On January 17, The Belgian Data Protection Authority (DPA) published Recommendation no 01/2020 providing Guidance on direct marketing. The Recommendation provides a methodology on how to comply with the General Data Protection Regulation (GDPR) when conducting direct marketing.
Context and Scope of Application
The Recommendation applies to all kinds of promotions, including sales and advertising, and is not limited to promotions of a commercial nature. It refers to all data subjects that may be targeted by direct marketing such as clients, members, prospects, subscribers, or even voters.
Definition of Direct Marketing
The Belgian DPA defines direct marketing as any communication, solicited or unsolicited, aiming to promote an organisation, person, service, product, trademark, or idea, regardless of whether this communication is of commercial or non-commercial purpose.
Some relevant examples include, but are not limited to:
- Companies sending emails to clients mentioned in their listing;
- NGOs delivering mail to a list of subscribers to inform them on a new campaign; and
- Political parties inviting their contacts to participate in political events.
However, the definition does not include non-profit marketing in the context of campaigns, which aim to raise public health awareness regarding specific diseases. For example, a public administration targeting specific groups susceptible to specific diseases does not engage in direct marketing unless a specific medicinal product and/or pharmaceutical company is mentioned.
How to Comply?
The Recommendation provides a step-by-step approach on how achieve compliance:
1. Necessity for a Clear Definition of Processing Purposes
The Belgian DPA advises all those engaging in direct marketing to clearly define their processing purposes, in order to ensure that they have a legal basis for pursuing processing as required under Article 6 of the GDPR.
Some examples of processing purposes related to direct marketing are:
- Informing clients on new products or services;
- Creating client profiles;
- Allowing third parties to use their clients’ data to create voter profiles;
- Proposing personalised offers on the birthdays of their clients.
- Keeping track of their clients’ various actions;
- Promoting their brand to the public;
- Inviting clients or prospects to events (to promote their organisation);
- Disseminating targeted offers to clients with a view to meet their interests; and
- Attracting new clients, subscribers, or members.
2. Necessity for Data Minimisation
In line with Article 5 of the GDPR, The Belgian DPA underlines the importance of identifying the personal data that is absolutely necessary for achieving the purpose of direct marketing.
3. Fulfilment of Transparency Obligations and making sure that Data Subjects can exercise their rights
The Belgian DPA recommends that data controllers engaging in direct marketing make efforts to remain transparent as regards the use of data subjects’ personal data in compliance with their obligations under Articles 12, 13, 14, 15-22, 34, and 58 of the GDPR. Data controllers, therefore, have an obligation to articulate their terms in simple and accessible ways. This will enable Data Subjects to effectively exercise their rights.
4. Right to Object
According to the Recommendation, data controllers in direct marketing should explicitly include the right to object in their privacy policies in a simple and clear language in all their communications. A mere indication of the possibility to exercise that right as part of the data controller’s privacy policy does not suffice.
5. Consent
The recommendation underlines the need for consent to be specific, informed, clear, and unambiguous as provided by Article 4 of the GDPR and advises on additional safeguards for obtaining the valid consent of minors. It emphasises that those who engage in direct marketing should explain in simple terms to minors, which data they wish to use and for what purposes they intend to use them, while reassuring them that consent can be withdrawn at any time.
6. Ethical Obligations.
The Belgian DPA recommends that actors engaging in direct marketing put in place Codes of Conduct as provided by Article 41 of the GDPR to ensure uniformity and coherence in their practices. It also advises that companies be clear and honest towards data subjects about how they use their data and that they showcase the steps they take to comply with the GDPR in accordance with the principle of accountability.
***
The Recommendation from the Belgian Data Protection Authorities is immediately applicable and should be used as general guidance to comply with the GDPR when processing personal data as part of direct marketing campaigns in the EU.
*Vicky Vlontzou, a trainee in our Brussels office, contributed to this entry.
[View source.]