The Belgian Data Protection Authority (DPA) has just published its new Recommendation for the processing of personal data for direct-marketing purposes. Available in French and Dutch, this 78-page document is a practical guide for organisations and marketeers engaged in digital and paper-based direct marketing, and includes useful examples and dos and don’ts.
A top priority for the Belgian DPA
The Belgian DPA has earmarked direct marketing as one of its top priorities for the next five years. It was also, however, among the top three types of complaints and requests sent to the Belgian DPA. Since the last guidelines were released in 2013, the recent Recommendation has been welcomed by the industry. In addition, the DPA will soon publish FAQs to make the information more accessible.
Context and scope of the Recommendation
Every day many organisations use direct-marketing communications to reach millions of people. These communications involve the processing of personal data. To the marketing adage “get the right message to the right person at the right time”, the Belgian DPA has added “in the right way”. The Recommendation aims to help organisations involved in direct marketing comply with the applicable rules of the GDPR.
What exactly is direct marketing?
There is no legal or commonly accepted European definition of this concept. It is, however, important to understand whether or not your communication techniques fall under it. The Belgian DPA defines direct marketing as:
“Any communication, whether solicited or unsolicited”: This definition covers all types of communication, such as the promotion of products or services and the promotion of ideas. The notion of “marketing” should not necessarily be understood as a communication for commercial or profit-making purposes. For instance, distributing advertising leaflets in the mailboxes of people in your neighbourhood who are not yet customers and inviting them to test your products is also considered direct marketing.
“for the promotion of an organisation or an individual, of services, products, paid or free of charge, as well as brands or ideas”: a promotion does not necessarily have to be for goods or services. However, the rules on direct marketing do not apply when contact is made with consumers for the purpose of carrying out market research, surveys or satisfaction polls, provided that the communication is made for these purposes only.
“addressed by an organisation or an individual acting in a commercial or non-commercial context”: It applies to any type of organisation, whether it is pursuing a commercial purpose or not. It can therefore be a communication made by foundations and public authorities. The definition also applies to persons not pursuing any profit motive, as long as their communications are intended to promote something.
“directly to one or more natural persons in a private or professional context”: directed to one or more identified or identifiable natural persons, either by name or on the basis of other information relating to that person (e.g. an IP address), enabling the person to be contacted.
“by any means”: This includes non-digital communications (e.g. regular mail, human interaction) and digital communications, such as text, video, photo, image or sound communications carried out by telephone calls, SMS, MMS, e-mail, chat-boxes, pop-ups. Such processing may be carried out using different techniques, such as targeting and microtargeting, or real-time bidding, and on different channels such as social networking platforms.
“involving the processing of personal data”: marketing communication that does not involve any processing of personal data is excluded from the notion of direct marketing and therefore from the scope of the GDPR.
How to comply with direct-marketing practices?
1) Determine the roles of each party in order to understand and define their respective obligations:
Controllers or joint controllers. When several organisations jointly determine the purposes and means of processing, the GDPR requires that these joint controllers define their respective obligations in a transparent manner by means of an agreement between them, which duly reflects their respective roles towards the persons concerned. The communication of data to third parties must be identified as precisely as possible. The Belgian DPA stresses that simply referring to the privacy policies of these third parties is not always sufficient to meet the transparency requirements, mainly in view of the complexity and length of these policies.
Processors. The DPA also recalls that the relationship with a processor must be the subject of a written contract. The fact that some processors may offer “turnkey” solutions will not interfere with your qualification as controller.
Purchase, rental, enrichment of personal data (data brokers). Organisations offering services for making personal data available, through brokerage, sale or rental, must also comply with strict transparency requirements.
2) Determine the purposes for processing the data:
The correct determination of your purposes is essential. According to the Belgian DPA, stating that your organisation “processes personal data for direct marketing purposes” is not sufficient to provide accurate information within the meaning of the GDPR.
The level of detail expected depends in particular on the type of marketing communications (e.g. SMS, e-mail, telephone, mail), their frequency (e.g. monthly, yearly), their content (e.g. information on the brand, a product, a service, newsletter, discount vouchers) or the complexity of the processing in question (i.e. whether it is based on profiling and is accurate).
Accurate descriptions of direct marketing include: informing customers about your new products or services; establishing the profile of your customers; proposing personalised offers for customers' birthdays; and keeping customers informed of your different actions.
Your organisation should also be careful to provide clear information on any further processing to the data subjects on the same topic. If this further processing is not based on the consent of the data subject, you must run the GDPR’s compatibility test.
3) Determine the processing activities and update your record of processing activities:
As with the purpose of data processing, you must be transparent about your processing activities. The required level of detail depends among other things on the type of data subjects (children, professionals, experts, etc.), the way personal data are processed and the degree of intrusion into their right to privacy during the processing. The more intrusive the processing, the more detailed and transparent you need to be.
Examples of processing activities include: using the messaging service of a social network to send messages for personalised birthday offers to your customers; using e-mail addresses to send customers information on your different actions or a newsletter; etc.
4) Identify the personal data you need:
Adhere to the principle of data minimisation. Review the personal data and categories of personal data you have at your disposal, taking into account the adequacy, relevance, limitations and purpose of the processing that you intend to carry out.
Take control of and manage your data (privacy by design and privacy by default). Make sure that you do not collect more data than necessary and guarantee the quality of the data you have. If you properly manage your databases, you will be able to quickly identify data that have become obsolete or can no longer be processed.
5) Check the legal basis:
Processing personal data is only allowed if it is based on one of the six legal bases provided for in the GDPR. You cannot process data without a legal basis. Be aware that certain specific legislation requires you to use one legal basis to regulate a certain type of processing (e.g. the e-Privacy Directive requires consent of the data subjects).
6) Be transparent:
When to be transparent? The DPA states that when you collect data directly from the data subject, you must provide the information at the time the data are obtained. Where the data are not obtained directly from the data subject, you must provide the information within one month from receipt of the data and at the first communication with the data subject.
For more information, feel free to contact your local CMS experts: Thomas Dubuisson or Tom De Cordier.