Belgian DPA publishes direct marketing guidelines
On 10 February 2020, the Belgian Data Protection Authority (BDPA) published its very first post-GDPR guidelines. They relate to the processing of personal data for direct marketing purposes. The BDPA explained that it wants to raise awareness among companies active in direct marketing on how to act and react in accordance with the EU General Data Protection Regulation 2016/679 (GDPR).
Because the direct marketing guidelines (the Guidelines) themselves are quite extensive (79 pages), this article only covers a few highlights.
Defining direct marketing
In its Guidelines, the BDPA defines direct marketing as “any communication, in any form, solicited or unsolicited, originating from a natural or legal person, targeting the promotion or sales of services, products (free or against remuneration), as well as brand or ideas, addressed by a natural or legal person active in commercial or non-commercial context, which is directly directed to one or more natural persons in a private or professional context and which includes the processing of personal data”.
The BDPA explains every component of this definition extensively (e.g. by confirming that also non-profit organizations and political parties can engage in direct marketing) and includes numerous examples (e.g. on how to differentiate market research from direct marketing activities).
Relevant GDPR provisions
The Guidelines further explain which GDPR provisions are applicable to direct marketing and how to act according to these provisions. Clarifications on the relationship between direct marketing and the basic principles of purpose limitation, data minimization and transparency are also included, as well as examples of joint controllership of data.
Among other things, the BDPA furthermore confirms that there is no hierarchy between the lawful bases of processing. No single lawful basis (e.g. consent) is better than others (e.g. legitimate interests), unless of course specific legislation prescribes the use of a specified legal basis (e.g. the obligation to rely on ‘opt-in’ consent for electronic direct marketing to prospects, as included in the Belgian Code of Economic Law). Regarding consent as legal basis, the Guidelines set out the criteria that must be met by a valid consent mechanism (including the mechanism to ‘opt-out’ again.)
Some specific points of attention
(1) Specific attention is given to profiling techniques, as the underlying processes are often invisible for data subjects. Profiling can obviously lead to (unintended) negative consequences because datasets can be too restrictive or too focused on certain aspects which can lead to (price) discrimination. This requires additional safeguards to be taken.
(3) Thirdly, activities of data brokerage are scrutinized, referring to the fine the Polish DPA has imposed on Bisnode in 2019.
(4) Finally, also the transfer and reuse of personal data in the context of M&A transactions is highlighted as an area that deserves specific attention, in particular when it comes to transparency and information obligations.
The BDPA concludes by stating that “acting in accordance with the GDPR is not only an obligation towards the processing of personal data, but also an obligation to act in an ethical manner towards everyone involved”. In order to create uniformity and consistency in direct marketing practices, the BDPA finally also recommends drawing up a code of conduct for direct marketing sectors involved, as foreseen in the GDPR.
A welcome Valentine’s day present?
In any case, we look forward to more guidance from the BDPA on various GDPR topics, and will keep you posted of any further developments in the Belgian privacy and data protection landscape.
Stéphanie De SmedtSenior associate Attorney at Law
Stéphanie De Smedt, attorney-at-law, is a member of the Litigation & Risk Management practice group in our Brussels office. She is head for Belgium of the IP/IT Team, the Data Protection Team and the Life Sciences Team.T: +32 2 773 23 77 E: firstname.lastname@example.org