therefore, when the lawful basis is no longer applicable to a processing purpose, the processing of personal data must be terminated for that specific purpose.
But what about the lawful basis that is applied for direct marketing specifically? In its guidance, the Belgian DPA observes that even though there is no hierarchical structure between the lawful bases, some of them are more (or less) adapted to the specificities of direct marketing:
a) The performance of a contract[5]
An agreement is presumed to be less fitting to serve for direct marketing purposes as it holds a very specific lawful basis. The very limited applicability in the framework of direct marketing is, moreover, due to the unlikeliness that the conducted agreement precisely and exclusively has as its object the sending of direct marketing. However, the Belgian DPA does not fully exclude its applicability, provided that the fundamental notion of ‘strict necessity’ is taken into account and complied with.
b) Legitimate interest[6]
As a preliminary remark, the DPA’s guidance refers to specific legislation concerning the use of legitimate interest as a lawful basis. This legislation takes precedence over the GDPR. For example, the e-Privacy Directive states that, as a principle, unsolicited direct marketing may only be allowed in respect of subscribers who have given their prior consent.[7]
However, electronic contact details obtained in the context of a sale may be used for direct marketing for similar products and services if the customers have the clear and distinct opportunity to easily object to the use free of charge.[8] This exception can only be relied upon by the controller that originally obtained the personal data and used it for similar goods and services provided by the same entity.
Regarding legitimate interest under the GDPR, it is indicated that it may serve as a lawful basis for direct marketing purposes[9] provided that the requirements for the use of legitimate interest as provided for by the GDPR are complied with and thus, for example, all data subjects are able to exercise their right of objection at all times.[10]
The controller must facilitate the data subjects’ right to object, meaning that it must be expressly communicated in clear and plain language in all direct marketing means. The message must be placed visibly, meaning that it cannot be put, for example, at the bottom of an email in small font making it unnoticeable. Furthermore, according to the Belgian DPA, data subjects must be able to exercise their right of objection free of charge, directly, easily and without completing any extra steps.
When the right to object is invoked, personal data can no longer be processed for that direct marketing purpose.[11] The personal data kept for direct marketing must be deleted, subject to exceptions provided for by the GDPR.
c) Consent[12]
For any use of consent as legal basis, the consent given by the data subject must be informed, freely given, specific, unambiguous and explicit. The controller must be able to demonstrate the data subject’s consent to the processing of their personal data for direct marketing purposes for the entire duration of the processing.[13]
Furthermore, the data subject must be able to withdraw their consent freely without any negative consequences. For example, the service provided to a data subject may not become of an inferior quality due to their withdrawal of consent for direct marketing.
Conclusion
Attention must be paid to all components of GDPR compliance when applying direct marketing and, in particular, the qualification and obligations of the actors involved, a correct relationship with the data subject, establishing the processing purposes as well as relying upon an adequate lawful basis.
Notwithstanding the fact that the Belgian DPA guidance sets out a number of specific requirements, it is also crucial that all other principles of the GPDR are complied with. This ranges from conducting a written register of processing activities[14] to adequately responding to invoked data subject rights.[15] With its guidance, the Belgian DPA has brought clarification on the matter of direct marketing and has taken a clear stance by applying a broad interpretation to the applicability of the direct marketing rules. Furthermore, the Belgian DPA made the need for protection of the data subject the common thread throughout its guidance.
[1] Recommendation nr. 01/2020 of the Belgian Data Protection Authority on the processing of personal data for direct marketing purposes (17 January 2020), www.gegevensbeschermingsautoriteit.be/.
[2] Article 5.1 (b) GDPR.
[3] Recital 58 GDPR.
[4] Recitals 39-50 GDPR and article 6 GDPR.
[5] Article 6.1 (b) GDPR.
[6] Article 6.1 (f) GDPR.
[7] Article 13.1 e-Privacy Directive 2002/58/EC.
[8] Article 13.2 e-Privacy Directive 2002/58/EC.
[9] Recital 47 GDPR.
[10] Article 21.2 GDPR.
[11] Article 23.3 GDPR.
[12] Article 6.1 (a) GDPR.
[13] Recital 42 GDPR and article 7.1 GDPR.
[14] Article 30 GDPR.
[15] Chapter III GDPR.