Defining direct marketing
In its Guidelines, the BDPA defines direct marketing as “any communication, in any form, solicited or unsolicited, originating from a natural or legal person, targeting the promotion or sales of services, products (free or against remuneration), as well as brand or ideas, addressed by a natural or legal person active in commercial or non-commercial context, which is directly directed to one or more natural persons in a private or professional context and which includes the processing of personal data”.
The BDPA explains every component of this definition extensively (e.g. by confirming that also non-profit organizations and political parties can engage in direct marketing) and includes numerous examples (e.g. on how to differentiate market research from direct marketing activities).
Relevant GDPR provisions
The Guidelines further explain which GDPR provisions are applicable to direct marketing and how to act according to these provisions. Clarifications on the relationship between direct marketing and the basic principles of purpose limitation, data minimization and transparency are also included, as well as examples of joint controllership of data.
Among other things, the BDPA furthermore confirms that there is no hierarchy between the lawful bases of processing. No single lawful basis (e.g. consent) is better than others (e.g. legitimate interests), unless of course specific legislation prescribes the use of a specified legal basis (e.g. the obligation to rely on ‘opt-in’ consent for electronic direct marketing to prospects, as included in the Belgian Code of Economic Law). Regarding consent as legal basis, the Guidelines set out the criteria that must be met by a valid consent mechanism (including the mechanism to ‘opt-out’ again.)
Some specific points of attention
(1) Specific attention is given to profiling techniques, as the underlying processes are often invisible for data subjects. Profiling can obviously lead to (unintended) negative consequences because datasets can be too restrictive or too focused on certain aspects which can lead to (price) discrimination. This requires additional safeguards to be taken.
(2) Secondly, the Guidelines also contain a few recommendations relating to the use of cookies (e.g. analytical or tracking cookies) for direct marketing purposes, in line with its recent case law.
(3) Thirdly, activities of data brokerage are scrutinized, referring to the fine the Polish DPA has imposed on Bisnode in 2019.
(4) Finally, also the transfer and reuse of personal data in the context of M&A transactions is highlighted as an area that deserves specific attention, in particular when it comes to transparency and information obligations.
The BDPA concludes by stating that “acting in accordance with the GDPR is not only an obligation towards the processing of personal data, but also an obligation to act in an ethical manner towards everyone involved”. In order to create uniformity and consistency in direct marketing practices, the BDPA finally also recommends drawing up a code of conduct for direct marketing sectors involved, as foreseen in the GDPR.
A welcome Valentine’s day present?
In general, we welcome the approach of adopting detailed and extensive guidelines, which include many examples, to provide more clarity on specific GDPR topics. On the other hand, we regret that a similar guidance, focusing specifically on the use of cookies, was not adopted as well, as this would have been very useful for Belgian companies in the aftermath of the BDPA’s cookies fine of December 2019.
In any case, we look forward to more guidance from the BDPA on various GDPR topics, and will keep you posted of any further developments in the Belgian privacy and data protection landscape.