On March 10, 2025, the Belgian Data Protection Authority (BDPA) updated its 2020 guidance on the processing of personal data for direct marketing purposes (see the updated guidance here in French and in Dutch). The BDPA reviewed its original guidance to help companies from all sectors navigate applicable EU privacy and data protection law requirements in view of recent technological and legal developments.
What’s New?
The BDPA’s 2025 guidance provides new definitions and specifies how GDPR obligations apply to companies participating in complex direct marketing schemes. Below is a summary of the key changes:
- In 2020, the BDPA proposed a definition of the concept of “direct marketing”, in the absence of such a definition in the GDPR and local laws. Five years later, the authority has enacted an even broader interpretation, which now encompasses all the activities undertaken to communicate solicited or unsolicited promotional messages (including prior preparatory processing steps such as profiling before sending targeted advertising messages). This is irrespective of the technical means used (e.g., postal services, microtargeting, or “Real Time Bidding” operations) or whether the communication is addressed to a person in a private or professional capacity. The BDPA clarifies that the identity of the person/entity whose services, goods, or activities are being promoted is irrelevant to determine whether an operation should be considered as “direct marketing.” This means that parties facilitating a marketing operation without promoting their own goods will also bear their share of responsibility from a privacy and data protection standpoint (e.g., data brokers that supply personal data to other companies so that they can send targeted advertising to specific individuals).
- Mixed content—which includes the promotion of products, services, ideas, branding, events, and informational content—falls under the umbrella of “direct marketing.” However, market studies, surveys, and satisfaction polls, when not accompanied by promotional or mixed content, are not considered “direct marketing” communications.
- EU privacy and data protection law requirements apply based on the roles of the parties involved in direct marketing operations. The BDPA provides clear guidance, bolstered by significant recent case law which aims to help companies determine their GDPR roles and obligations. The BDPA emphasizes the potential for certain parties to act as joint controllers for specific processing purposes, even when these parties are not simultaneously involved in the processing of personal data for direct marketing purposes.
- It is essential for controllers that run direct marketing operations to provide sufficient details to individuals on how their personal data will be used (i.e., which categories of personal data will be used, how direct marketing communications will be addressed, where and for how long personal data will be stored, whether personal data will be further used for other purposes, etc.). The BDPA explicitly states that describing a processing purpose in a Privacy Policy by simply mentioning “direct marketing” is not sufficient.
- The BDPA clarifies the rules that apply to the further processing of personal data (e.g., re-using email addresses to inform former customers of new products or services). The authority reminds controllers that they must perform “compatibility assessments” to determine whether further use of personal data can take place in accordance with GDPR requirements. These assessments require controllers to examine the possible consequences of the intended further processing for individuals and whether appropriate safeguards (such as encryption or pseudonymization) should be implemented to protect individuals’ privacy.
- Personal data can only be kept for limited periods of time. The BDPA emphasizes that when it comes to direct marketing, the nature of the relationship between the controller and the targeted individuals, or the product’s or service’s planned obsolescence, must be taken into account when determining data retention periods. For example, direct marketing communications for cars can be expected to rely on longer personal data retention periods than chocolates that are consumed quickly.
- The BDPA provides clear guidance on GDPR legal bases that controllers can rely on to justify processing personal data for direct marketing. The BDPA emphasizes that the use of electronic communication methods or sensitive personal data (such as political opinions, health-related data, or philosophical beliefs) will trigger the applicability of complementary EU and local laws that restrict the choice of legal basis (e.g., the ePrivacy Directive or local GDPR transposition laws). The BDPA also confidently outlines the limitations of the “consent” legal basis. This includes situations where consent is not sufficiently granular, where it is obtained from minors, where it is used to fulfil a contract (e.g., where there is an obligation to accept targeted advertising to access a service), or where it is used by controllers that exert an unbalanced influence on individuals. The BDPA further confirms that the “legitimate interest” legal basis can also be used to justify direct marketing operations (including to prospect new customers), provided controllers can pass the purpose, necessity, and balancing tests of a “legitimate interest assessment” that must be performed under the GDPR.
- Controllers are only allowed to process personal data in a transparent manner. This means that they are required to provide detailed information to targeted individuals about the processing of their personal data. The GDPR exempts controllers from this transparency obligation in two specific situations: a) if they have not obtained personal data directly from individuals, or b) if the provision of such information proves impossible or would require disproportionate effort. However, the BDPA emphasizes that this exception applies in exceptional circumstances only.
- Individuals whose personal data is processed to send them direct marketing communications have significant privacy and data protection rights. The BDPA’s 2025 guidance illustrates with concrete examples how individuals can exercise these rights and how companies must handle them. The BDPA explains, for instance, how the rights of restriction of processing and erasure apply when personal data is processed for direct marketing purposes, triggering the obligation for controllers to notify all recipients of erasure requests (e.g., to other participants in a direct marketing scheme).
- The BPDA emphasizes the “accountability” obligations of controllers, who must implement appropriate technical and organizational measures to ensure compliance with GDPR requirements. Controllers relying on personal data sets provided by data brokers cannot contractually exempt themselves from their obligations by claiming they did not obtain the data directly from individuals.
Takeaways
The BDPA’s new guidance is relevant to any company that conducts marketing operations in the EU. They should assess whether their activities could be viewed as “direct marketing” and, if so, whether they should implement specific measures to ensure compliance with applicable requirements. In addition, direct marketing activities may be subject to complementary laws and regulations at EU Member State level (e.g., consumer protection laws). These should also be considered before launching an advertising campaign that involves the processing of individuals’ personal data for direct marketing purposes.
