datenrecht.ch

Belgium: Recommendation on the processing of personal data for direct marketing purposes

The Belgian regulator has published, in a document dated January 2020, recommendations on the processing of personal data for direct marketing purposes. The recommendations provide guidance on how to comply with the GDPR when processing data for direct marketing purposes.

The recommendations are quite extensive (almost 80 pages, containing various examples and further references). Among other things, the following points are noteworthy on cursory perusal:

    • Pure service notifications, such as the confirmation of an order, are not direct marketing (unless this is also associated with an advertising message). Also not included are market research or a satisfaction survey, provided that the relevant communications serve this purpose exclusively and no personal data is collected in the process that also serves advertising purposes.
    • If several group companies set up a joint direct marketing platform and agree on the essential parameters of data processing (e.g., the categories of personal data collected), this would make them jointly responsible (joint controllers).
    • When determining the purpose, "direct marketing" alone is not enough (the Austrian BVwG also sees it this way). Examples of corresponding purposes are the following:
      • inform your customers about your new products or services;
      • establish the profile of your customers;
      • allow third parties to use your customers' data to establish voter profiles;
      • offer personalised offers for your customers' birthdays;
      • keep your customers informed of your various campaigns;
      • promote your brand image to the general public;
      • invite your customers or prospects to events (to promote your organization);
      • send your customers targeted offers likely to match their interests;
      • canvass new customers, subscribers or affiliates.
    • It is not possible to change the basis for processing in the course of the data processing. If data processing is based on consent, this processing must be stopped if consent is revoked.
    • It is not possible to base data processing on more than one legal basis.
    • (This view is not necessarily surprising and is not an isolated one. However, it is in clear contradiction to Art. 6 (1) GDPR ("Processing is lawful only if at least one of the following conditions is met: […]") and to Art. 17(1)(b) of the GDPR (obligation to erase: "The data subject revokes his consent […] and there is no other legal basis for the processing").)
    • With reference to Art. 6 (1) lit. f GDPR, the authority does not exclude reliance on legitimate interest for direct marketing. In the necessary balancing of interests, however, it should be noted that the person responsible for processing for direct marketing cannot refer to a corresponding interest of the data subject himself.
    • Furthermore, the authority points to special legal consent requirements (as in Switzerland according to Art. 3 para. 1 lit. o UWG).
    • The authority further points to different forms of profiling, in particular profiling in the context of an automated individual decision. This would be the case, for example, if a company transmits classifications of data subjects to an insurance company based on profiling and the insurance company subsequently transmits certain offers only to persons in certain categories (or the same offers to different categories at different conditions).
    • Further explanations relate to the involvement of processors, which is very common in direct marketing. In this context, the authority points out that the same company may act both as a controller and as a processor (which will often be the case, for example, with intra-group service companies).
    • Furthermore, the authority points out that the data subject must be informed about the possibility of transferring personal data to third parties, e.g. in the case of intra-group data transfers or transfers to an outside party in the case of corporate transactions. In the event of a merger, it is the responsibility of the party that obtains access to personal data in the course of the merger to inform the persons concerned.
