When, as a company, you set up a marketing campaign, you not only have to send the right message to the right person at the right time. You will also have to do this in the right way! Wherever personal data are involved, the GDPR comes into play. Direct marketing as such is certainly not forbidden in GDPR country, but you have to think about a few things. In this blog we explain how best to approach direct marketing. But first: what exactly is “direct marketing”?
Step 1 Ask yourself the question: “Am I doing direct marketing?”
Direct marketing is interpreted very broadly. Direct marketing is:
- Any communication, solicited or unsolicited;
- Aimed at promoting an organisation or a person, services, products, both paid and free, as well as brands or ideas;
- Issued by an organisation (of any type) or a person;
- Aimed at natural persons(one or more) who are identified or identifiable.
The form in which the communication takes place is not important. It therefore makes no difference whether the communication takes place by e-mail, post, telephone call, text message, door-to-door visit, a social media account, etc.
This must be interpreted very broadly! The communication does not necessarily have to have a direct commercial or lucrative purpose (e.g. advertising certain goods or services). If you want to use the message to get people excited about a public company event, or to send people tips for a healthier lifestyle, then you could end up in the realm of direct marketing.
Starting from an organisation (whatever the type) or person
This is also open to broad interpretation. The communication may come from an organisation or person within the commercial sector or outside the commercial sector. Non-profit organisations or political parties therefore do not escape this criterion.
Aimed at identified or identifiable persons
Actually, the main consideration is: “Are personal data processed in the communication?
What is NOT direct marketing?
- Communication whereby the initiative lies solely with the person concerned:
A potential customer requests more information about a certain service you offer via the form on your website. You then send the requested information to the specified e-mail address. This is not direct marketing!
Be careful here! Once a data subject shows initiative, this is not simply a licence to send them newsletters, advertising or other forms of direct marketing!
- A marketing message that does not involve any processing of personal data:
You place advertising on your company’s website. This advertising appears to every visitor to your website. This is not direct marketing!
You advertise (in any way you can) in which you needed personal data beforehand in order to reach the target audience for that advertisement. This is direct marketing!
- If people are contacted for market research, polls or satisfaction surveys, provided the contact is solely for that purpose:
After finishing a large project with a customer, you ask this customer via e-mail to answer some questions about how the cooperation went. This is not direct marketing!
In the meantime, you add a passage in the same e-mail recommending another service that you think the customer might be interested in. Handy, right? However, this is direct marketing!
- If the message is only conveyed for private purposes:
You send wedding invitations to your friends and family. You even provide a database to keep track of attendance. This is not direct marketing!
- Communications by government agencies in the light of their legal obligations or their public service duties:
The government conducts public health vaccination campaigns under Covid-19. This is not direct marketing!
What if you, as a company, send the same offer of a product or service via e-mail to everyone in your customer base, without making a selection?
To speak of direct marketing, it does not matter in itself whether you make a conscious selection to determine the target audience of your message.
The decisive question here is: does the message involve the processing of personal data? For sending e-mails, you will in any case need e-mail addresses. Consequently you have to check whether these e-mail addresses are personal data.
Do they lead to an individual person? Then they are personal data and we are talking about direct marketing! Do they only lead to a legal person (e.g. firstname.lastname@example.org)? No personal data and therefore no direct marketing!
What if a non-profit association fighting pollution sends a newsletter to its members informing them of actions taken for this purpose in neighbouring countries? Is this a form of direct marketing?
The message of the communication assumes that you want to promote something. However, it is not necessary to have a commercial or profitable objective in mind in order to speak of promotion. The fact that members were contacted in this example implies that contact details were needed to get the message across. In order to speak of direct marketing, one will again have to verify whether those contact details constitute personal data.
Step 2. Ensure transparency
Provide information to data subjects
Data subjects should know that their personal data are being processed. They should also know for what purposes they are being processed. You should therefore be transparent about the fact that you process their personal data for direct marketing purposes.
You will therefore have to clearly inform those involved in one way or another. And more specifically, before you start direct marketing. The form in which you do this is not important according to the GDPR, but a privacy statement is an excellent way!
Best describe the direct marketing purposes as specifically as possible. The use of the words “We process your data for direct marketing purposes” will not suffice for the GBA. After all, the data subjects will not be able to understand sufficiently what is meant by it.
