The Belgian regulator, in a document dated January 2020 Recommendations on the processing of personal data for direct marketing purposes published. The recommendations provide guidance on how to comply with the GDPR when processing data for direct marketing purposes.
The recommendations are quite extensive (almost 80 pages, containing various examples and further references). Among other things, the following notes are noteworthy on cursory perusal:
-
- No direct marketing are pure Service bulletins such as the confirmation of an order (unless this is also associated with an advertising message). Also not included are Market research or a Satisfaction surveyprovided that the relevant communications serve this purpose exclusively and no personal data is collected in the process that also serves advertising purposes.
- If several group companies set up a joint direct marketing platform and agree on the essential parameters of data processing (e.g., the categories of personal data collected), this would involve jointly responsible.
- At the Determination of the purpose direct marketing” is not enough (which is also the Austrian BVwG sees it this way). Examples of corresponding purposes are the following:
- informer vos clients quant à vos nouveaux produits ou services;
- établir le profil de vos clients ;
- permettre à des tiers d’utiliser les données de vos clients pour établir des profils d’électeurs ;
- proposer des offres personnalisées pour l’anniversaire de vos clients ;
- tenir informé vos clients de vos différentes actions ;
- faire la promotion de votre image de marque envers le grand public;
- inviter vos clients ou prospects à des évènements (pour la promotion de votre organization) ;
- communiquer à vos clients des offres ciblées susceptibles de rencontrer leurs intérêts ;
- démarcher de nouveaux clients, abonnés ou affiliés.
- It is not possible in the course of the data processing to Change processing basis. if data processing is based on consent, this processing must be stopped if consent is revoked.
- It is not possible to perform data processing on more than a legal basis support.
- (This view is not necessarily surprising and is not alone. However, it is in clear contradiction to Art. 6 (1) DSGVO (“Processing is lawful only if at least one of the following conditions is met: […]”) and to Art. 17(1)(b) of the GDPR (obligation to erase: “The data subject revokes his consent […] and lack of any other legal basis for processing”).
- With reference to Art. 6 (1) lit. f DSGVO, the authority excludes an appeal to the legitimate interest for direct marketing is not sufficient. In the necessary balancing of interests, however, it should be noted that the person responsible for processing for direct marketing cannot refer to a corresponding interest of the data subject himself.
- Furthermore, the authority points out that. Special legal consent requirement (as in Switzerland according to Art. 3 para. 1 lit. o UWG).
- The authority further points to different forms of profiling, in particular profiling in the context of a automated individual decision. This would be the case, for example, if a company transmits classifications of data subjects to an insurance company based on profiling and the insurance company subsequently transmits certain offers only to persons in certain categories (or the same offers to different categories at different conditions).
- Further explanations relate to the very common direct marketing Involvement of processors, because the Authority points out that the same company may act both as a controller and as a processor (which will often be the case, for example, with intra-group service companies).
- Furthermore, the authority points out that the data subject must be informed about the possibility of transferring personal data to third parties, e.g. in the case of intra-group data transfers or an outsider in the case of Corporate transactions. In the event of a merger, it is the responsibility of the party that obtains access to personal data in the course of the merger to inform the persons concerned.