GDPR and Direct Marketing – the Belgian & Dutch DPAs’ Approach
On 10 February 2020, the Belgian Data Protection Authority (DPA) published a Recommendation on processing activities for direct marketing purposes. The DPA states that, following the entry into force of GDPR, it has received over six hundred questions concerning direct marketing by organizations and citizens, the topic being among the top 3 submitted to the Authority.
This Recommendation is based on and complements a framework of relevant existing advisory opinions and guidelines at the EU level. While the European Data Protection Board has not adopted ad hoc general guidelines on direct marketing so far, the topic has been of interest from the early Article 29 WP Opinion on unsolicited marketing communications, and remains hotly debated also in relation to the ePrivacy rules reform.
On top of all other applicable GDPR principles and obligations, thoroughly explained and detailed throughout the Recommendation, the following key takeaways should be retained by organizations who engage in direct marketing activities.
Definition of “direct marketing”
Firstly, the DPA provides a very broad definition of direct marketing activities:
“any communication, in any form, solicited or unsolicited, originating from an organisation or an individual and aimed at the promotion or sale of services, products (whether in return for payment or free of charge), as well as brands or ideas, addressed by an organisation or an individual acting in a commercial or non-commercial context, which is addressed directly to one or more natural persons in a private or professional context and which involves the processing of personal data”.
According to the DPA, this includes preparatory acts to compile contact lists and automatic price adjustments based on user profiles. Notably, communications not intended for profit may also qualify as direct marketing.
The entities involved
The DPA stresses the importance, as in all processing activities, of determining each entity’s role within that context. Data controllers and joint controllers, as is well known, are responsible for providing information to data subjects and must do so in a transparent manner. One interesting clarification covers data collection via social media, as also noted in the CJEU’s Fashion ID case: the presence of general conditions and terms on the social network’s website does not lift the data controller’s information obligations towards data subjects. Website owners relying on certain Facebook tools collect and transmit website visitor data to Facebook and may therefore qualify as joint controllers.
Data processors may be engaged for processing operations upon provision of sufficient guarantees. Data subjects in this context include all those that may be targeted by an organization’s direct marketing operations, such as clients, members, prospects, subscribers, voters.
Pursuant to Article 5(1)(b) of GDPR, purposes for data processing must be clearly identified and defined. In the context of direct marketing, the DPA provides the following examples of purposes:
• Informing customers about new products or services;
• Establishing a customer profile;
• Allowing third parties to use clients’ data to build voter profiles;
• Providing personalized birthday offers to customers;
• Keeping customers informed of the organization’s activities;
• Promoting brand image to the general public;
• Inviting clients or prospective clients to promotional events;
• Communicating targeted offers to clients;
• Attracting new clients, subscribers or affiliates.
Furthermore, in accordance with the principle of purpose limitation, re-purposing for direct marketing data that was originally collected for another purpose must undergo a compatibility test, and the new purposes must be defined accordingly.
The DPA highlights that, in most cases, adopting a general “we process your data for direct marketing purposes” does not meet the level of accuracy prescribed by GDPR. The level of detail expected depends on the type of marketing communications (sms, e-mail, telephone, mail, etc.), their frequency, their content (information on the brand, a product, a service, newsletter, discount vouchers) or the complexity of the processing (e.g., based on profiling and its accuracy).
Transparency requirements also entail that the information provided be fair. Therefore, communicating “we process your data in order to improve our services” is not appropriate when the purpose of marketing communications is to promote the organization’s services and encourage customers’ use. Transparency also entails that all information obligations under GDPR be faithfully communicated to data subjects in a simple and comprehensible language.
The DPA addresses the main issues surrounding profiling practices, as these may be particularly relevant in direct marketing scenarios. Anonymity and necessity of personal data processing should be guiding principles. Note that, in the context of automatic decision-making without human intervention, explicit consent is required.
Possible legal bases
Preliminarily, organizations should always verify the application of special laws restricting possible legal bases, such as the ePrivacy Directive (see below).
a) Performance of a contract
The DPA advocates for a very strict interpretation of the performance of a contract legal basis (Article 6(1)(b) of GDPR). To apply, the processing must be necessary for the performance of a contract concluded with the data subject or in order to take pre-contractual measures at the request of the data subject, on the basis of a strict necessity test.
As a result, organizations typically rely on the legitimate interest basis (Article 6(1)(f) of GDPR), or consent (Article 6(1)(a) of GDPR).
The DPA recommends that if different direct marketing purposes are pursued and/or these involve different kinds of processing operations, organizations must be specific. Consent should be given to each activity separately. Moreover, single opt-in buttons (“accept all” consent) or overly general wording should not be used. Different purposes should be clearly listed, corresponding to each processing operation and allowing selective consent by data subjects, where appropriate.
Explicit consent is the only possible legal basis in the case of processing of special categories of data (Article 9(2) of GDPR) for purposes of direct marketing.
If minors are involved (in Belgium, children under the age of 13), special protection applies in the use of data processing for marketing purposes or for the creation of personality or user profiles (Recital 38 of GDPR).
As mentioned, relevant legal requirements in this context are provided by the ePrivacy Directive, transposed in the Belgian Code of Economic Law (“Book XII – Electronic Economy Law”) and in Royal Decree of 4 April 2003 regulating the transmission of advertisement by email.
