Belgian DPA publishes new detailed guidelines on direct marketing

The Belgian Data Protection Authority (DPA) has just published its new Recommendation for the processing of personal data for direct-marketing purposes. Available in French and Dutch, this 78-page document is a practical guide for organisations and marketeers engaged in digital and paper-based direct marketing, and includes useful examples and dos and don’ts.

A top priority for the Belgian DPA

The Belgian DPA has earmarked direct marketing as one of its top priorities for the next five years. It was also, however, among the top three types of complaints and requests sent to Belgian DPA. Since the last guidelines were released in 2013, the recent Recommendation has been welcomed by the industry. In addition, the DPA will soon publish FAQs to make the information more accessible.

Context and scope of the Recommendation

Every day many organisations use direct-marketing communications to reach millions of people. These communications involve the processing of personal data. To the marketing adage “get the right message to the right person at the right time”, the Belgian DPA has added “in the right way”. The Recommendation aims to help organisations involved in direct marketing comply with the applicable rules of the GDPR.

What exactly is direct marketing?

There is no legal or commonly accepted European definition of this concept. It is, however, important to understand whether or not your communication techniques fall under it. The Belgian DPA defines direct marketing as:

  • Any communication, whether solicited or unsolicited”: This definition covers all types of communication, such as the promotion of products or services and the promotion of ideas. The notion of "marketing" should not necessarily be understood as a communication for commercial or profit-making purposes. For instance, distributing advertising leaflets in the mailboxes of people in your neighbourhood who are not yet customers and inviting them to test your products is also considered direct marketing.

  • for the promotion of an organisation or an individual, of services, products, paid or free of charge, as well as brands or ideas”: a promotion does not necessarily have to be for goods or services. However, the rules on direct marketing do not apply when contact is made with consumers for the purpose of carrying out market research, surveys or satisfaction polls, provided that the communication is made for these purposes only.

  • addressed by an organisation or an individual acting in a commercial or non-commercial context”: It applies to any type of organisation, whether it is pursuing a commercial purpose or not. It can therefore be a communication made by foundations and public authorities. The definition also applies to persons not pursuing any profit motive, as long as their communications are intended to promote something.

  • directly to one or more natural persons in a private or professional context”: directed to one or more natural, identified or identifiable person, either by name or on the basis of other information relating to that person (e.g. an IP address), enabling him to be contacted.

  • by any means”: This includes non-digital communications (e.g. regular mail, human interaction) and digital communications, such as text, video, photo, image or sound communications carried out by telephone calls, SMS, MMS, e-mail, chat-boxes, pop-ups. Such processing may be carried out using different techniques, such as targeting and microtargeting, or real-time bidding, and on different channels such as social networking platforms.

  • involving the processing of personal data”: marketing communication that does not involve any processing of personal data is excluded from the notion of direct marketing and therefore from the scope of the GDPR.

How to comply with direct-marketing practices?

1) Determine the roles of each party in order to understand and define their respective obligations:

  • Controllers or joint controllers. When several organisations jointly determine the purposes and means of processing, the GDPR requires that these joint controllers define their respective obligations in a transparent manner by means of an agreement between them, which duly reflects their respective roles towards the persons concerned. The communication of data to third parties must be identified as precisely as possible. The Belgian DPA stresses that simply referring to the privacy policies of these third parties is not always sufficient to meet the transparency requirements, mainly in view of the complexity and length of these policies.

  • Processors. The DPA also recalls that the relationship with a processor must be the subject of a written contract. The fact that some processors may offer “turnkey” solutions will not interfere with your qualification as controller.

  • Purchase, rental, enrichment of personal data (data brokers). Organisations offering services for making personal data available, through brokerage, sale or rental, must also comply with strict transparency requirements.

2) Determine the purposes for processing the data:

The correct determination of your purposes is essential. According to the Belgian DPA, stating that your organisation “processes personal data for direct marketing purposes” is not sufficient to provide accurate information within the meaning of the GDPR.

The level of detail expected depends in particular on the type of marketing communications (e.g. SMS, e-mail, telephone, mail), their frequency (e.g. monthly, yearly), their content (e.g. information on the brand, a product, a service, newsletter, discount vouchers) or the complexity of the processing in question (i.e. whether it is based on profiling and is accurate).

Accurate descriptions of direct marketing include: informing customers about your new products or services; establishing the profile of your customers; proposing personalised offers for customers' birthdays; and keeping customers informed of your different actions.

