The Belgian Data Protection Authority (DPA) has recently updated its Guidelines on Direct Marketing (the Guidelines) - originally published in 2020 - to account for evolving legal interpretations, case law, and industry practices.
Accompanied by a practical checklist, the Guidelines are open for consultation until 10 May 2025, providing businesses with an opportunity to comment on the DPA's notably stricter interpretations.
Key points
Expanded definition of direct marketing
The updated Guidelines take regulatory and industry developments into account to broaden their definition of direct marketing. The definition is now explicitly intended to include:
- Preparatory data-processing activities, such as audience profiling, segmentation, and automated decision-making (such as dynamic pricing algorithms). For example, an e-commerce platform analysing user behaviour to adjust prices in real time would now be considered direct marketing, even if no final promotional communication is sent.
- Mixed-content communications: any communication combining informational and promotional content - such as a customer service email subtly promoting a premium subscription or a newsletter highlighting paid features - would be considered direct marketing.
Retention periods
The DPA notes that organisations still struggle to apply the principle of proportionality when setting personal data retention periods. It emphasises that retention periods must be evaluated individually and based on concrete, context-specific factors.
The DPA shares two overlooked factors that should, in its view, influence an appropriate retention period: the nature of the relationship between the data controller and the data subject, and the life cycle of the product or service originally purchased by the data subject.
- Nature of the relationship: if a data subject is a long-term client who regularly interacts with the business of the data controller, a longer retention period may be justifiable, as commercial communications from the data controller are more likely to be of interest to the data subject. However, if they are a one-time purchaser or merely a prospect, retention should generally be shorter. The DPA explicitly states that prospect data should not be retained as long as customer data, reinforcing the principle that weaker relationships warrant shorter retention periods.
- Life cycle of the product or service: the life cycle of a product or service also plays a role in defining retention limits. For example, marketing communications regarding cars and related services may remain relevant for a longer period compared to those concerning short-lifespan consumer goods. Data controllers must factor in product longevity when determining data retention policies.
Legitimate interest
The updated Guidelines reaffirm that legitimate interest remains a potentially valid legal basis for direct marketing, as recently recognised by the CJEU.
- Reasonable expectations: the DPA states that data subjects’ reasonable expectations of the processing are a key factor in determining whether the conditions for legitimate interest are met. It then notes that individuals generally do not expect marketing from organisations with which they have had no prior relationship. Consequently, pure ‘cold outreach’ is generally not justifiable under legitimate interest - and may therefore be prohibited in practice, as other legal bases are also unlikely to apply.
- Contextual exceptions: data subjects’ expectations can vary depending on previous interactions. For example, if a prospect contacts a business for information or a quote, they may reasonably anticipate subsequent marketing communications, depending on the information provided at the moment of data collection.
- Documentation via LIA: data controllers must conduct rigorous legitimate interest assessments (LIAs) to demonstrate that their interests outweigh the data subjects’ rights and freedoms. This is particularly true in cases involving minimal prior engagement.
Emphasis on transparency
Throughout the Guidelines, the DPA insists on transparency obligations, specifically:
- Purpose specification: the DPA considers that simply indicating that the processing purpose is "direct marketing" is insufficient - organisations must specify the nature and extent of their marketing activities with sufficient detail to allow a prima facie assessment of proportionality of the processing. The DPA provides examples of purpose descriptions that meet this demanding standard.
- Data sources: the DPA also places renewed emphasis on transparency regarding personal data sources when personal data are not obtained directly from the data subject. Referencing its own case law, the DPA maintains that the obligation to inform data subjects under Article 14 GDPR extends beyond merely naming the data source. According to the DPA, controllers must provide all available information concerning the source, including the legal basis relied upon for the initial data collection, how the data was collected, and the contact details of the source, ensuring data subjects can exercise their rights directly with the original source.
Due diligence on data brokers
The DPA requires that data controllers relying on data brokers conduct thorough due diligence to ensure they are GDPR compliant. They must verify:
- the origin of the data;
- how it was obtained;
- the legal basis for collection;
- by whom and for what purposes it was collected;
- the retention periods that apply.
The DPA makes it clear that data controllers cannot simply rely on contractual assurances obtained from data brokers. Instead, they must take active steps to verify compliance, ensuring that personal data they obtain from brokers was lawfully obtained and processed under an appropriate legal basis. The inclusion of contractual clauses alone does not absolve controllers of liability in case of GDPR breaches.
Responding to data subject requests regardless of format
The DPA emphasises that data controllers must respond to Data Subject Access Requests (DSARs) even when they are incomplete or imprecisely formulated - reflecting a strict interpretation of this obligation.
The DPA's litigation chamber has enforced this principle in a recent decision (not explicitly referenced in the Guidelines). In this case, the DPA found a GDPR violation when a controller failed to respond to a DSAR that appeared as a single sentence within a multi-page email. The request was neither explicitly labelled as a DSAR nor submitted through designated channels. This suggests that businesses should adopt a broad approach to recognising and processing data subject requests.
Conclusion
With the consultation period open until 10 May 2025, data controllers should review their current practices, identify areas requiring clarification, and consider providing feedback.
Affected data controllers might wish to highlight practical concerns if they believe some aspects of the Guidelines exceed typical compliance expectations. Organisations seeking advice in adapting to or understanding these Guidelines are welcome to contact us.