The DPA notes that, pursuant to Article 13(1) of the ePrivacy Directive, organizations must obtain prior consent of subscribers or users for unsolicited direct marketing communications by electronic means, including via automated calling and communication systems without human intervention (automatic calling machines), fax or e-mail, for commercial purposes.
However, Article 13(2) of the ePrivacy Directive, as implemented by the abovementioned Royal Decree, also provides for a “soft opt-in” exception for e-mail for direct marketing purposes, when addressing existing customers or subscribers whose electronic contact details were obtained in the course of sales of the organization’s product or service. This exception allows organizations to send e-mails to existing customers for the purpose of promoting similar products or services, provided that customers are clearly and expressly given the option to object, free of charge and in a simple manner.
c) Legitimate interest
Where an organization chooses to rely on a legitimate interest as the basis for processing, the usual test applies. The possibility to object to the data processing is key in the context of direct marketing purposes. In fact, without a real and effective right of objection, no balance can be struck between the organization’s legitimate interests and data subjects’ fundamental rights and freedoms. Furthermore, a legitimate interest test should be particularly cautious when it involves minors, as judges will be inclined to consider the minor’s interests prevalent.
Data minimization requires organizations to keep personal data collection to the minimum necessary (Article 5 of GDPR). In the context of direct marketing, it is particularly important to identify what personal data is strictly necessary to achieve the organization’s purposes.
Management of data subjects’ rights
Within the context of direct marketing, the right to object is particularly relevant. Objection must be unconditional and easily exercisable, involving clear visibility, simple and unambiguous language, free of charge. It should be placed in all direct marketing communications. Upon the data subject’s objection, all processing relating to direct marketing purposes must cease.
Furthermore, the DPA recommends that organizations keep regularly and automatically – where technically possible – lists set up, e.g., for individuals who do not wish to be contacted by telephone (“Don’t call me anymore list”).
It’s important for organizations to be aware that the Belgian DPA has made direct marketing a priority in its Strategic Plan 2019-2025. This entails that greater scrutiny is likely to be given to such practices going forward, both from the point of view of support, as well as supervision.
Both the GDPR and the Dutch Telecommunications Act apply to direct marketing in the Netherlands.
The Dutch Data Protection Authority (DPA) is the independent supervisory body in the Netherlands that promotes and monitors the protection of personal data. On 4 October 2018, the Dutch DPA issued guidelines on the interpretation of the GDPR with regard to direct marketing, including Q&As that have been updated since, also with news items.
The Dutch DPA’s approach regarding direct marketing is very similar to the Belgian DPA’s approach described above, although a bit less specific on purpose definition and the transparency requirements. In the Netherlands, too, organizations typically rely on the legitimate interest basis (Article 6(1)(f) of GDPR), or consent (Article 6(1)(a) of GDPR).
With regard to consent requirements, in the Netherlands minors are considered children under the age of 16 (the age limit determined in Article 8 of GDPR has been confirmed in Article 5 of the Dutch Implementation Law GDPR).
With regard to the legitimate interest basis the DPA issued guidelines on the interpretation of this legal basis on 1 November 2019. The DPA determines in these guidelines that informing existing customers, after they have bought a product, about the seller’s own similar products or services, is considered a legitimate interest (so no prior consent is required). The following, however, is not considered a legitimate interest:
• only serving pure commercial interests;
• profit maximization;
• monitoring of (potential) customer’s (buying) behaviour without legitimate interest.
A lot of discussion has arisen with regard to this interpretation, because it is contrary to the EU approach, but it is not yet clear how the DPA will enforce this interpretation.
The e-Privacy Directive has been transposed by the Netherlands in the Telecommunications Act. In accordance with article 11.7 of the Telecommunications Act the following applies with regard to the different means of direct marketing:
• By fax, e-mail and SMS: prior consent required (opt-in);
• By means of telephone or other means: allowed unless someone opted-out. Also, be aware of the existence of the “do not call me register” (Bel-me-niet Register) and the “mail filter” (Postfilter).
• There are a number of specific exceptions to the requirement of consent:
– If the user is a legal entity or a natural person acting in the exercise of its/his profession or business, no prior consent shall be required for the transmission by:
▪ means of electronic mail of unsolicited communications for commercial, idealistic, or charitable purposes:
a) If the sender when transmitting the communication makes use of electronic contact details intended and provided by the user and said contact details have been used in accordance with the purposes attached to said contact details by the user; or
b) If the user is based outside the EEA and the rules regarding the sending of unsolicited communications in the country concerned have been complied with.
– Addressing existing customers whose electronic contact details were obtained in the course of sales of the organization’s product or service. This exception allows organizations to send e-mails to existing customers for the purpose of promoting similar products or services, provided that customers are clearly and expressly given the option to object, free of charge and in a simple manner, prior to the collection of their data and in each subsequent
The Dutch Authority for Consumers and Markets (ACM) is the independent regulator that champions the rights of consumers and businesses and enforces the Telecommunications Act. With regard to direct marketing issues, the ACM and DPA cooperate.
In its Focus Dutch Data Protection Authority 2020-2023, the DPA has selected the following three focus areas for 2020-2023: data brokering, digital governance and AI and algorithms. This entails that greater scrutiny is likely to be given to direct marketing practices including data brokering or AI/algorithms (such as profiling) going forward, both from the point of view of support, as well as supervision.