Your organisation should also be careful to provide clear information on any further processing to the data subjects on the same topic. If this further processing is not based on the consent of the data subject, you must run the GDPR’s compatibility test.

3) Determine the processing activities and update your record of processing activities:

As with the purpose of data processing, you must be transparent about your processing activities. The required level of detail depends among other things on the type of data subjects (children, professionals, experts, etc.), the way personal data are processed and the degree of intrusion into their right to privacy during the processing. The more intrusive the processing, the more detailed and transparent you need to be.

Examples of processing activities include: using the messaging service of a social network to send messages for personalised birthday offers to your customers; using e-mail addresses to send customers information on your different actions or a newsletter; etc.

4) Identify the personal data you need:

  • Adhere to the principle of data minimisation. Review the personal data and categories of personal data you have at your disposal, taking into account the adequacy, relevance, limitations and purpose of the processing that you intend to carry out.

  • Take control of and manage your data (privacy by design and privacy by default). Make sure that you do not collect more data than necessary and guarantee the quality of the data you have. If you properly manage your databases, you will be able to quickly identify data that have become obsolete or can no longer be processed.

5) Check the legal basis:

Processing personal data is only allowed if it is based on one of the six legal bases provided for in the GDPR. You cannot process data without a legal basis. Be aware that certain specific legislation requires you to use one legal basis to regulate a certain type of processing (e.g. the e-Privacy Directive requires consent of the data subjects).

  • What is the legal basis for direct marketing processing activities?

    • Necessary for the performance of a contract? Most likely not. The specificity inherent to contractual relations limits the possibility to use this legal basis for direct marketing.

    • Legitimate interests? Before using this legal basis, you should consider whether you fall under the application of any special laws that would prevent you from using it (e.g. the e-Privacy Directive). The DPA states that legitimate interest can be relied upon only if the interests you pursue as controller, or those pursued by third parties to whom you wish to communicate the data, are recognised as legitimate; the processing activities are necessary for the realisation of those interests; and you assess whether your interests can take precedence over the interests, freedoms and fundamental rights of the people whose personal data you intend to process. You should also consider the categories of personal data you intend to process. (If these data include or might include data that fall within the category of “sensitive” data, you cannot base your processing on legitimate interests). If there is no reasonable expectation, then try to rely on another basis.

    • Consent? To be able to rely on consent you must make sure that the consent is:

      • Informed: The person giving consent must fully understand why and what he or she is consenting to. This condition is inextricably linked to the information that must be provided by the controller to the data subject.

      • Freely given: data subjects must have a real possibility to accept or refuse, without being deprived of access to a service or any other benefit in case of refusal.

      • Specific: You must clearly and specifically list each of the purposes pursued. Otherwise, the consent given is invalid because it is not specific. Data subjects (or users) should have the freedom to consent to certain processing operations and not to others, particularly in regard to the placement of cookies, for which you must, among other things, make a clear distinction between functional cookies and non-functional cookies, such as analytical cookies.

      • Unambiguous? Consent to receive promotional communications by e-mail does not imply consent to receive telephone calls. It is therefore necessary to ensure that unequivocal consent is obtained both on the content of communications and on the means used to do so. Requests should therefore be separated if several communication tools can be used, rather than using a single request.

    • Other important points to consider if you rely on consent:

      • Proof of consent. You are free to use whichever method you feel is most appropriate to comply with this obligation to maintain evidence of consent (e.g. you can keep a record of the consent statements received so that you can attest how consent was obtained, when it was collected and what information the data subject were provided with).

      • Withdrawal of consent: data subjects should be allowed to withdraw it at any time, free of charge, and without prejudice. 

  • What about the opposition mechanism?

    • The right to object must be unambiguous, clear, and in plain language with an unsubscribe option for all direct-marketing communications. It is not enough to indicate the possibility of exercising this right in a privacy policy. It must be presented to the data subjects in such way that it is reasonably deemed they have seen the unsubscribe option.

6) Be transparent

  • When to be transparent? The DPA states that when you collect data directly from the data subject, you must provide the information at the time the data are obtained. Where the data are not obtained directly from the data subject, you must provide the information within one month from receipt of the data and at the first communication with the data subject.

  • If you have a website, a link to your privacy policy should be clearly visible and easily accessible to visitors. According to the DPA, privacy policies placed in small print at the bottom of the page do not meet the transparency requirements.

  • The DPA also confirms that cookie policies must be separate from other documents, such as privacy policy, terms and conditions.

Thomas Dubuisson, Associate, Brussels

Tom De Cordier, Partner, Brussels