Who: The Belgian Data Protection Authority (BDPA)
Where: Belgium
When: 17 January 2020
Law stated as at: 2 April 2020
What happened:
The BDPA issued its first guidelines of the year in relation with processing of personal data for direct marketing purposes (in French and Dutch), which is one of its priorities in its strategic plan for 2020 to 2025.
In order to create trust among consumers who share their personal data, the BPDA aims at a common understanding and interpretation of the data protection rules in a context of direct marketing.
Hence, the guidelines should establish a set of good professional practices for direct marketing.
In the first part, taking inspiration from the draft EU E-Privacy Regulation, the BDPA proposes a broad definition of direct marketing, encompassing political or non-business related activities as well. Key notions such as “communication“, “promotion“, as well as the means and recipients of direct marketing, are further detailed and explained.
The remainder of the recommendation details what the BDPA deems “good practices“, considering the following topics among others:
Direct marketers under the General Data Protection Regulation
- Clarification of the roles, obligations and liabilities of controller, processor, joint-controller(s) and subcontractor(s) , including cases where a business cumulates several qualities;
- data obtained through data brokers or related advertising businesses, that gather, aggregate, enrich and pre-process personal data prior to their further resale, with a warning regarding the fairness of such businesses’ practices and a strict due diligence duty for the buyer of such data prior to further processing; and
- communication of collected personal data to new entities following a business restructuring or M&A operation of the owner of such data.
Processing of personal data
- Applying the compatibility test when reusing previously collected data for other new purposes;
- importance of distinguishing means and purposes. For example, data profiling would constitute a means of processing whereas the purpose is to better target existing or potential clients, something that many business appear to mix up, according to the BDPA; and
- quality of the data collected: applying the principles of accountability and privacy by design, businesses should assess carefully what technical and organisational means they have in order to ensure the accuracy, relevance and appropriate retention period of the personal data collected.
Appropriate Legal grounds for processing of personal data in a context of direct marketing
- How to properly rely on “legitimate interests” without making it a default legal ground; and
- How to assess whether consent is freely given, specific, informed, unambiguous, and, where applicable, explicit and manners to validly obtain consent for a minor’s personal data.
Why this matters:
These guidelines are welcome at a time where e-commerce is booming, and advertising techniques are increasingly personalised and intrusive. While not binding, they will most likely be perceived by the consumers as a label of quality and trustworthiness, and play a significant roles in court in the event of disputes or claims. They are drafted in a comprehensive and clear manner, and use real life cases and examples from other case-law or decisions from other data protection authorities within the European Union, so that anyone can consult them.
