18 February 2020 / news

Belgian DPA publishes direct marketing guidelines

On 10 February 2020, the Belgian Data Protection Authority (BDPA) published its very first post-GDPR guidelines. They relate to the processing of personal data for direct marketing purposes. The BDPA explained that it wants to raise awareness among companies active in direct marketing on how to act and react in accordance with the EU General Data Protection Regulation 2016/679 (GDPR).

Because the direct marketing guidelines (the Guidelines) themselves are quite extensive (79 pages), this article only covers a few highlights.


Defining direct marketing

In its Guidelines, the BDPA defines direct marketing as “any communication, in any form, solicited or unsolicited, originating from a natural or legal person, targeting the promotion or sales of services, products (free or against remuneration), as well as brand or ideas, addressed by a natural or legal person active in commercial or non-commercial context, which is directly directed to one or more natural persons in a private or professional context and which includes the processing of personal data”.

The BDPA explains every component of this definition extensively (e.g. by confirming that non-profit organizations and political parties can also engage in direct marketing) and includes numerous examples (e.g. on how to differentiate market research from direct marketing activities).

Relevant GDPR provisions

The Guidelines further explain which GDPR provisions are applicable to direct marketing and how to act according to these provisions. Clarifications on the relationship between direct marketing and the basic principles of purpose limitation, data minimization and transparency are also included, as well as examples of joint controllership of data.

Among other things, the BDPA confirms that there is no hierarchy between the lawful bases of processing. No single lawful basis (e.g. consent) is better than others (e.g. legitimate interests), unless of course specific legislation prescribes the use of a specified legal basis (e.g. the obligation to rely on ‘opt-in’ consent for electronic direct marketing to prospects, as included in the Belgian Code of Economic Law). Regarding consent as a legal basis, the Guidelines set out the criteria that must be met by a valid consent mechanism (including the mechanism to ‘opt-out’ again).

Some specific points of attention

(1) Specific attention is given to profiling techniques, as the underlying processes are often invisible to data subjects. Profiling can obviously lead to (unintended) negative consequences because datasets can be too restrictive or too focused on certain aspects, which can lead to (price) discrimination. This requires additional safeguards to be taken.

(2) Secondly, the Guidelines also contain a few recommendations relating to the use of cookies (e.g. analytical or tracking cookies) for direct marketing purposes, in line with its recent case law. 

(3) Thirdly, data brokerage activities are scrutinized, with reference to the fine the Polish DPA imposed on Bisnode in 2019.

(4) Finally, the transfer and reuse of personal data in the context of M&A transactions are also highlighted as an area that deserves specific attention, in particular when it comes to transparency and information obligations.

The BDPA concludes by stating that “acting in accordance with the GDPR is not only an obligation towards the processing of personal data, but also an obligation to act in an ethical manner towards everyone involved”. In order to create uniformity and consistency in direct marketing practices, the BDPA also recommends drawing up a code of conduct for the direct marketing sectors involved, as foreseen in the GDPR.

A welcome Valentine’s day present?

In general, we welcome the approach of adopting detailed and extensive guidelines, which include many examples, to provide more clarity on specific GDPR topics. On the other hand, we regret that similar guidance, focusing specifically on the use of cookies, was not adopted as well, as this would have been very useful for Belgian companies in the aftermath of the BDPA’s cookies fine of December 2019.

In any case, we look forward to more guidance from the BDPA on various GDPR topics, and will keep you posted on any further developments in the Belgian privacy and data protection landscape.
