New guidelines on the processing of personal data for direct marketing purposes
17 February 2020
Against this background, the Belgian Data Protection Authority (the BDPA) has published guidelines on the rules regarding the processing of personal data for direct marketing purposes (FR/NL) (the Guidelines). The Guidelines build on the rules and principles set out in the General Data Protection Regulation (the GDPR), the ePrivacy Directive 2002/58, the guidelines and documents issued by the European Data Protection Board and the decisions of the BDPA and of other national data protection authorities. The main takeaways in the Guidelines are set out below.
What is direct marketing?
The BDPA defines direct marketing communications as “any communication in any form, solicited or unsolicited, originating from an organisation or individual aimed at the promotion or sale of services, products, as well as brands or ideas, addressed by an organisation or individual acting in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and which involves the processing of personal data”.
The Guidelines explain that, in view of the broad scope of this definition, many communications qualify as direct marketing communications. For example, according to the BDPA, emails sent by an anti-pollution association to inform its members about the different actions carried out around the world are direct marketing communications because they promote the association’s activities and its image.
Transparency is key
Pursuant to the transparency principle, which is one of the key principles set out in data protection legislation, data subjects should always be informed of the purposes for which their personal data is being collected. Accordingly, data controllers are obliged to describe the purposes for which personal data is processed as precisely as possible.
According to the BDPA, a blanket statement such as “we process your personal data for direct marketing purposes” would therefore not be sufficient. Examples of more detailed (and acceptable) purposes include the promotion of a brand image to the general public, inviting customers or prospects to events or canvassing new customers.
Data, data and more data
The BDPA also notes that, with the rise of Artificial Intelligence, it has become easier to process personal data in an automated way, which in turn can lead to profiling. Where such profiling results in automated decisions (without human intervention), the consent of the data subjects must in principle be obtained.
The Guidelines illustrate this point with the example of an insurance company that uses customer profiles to pre-select its insurance products and to offer different products and conditions to different customers. In such a case, the BDPA considers that (i) the customers should be clearly informed about decisions made on the basis of automated processing and (ii) the customers’ express consent to the profiling must be obtained.
The Guidelines also elaborate on how data subjects may object to the processing of their personal data in the context of direct marketing. Under the GDPR, data controllers must clearly communicate to data subjects, in simple and unambiguous language, that they have the right to object to the processing of their personal data.
The BDPA states that such right to object must be repeated in every direct marketing communication. In this regard, the BDPA questions whether a hyperlink allowing data subjects to unsubscribe suffices (especially if written in small font) and recommends including a clear communication about the right to object, with an integrated checkbox.
Make sure that your direct marketing processing is based on a valid legal ground
The BDPA also highlights the importance of basing direct marketing processing activities on one of the legal grounds provided for in article 6 of the GDPR. Two legal grounds deserve special attention: legitimate interest and consent.
Firstly, the BDPA explains that, in examining whether there is a legitimate interest, the reasonable expectations of the data subjects must be taken into account based on their relationship with the controller. Importantly, the BDPA takes the strict view that the legitimate interest ground cannot in principle be relied on when a company has never had any contact with a prospect, as such prospect would not have the reasonable expectation that they would receive direct marketing from that company.
Secondly, the BDPA stresses that a data subject’s consent must be given in a free and specific way. This means that the data subject must have a real possibility to accept or refuse the processing without being denied access to the information concerned. Furthermore, the BDPA stresses that each of the intended purposes must be communicated in a clear and specific way, and that the data subject must be able to give their consent to each individual direct marketing purpose.
Bearing in mind that the BDPA is becoming increasingly active in enforcing the data protection rules and principles, companies would be well advised to thoroughly review and read the Guidelines and adapt their direct marketing processing activities accordingly.