Some examples of clearly defined direct marketing purposes:
“informing customers about new products or services”
“Making personalised offers for customers’ birthdays”
“keeping customers informed about various promotions”
“Promote our brand image to the general public”
“Invite customers to events”
“Recruit new customers, subscribers or members”
Transparent processing register
If the GDPR requires you to keep a processing register, don’t forget to keep it up-to-date. Under the processing purposes you will have to include direct marketing purposes as accurately as possible.
Being transparent in a privacy statement does not give you permission!
Watch out! Just because you are transparent in your privacy statement does not mean you automatically have a legal basis for direct marketing. Not even if you ask for permission with that privacy statement (which, by the way, is not required at all).
Step 3. Check whether you have a legal basis
Because you are processing personal data in direct marketing, under the GDPR you must always have an appropriate legal basis for doing so.
If you have used ‘sensitive’ personal data for your marketing campaign, you will need to check whether you can rely on one of the legal exceptions.
In most cases, however, this will involve ‘normal’ personal data. In that case, you should check whether you can rely on one of these 6 grounds for processing:
- Necessary to fulfil a contractual obligation?
- Is it necessary in order to comply with a legal obligation?
- Necessary to protect the vital interests of the data subject?
- Necessary for a task carried out in the public interest?
- Necessary for a legitimate interestof you or your organisation?
- Has consent been given?
Usually, you will not be able to fall back on the first four grounds for direct marketing. Moreover, if you are doing direct marketing for commercial purposes, then the justified interest will not offer a solution either. After all, this ground for processing requires you to weigh up your interests against the fundamental rights and freedoms of those involved. However, the GBA considers a commercial purpose to be subordinate to personal rights and freedoms.
Organisations can, however, invoke the legitimate interest of their existing customers, with whom they already have a relationship. To these customers, they may send direct marketing messages to promote similar products or services that the customer has purchased in the past.
Attention: When sending the direct marketing message, you will always have to inform the persons concerned about their right to object in case they do not want to receive any more direct marketing. You can do this for instance by always sending an objection form or by including a link to unsubscribe.
In most cases, therefore, consent will be the best method to act correctly according to the GDPR. This means that you have obtained an explicit, informed and free consent from the data subject to receive direct marketing messages.
A question we often get: are you allowed to contact potential customers to offer your services using the data you have collected from them via the Crossroads Bank for Enterprises (Kruispuntbank van Ondernemingen, KBO)?
Here, only permission is a possible ground for processing. However, it is not because data is publicly accessible (whether it comes from the CBE or elsewhere) that you can just use it for direct marketing.
The GDPR applies just as much to publicly disclosed personal data. So you also need a valid legal basis.
So was there no consent when they disclosed those personal data? No! A valid consent is indeed purpose-related. You will therefore have to check whether they have given permission to be subjected to direct marketing in this way. In the context of the KBO, for example, that is not the case!
A possible alternative in this case could be to only contact companies via contact data that cannot be traced back to an individual. Watch out for sole traders, freelancers and professionals such as doctors. The data that you find here will often carry the name of the person himself and will therefore be qualified as personal data!
If you have not used personal data to address the message, make sure that you do not process personal data in the message itself either.
You call upon a marketing agency to improve your marketing campaigns. This agency provides you with additional personal data that you did not have at your disposal. What do you do now?
As the person responsible for processing you, you must ensure that the personal data were collected by the marketing agency in a lawful and fair manner. So be sure to check whether the marketing agency has the right legal basis!
It depends on how you look at it
Having to comply with all these rules to be able to reach people and attract them to your services or goods, many find it a difficult threshold.
You can also look at it from a different angle: it is an opportunity to build a relationship of trust with your customers, members, subscribers, voters or potential candidates. You create that by transparently communicating how you process their personal data and showing that you respect their right to data protection. In fact, you can see it as a way to positively distinguish your company from others.
The broad interpretation confirms that there are many initiatives that will be considered as direct marketing. The big impact: although it is allowed in principle, it will not always be that simple in practice!
If personal data are processed in your marketing strategy, please be transparent and make sure you have the right legal basis.
If you have any questions about this, you can always contact us at email@example.com.
Written by Larissa De Keyser , Trainee theJurists, and Kris Seyen, Partner theJurists