On 30 January 2013, the Privacy Commission issued its updated recommendation on direct marketing (its first recommendation was dated 14 October 2009). This is a result of the flood of complaints, which the Commission has received over the past years in relation to direct marketing. This type of marketing usually occurs in the most diverse forms, such as post, fax, e-mail, phone, SMS, etc. In this updated recommendation, the Commission lays down certain rules and guidelines for companies including personal data brokers, and also for consumers that are targets of direct marketing campaigns. The recommendation describes step-by-step how direct marketing should be performed in order to respect the Data Protection Act (DPA). Currently, most direct marketeers violate the DPA, even though the Act applies to anyone and any company that processes personal data for the purpose of direct marketing.
Besides the DPA, the E-Commerce Act of 11 March 2003, the Act of 10 July 2012 pertaining to various provisions regarding electronic communications, and the Market Practices and Consumer Protection Act of 6 April 2010 all need to be taken into account. These Acts prevail over other existing deontological codes such as those of the Belgian Direct Marketing Association.
The Commission states that, among other things, if a company intends to use personal data of minors, it first needs to obtain the consent of the legal representative of the minor. Furthermore, it highlights that companies that sell personal data contained in databases for direct marketing purposes or that conduct viral marketing (i.e., encouraging consumers to provide to the marketing company the data of their friends and relatives via e-mail) need to obtain the explicit and unambiguous consent of the data subject to do so. There are, however, less strict rules for companies that already target their direct marketing campaigns to existing clients or persons who name themselves as prospects. Companies also need to comply with the data subject’s rights to access, rectify, and (as the case may be) oppose the processing of their data.
The Commission further emphasises (i) that all companies must in principle file a notification to the Commission for direct marketing purposes, and (ii) that they may not store personal data for such purposes indefinitely.
Also, companies need to comply with their information obligation. To facilitate the companies to do this, the Privacy Commission gives an example of a concise privacy statement that companies can use to inform the data subject about the processing of their data. (NRO)
The recommendation can be found on http://www.privacycommission.be