Your marketing strategy must comply with the applicable rules of the General Data Protection Regulation (GDPR). Please note that even an automated response to a request may qualify as direct marketing if it invites someone to visit your website to view the latest products or services!

Definition of direct marketing

That is in fact how broadly the BDPA interprets the concept of direct marketing. More precisely, the BDPA gives the following definition of direct marketing:

“Any communication, in whatever form, solicited or unsolicited, originating from an organisation or individual and which is aimed at the promotion or sale of services, products (whether in return for payment or free of charge), as well as brands or ideas, addressed by an organisation or individual acting in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and which involves the processing of personal data”.

The full recommendation is approximately 80 pages long and contains extensive information and considerations that organisations should take into account when conducting or commissioning a direct marketing activity. Topics such as the roles in direct marketing (controller, processor, joint controller) and the legitimacy grounds under the GDPR (such as consent, legitimate interests, etc.) are covered.

In particular, the recommendation includes the following topics:

  • Definition of direct marketing (what does and does not fall under direct marketing);
  • The roles of organisations in direct marketing (when is the organisation a controller, processor or joint controller?);
  • Processing purposes (the BDPA gives examples of applicable purposes and gives tips on how your organisation can best inform the data subject about them);
  • Processing operations (the BDPA provides examples of applicable processing operations);
  • Identifying personal data that are necessary for the pursuit of your purposes (recommendations regarding the identification of personal data, information on data minimisation and control of your data management);
  • Legal grounds for direct marketing activities (information on which legal grounds you can invoke);
  • Transparency (information on how best to inform those concerned about direct marketing activities).

For the complete document we refer you to the website of the BDPA (Dutch or French only):


It appears that the BDPA has opted for a far-reaching interpretation of the GDPR and, with this recommendation, introduces new requirements regarding the content and functionality of privacy statements, marketing e-mails, and cookie banners and statements.

This means that most organisations now have to revisit their marketing campaigns.

Unfortunately, we cannot promise that this will be the last time the BDPA will make a statement on direct marketing, because direct marketing is one of the action priorities in the strategic plan 2020-2025.

We therefore recommend that you critically consider how far your organisation wants to go in implementing these new requirements resulting from the BDPA’s recommendation. As a sparring partner in this exercise, you can always contact us at

Written by: Duygu Öztürk, Legal Adviser & Data Protection Agent deJuristen, and Kris Seyen, Partner deJuristen