Belgian Data Protection Authority Imposes Fine on Non-Profit Organization for Unlawful Direct Marketing Practices

On May 29, 2020, the Litigation Chamber of the Belgian Data Protection Authority (the “Belgian DPA”) imposed a fine of €1,000 on a non-profit organization. The decision followed a complaint filed by an individual who continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing purposes and had requested that the organization erase his data from its database.

In its decision, the Litigation Chamber confirmed that unsolicited postal communications sent by non-profit organizations for promoting their services and fundraising qualify as “direct marketing” under the GDPR. According to the Belgian DPA’s Litigation Chamber, the non-profit organization’s processing of the complainant’s data for direct marketing purposes in the case at hand was in breach of the GDPR, as the organization did not:

  • immediately stop the processing of the complainant’s data for direct marketing purposes after he had exercised his right to object under Article 21(2) of the GDPR and his right to be forgotten under Article 17(1)(c) of the GDPR, but instead continued the processing for (at least) five months after the individual’s request and three months after being notified of the complaint submitted to the Belgian DPA in this respect;
  • have a valid legal basis for processing the complainant’s personal data for direct marketing purposes. Instead of obtaining consent, the non-profit organization relied on the legitimate interest ground set forth in Article 6(1)(f) of the GDPR to legitimize the processing of the former donor’s contact details for sending communications aimed at raising more funds and promoting its services. The Litigation Chamber, however, took the view that the legitimate interests pursued by the non-profit organization were overridden by the rights and freedoms of the concerned individual as:
    • it is questionable whether individuals could reasonably expect that their data would be processed for direct marketing purposes for a period of more than seven years after making a donation; and
    • the non-profit organization did not implement sufficient additional safeguards to mitigate the impact of the data processing on the individuals. In particular, the Litigation Chamber indicated that the non-profit organization did not provide a real and effective right to object, which is essential when relying on the legitimate interest ground. In this respect, the Litigation Chamber further emphasized that individuals should be clearly informed about their right to object, using plain and unambiguous language, in the first and every subsequent marketing communication. According to the Litigation Chamber, merely referring to the right to object in the privacy policy is not sufficient.

In light of the above, the Litigation Chamber decided to order the non-profit organization to honor the complainant’s request to erase his personal data and to impose an administrative fine of €1,000.

The decision can still be appealed at the Market Court.

Read the Belgian DPA’s decision (in Dutch).
