October 26, 2020

Volume X, Number 300


October 23, 2020

Subscribe to Latest Legal News and Analysis

Belgian Data Protection Authority Imposes Fine on Non-Profit Organization for Unlawful Direct Marketing Practices

On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.

In its decision, the Litigation Chamber confirmed that unsolicited postal communications sent by non-profit organizations for promoting their services and fundraising qualify as “direct marketing” under the GDPR. According to the Belgian DPA’s Litigation Chamber, the non-profit organization’s processing of the complainant’s data for direct marketing purposes in the case at hand was in breach of the GDPR, as the organization did not:

  • immediately stop the processing of the complainant’s data for direct marketing purposes after he had exercised his right to object under Article 21(2) of the GDPR and his right to be forgotten under Article 17(1)(c) of the GDPR, but instead continued the processing for (at least) five months after the individual’s request and three months after being notified of the complaint submitted to the Belgian DPA in this respect;
  • have a valid legal basis for processing the complainant’s personal data for direct marketing purposes. Instead of obtaining consent, the non-profit organization relied on the legitimate interest ground set forth in Article 6(1)(f) of the GDPR to legitimize the processing of the former donor’s contact details for sending communications aimed at raising more funds and promoting its services. The Litigation Chamber, however, took the view that the legitimate interests pursued by the non-profit organization were overridden by the rights and freedoms of the concerned individual as:
    • it is questionable whether individuals could reasonably expect that their data would be processed for direct marketing purposes for a period of more than seven years after making a donation; and
    • the non-profit organization did not implement sufficient additional safeguards to mitigate the impact of the data processing on the individuals. In particular, the Litigation Chamber indicated that the non-profit organization did not provide a real and effective right to object, which is essential when relying on the legitimate interest ground. In this respect, the Litigation Chamber further emphasized that individuals should be clearly informed about their right to object, using plain and unambiguous language, in the first and every subsequent marketing communication. According to the Litigation Chamber, merely referring to the right to object in the privacy policy is not sufficient.

In light of the above, the Litigation Chamber decided to order the non-profit organization to honor the complainant’s request to erase his personal data and to impose an administrative fine of €1,000.

The decision can still be appealed at the Market Court.

Read the Belgian DPA’s decision (in Dutch).

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 156



About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct