Direct marketing. It seems a difficult concept under the GDPR. However, it does not have to be that way. Direct marketing is useful, and even possible, while you are still in compliance. As long as you, as an entrepreneur and marketeer, are willing to leave behind the obvious “I do what I want”, and above all consider the perspective of the data subject.
The SNCB has also experienced this. In a recent decision, the Data Protection Authority put a stop to the slick marketing talk about general interest and quirks like the execution of an agreement. On top of that, a fine was imposed.
Direct marketing? So what?
We then repeated it some months later in connection with the first fine imposed by the DPA for a violation of the rules on direct marketing. Here, it was made immediately clear that one cannot simply invoke the legitimate interest to engage in direct marketing.
We then repeated it in our advice to the many clients who came to us. A year later in 2021, we summarised it again in our series of dJ Talks.
It often leads to heated discussions with marketeers and entrepreneurs. As much as we try to think along with them, they often do not seem convinced of the necessity to temper their commercial explorations, which they have been able to indulge in unrestrictedly for years. Now too, with this condemnation for the SNCB and a very clear position from the DPA, the surprise will once again be considerable.
So we’ll have to keep knocking on the same nail for a while…
The SNCB “newsletter”: news or advertising?
What has the SNCB done wrong, that they have incurred the wrath of the DPA?
In 2020, the SNCB sends an email to all travellers who use the Hello Belgium Railpass. The railpass itself was an initiative of the federal government to offer a series of free train rides during the corona crisis.
It is evident that the SNCB is responsible for the implementation of this railpass. At the time of application, the name and email address of the applicants were collected and processed in order to guarantee the granting of the railpass.
But for the SNCB, the story did not end there. Applicants for the railpass later received a newsletter by email as well. And apparently that doesn’t go down well …
The aim of the newsletter is to make railpass users aware of the correct use and risks of travelling by train, ensuring a good spread of travellers, for example by diversifying destinations to avoid crowds.
The email communication in question also mentions “more than 500 destinations in Belgium”, which are enthusiastically recommended.
No processing without legal grounds
Let us agree on that? A basic principle for authorised processing of personal data is that there must be a legal ground. And these are exhaustively listed in the GDPR.
Execution of the Agreement
SNCB invokes “the execution of a contract” to send the email. For the fans, this is art. 6.1 (b) of the GDPR.
This legal ground is undoubtedly correct with regard to the assignment of the rail pass as such. But does it also apply to email communication afterwards?
The DPA has a different opinion. After all, the newsletter is much broader than the practical implementation of assigning the railpass. After all, it is about promoting various tourist destinations for the passengers.
In so far as SNCB wanted to communicate the message that large crowds in popular stations could also entail a health risk, it would have been sufficient to communicate this message as such.
On the contrary The SNCB preferred to send a mailing promoting tourist destinations, which can be visited by using the railpass, but also through other formulas offered by the SNCB….
The DPA considers therefore that the sending of these emails is not at all necessary in performance of the execution of the agreement between the railpass applicants and SNCB.
It is especially interesting to mention that the emails in question are not limited to raising awareness of the precarious health situation, but in more general terms, include promotion of interesting destinations provided by SNCB.
The analysis goes even further: the DPA is making an effort on its own to see if otherlegal grounds could be invoked to justify such mailings.
More specifically, it looks at the execution in the context of the public tasks of the SNCB, which would lead to a legal obligation. This argument also fails, as it can at most be linked to the provision of the Railpass as such.
There is no indication that SNCB should also make other announcements to the users of the Railpass.
A popular catch-all is the legitimate interest It is to the DPA’s credit that it has also considered this. Although the exercise is not that difficult. After all, the test has to withstand three elements: 1) the purpose test, 2) the necessity test, and 3) the balancing test.
It is clear that the essence of the emails in question was related to promoting the use of the Railpass. The users were made to feel encouraged to travel. The SNCB was therefore pursuing a commercial interest. Of course, there is nothing wrong with that.
But was it all necessary? Not at all, according to the DPA. The SNCB could have promoted its services through other channels, and therefore did not need to send a mailing to the applicants of the Railpass…
This brings us to the final element, the balancing test. The DPA believes that the applicant for a Railpass could by no means expect to be confronted afterwards with processing that clearly goes beyond the assignment of the Railpass as such.
Incorrect direct marketing
What is more, SNCB clearly does not have a valid legal ground, and moreover, it is indulging in an unauthorised form of direct marketing.
The email in question is not at all limited to bringing to the attention of the public the health risks that might arise from the massive public use of transport to the same destinations during a pandemic.
On the contrary, the email also promotes a wide range of destinations that can be visited by train – whether or not by using the Railpass.
SNCB’s argument that it was not promoting anything at all, and that it was therefore not about direct marketing, does not make sense. Even though there is no legal definition of direct marketing, the DPA already clarified its interpretation in 2020:
“Any communication in any form, solicited or unsolicited, from an organisation or person and aimed at the promotion or sale of services, products (whether or not for payment), as well as brands or ideas, addressed by an organisation or person acting in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and which involves the processing of personal data”. ‘Direct marketing’ therefore includes various forms of promotion, such as newsletters by e-mail, commercial telephone calls or text messages or e-mails, or online advertising, whether or not in a commercial context.”
The fact that SNCB did not want to sell anything directly in this communication is therefore completely irrelevant.
It is, however, all the more important for all entrepreneurs who want to draw attention to their “added value” without immediately wanting to sell something! After all, this is also direct marketing!
Direct marketing requires consent, and the right to object
It is clear that SNCB did not have the required permission to send such emails, which at least had a promotional function.
To the extent, therefore, that it is about direct marketing, it turns out that the data subject could not so easily exercise the right to object at all. After all, there was no mention of it!
It seems like a detail, but it is an essential part of the protection mechanism within the GDPR: the data subject has, in addition to the classic rights of access, rectification and deletion, a separate right of objection. For this, a single click should suffice.
So even if the data subject should never have received the email in the first place, SNCB made things worse by not facilitating the right to object.
Direct marketing is not limited to promoting the sale of products or services.
Many other types of communication also fall under this catch-all term. It is always important to have the correct legal ground. If this is the execution of an agreement, it will be interpreted very restrictively. If, on the other hand, it is consent, then this must be free, informed, active and purpose-related.
The perspective of the data subject is thus the most important, notthe perspective of the company.
As a partner in this delicate exercise, you can always call on our experts at firstname.lastname@example.org.
Written by Kris Seyen, Partner deJuristen