Greetings from Brussels!
In February, the Belgian Data Protection Authority released its first recommendations of 2020 in relation to data processing activities for direct marketing purposes. The full text is available in both French and Dutch.
If you’ll recall, back in December 2019, the Belgian DPA released its “5-year Strategic Plan” confirming direct marketing as one of its top priorities over the next five years; the four other focus areas for activity were telecoms and media, public institutions, education and SMBs. Focusing on direct marketing will indeed be welcomed by citizens and companies alike, as it ranks in the top three types of complaints and requests for clarification made to the Belgian authority. Alexandra Jaspar, director of the DPA’s Knowledge Center, said, "Direct marketing is used daily, by many actors, for millions of people, using increasingly sophisticated techniques: we had to clarify the rules in order to ensure respect for the rights of citizens."
The scope of application of the recommendation is broad, covering multiple kinds of promotions, including sales, marketing, and advertising. That said, it is not limited to promotions of a commercial nature. It also refers to all data subjects that may be targeted by direct marketing such as customers, members, prospects, subscription holders, or even voters. The Belgian DPA within the recommendation defines direct marketing as, “Any communication in any form whatsoever, solicited or unsolicited, from an organization or a person and aimed at the promotion or sale of services, products (paid or not), as well as brands or ideas, addressed by an organization or a person acting in a commercial or non-commercial framework, which is directly addressed to one or more natural persons in a private framework or professional and involving the processing of personal data.”
In terms of individual rights, the Belgian DPA is categorical in its guidance, stating that when an individual withdraws consent to the processing of their personal data, there is no “continued” valid or applicable legal basis to process or hold the said personal data unless it must be retained in order to comply with an ancillary legal obligation. As such, the data in question needs to be “deleted” and the data subject informed of the action. This same principle is also applied where there is opposition to personal data being processed under a legitimate interest basis. Both cases should give organizations a fairly clear direction on process re-engineering requirements.
In line with Article 5 of the GDPR, the Belgian DPA also underlines the principle of minimization, limiting processing to the personal data necessary for achieving the purpose of direct marketing. To that end, the Belgian DPA also recommends that companies limit the use of free text fields in data collection design and conduct regular reviews of their databases to delete any unnecessary data. The guidelines also extend to “call privacy,” advising adherence to informed or external "Do Not Call" lists when undertaking data retention reviews of stored data for marketing purposes. Furthermore, the DPA encourages the industry to put Codes of Conduct in place as provided for under Article 41 of the GDPR to ensure uniformity, coherence and transparency of practices.
There is much to unpack in the recommendation, so it’s worth the read. David Stevens, president of the Belgian DPA, said that ensuring better protection of citizens' personal data does not only require enforcement action, adding “upstream, the recommendation is a very precious tool to guide data controllers, from the conception of their projects, towards practices that are respectful of privacy.” He concluded that “remembering the rules is sometimes more effective than taking out the stick.”