Amidst the outbreak of the coronavirus (COVID-19), the Belgian Data Protection Authority ("DPA") has very recently issued guidance on a number of recurring questions. The guidance concerns preventive measures taken by companies and employers to prevent the further spread of the virus and the conditions under which personal data - and in particular health data - may be processed in this context.
Previously, the DPA had already issued extensive guidance concerning the processing of personal data for direct marketing purposes and adopted a very strict approach to cookie practices by imposing a 15,000 EUR fine on a website operating company for its negligent privacy and cookie practices.
Our Belgian Data Protection Team made the following overview to give you the highlights of each topic.
DPA issues statement on dealing with the COVID-19 health emergency
With the Coronavirus pandemic still growing every day in Belgium and across the EU, the DPA joins a range of other authorities that issued guidelines to companies on how to deal with this global health emergency.
First and foremost, the DPA stresses that the general principle that any processing of personal data requires the prior identification of an adequate legal basis among those listed in Article 6(1) of the General Data Protection Regulation (“GDPR”) continues to apply at all times. This includes the situation of companies and employers taking preventive health measures in the face of the COVID-19 pandemic.
According to the DPA, however, at this stage and based on the latest information published by the FPS Health on COVID-19, there is no reason for companies and employers to systematically rely on the legal ground contained in Article 6(1)(d) GDPR in the context of preventive measures. This is notably the legal ground of processing necessary to protect the vital interests of the data subject or of another natural person.
This applies all the more to the processing of health data, which is in principle prohibited by Article 9(1) GDPR. The DPA notes that companies and employers can only rely on the lawful ground listed in Article 9(2)(i) GDPR (processing necessary for reasons of public interest in the area of public health) for the processing of health-related data when implementing express guidelines imposed by competent authorities.
Furthermore, any assessment of health risks should not be carried out by the companies and employers themselves but by the occupational physician. He or she is responsible for detecting infections and informing the employer and the persons who came into contact with an infected person. This information is provided by the occupational physician on the basis of Articles 6(1)(c) and 9(2)(b) GDPR.
The DPA goes on to state that the general principles on personal data processing should be respected at all times, including the principles of data minimization and storage limitation. Companies must also be transparent about any measures taken, adequately informing their employees and visitors about the purposes of processing and the retention period of the personal data collected in this context. Security measures should also be put in place.
Finally, the DPA provides the following answers to specific questions that it received over the past few weeks:
- General and systematic testing of employees and visitors, e.g. of their body temperature, cannot be carried out by an employer or company but only by the occupational physician;
- Employers cannot compel employees to complete medical questionnaires or questionnaires about their recent travel. They may only request employees to provide this information spontaneously;
- An employer may not reveal the names of any infected employees and may only inform other employees of the situation without mentioning the identity of the data subject concerned.
On 16 March 2019, the European Data Protection Board (“EDPB”) also issued a statement to organisations engaged in the processing of personal data in containing and mitigating COVID-19. The EDPB reiterates that data protection rules do not hinder measures which aim to contain and mitigate COVID-19. However, personal data processing must be lawful, and personal data must be protected. Articles 6 and 9 GDPR provide legal grounds other than consent to enable companies and public health authorities to process personal data in the context of epidemics. In this respect, we note that, in light of the statement by the Belgian DPA, it is possible that not all lawful grounds listed by the EDPB for such processing will currently be considered acceptable in Belgium.
Furthermore, the EDPB states that requirements stemming from the e-Privacy Directive (2002/58/EC) should be upheld when processing electronic communication data (e.g. mobile location data). In general, location data should only be used by the operator when they are made anonymous (i.e. processing data aggregated in a way that it cannot be reversed to personal data), or with the individuals’ consent. Exceptionally, such data may also be processed on the basis of emergency legislation introduced by Member States, on condition that the legislation provides for adequate safeguards to protect the data subjects.
For an overview of guidance from other data protection authorities regarding COVID-19 in the workplace, we kindly refer to our Privacy & Data Protection COVID-19 page.
DPA issues extensive guidance concerning the processing of personal data for direct marketing purposes
On 17 January 2020, the DPA published its Recommendation No 01/2020 on the processing of personal data for direct marketing purposes. The main purpose of the Recommendation is to clarify the conditions and requirements for direct marketing under the GDPR. The Recommendation answers the most frequently asked questions and contains many useful examples for all those involved in direct marketing. The recommendation is part of the implementation of the Strategic Plan 2019-2025, which identified direct marketing as one of the priorities of the DPA.
Direct marketing, what are we talking about?
In the absence of a legal definition, the DPA defines the term "direct marketing" as:
"Any communication, in whatever form, solicited or unsolicited, from an organisation or person, and aimed at the promotion or sale of services, products (whether or not for payment), as well as brands or ideas, addressed by an organisation or person acting in a commercial or non-commercial context, which is directly addressed to one or more natural persons in a private or professional context and which involves the processing of personal data."
The scope of this definition is broad: in principle, it is not limited to communications drafted with a commercial or lucrative purpose. Consequently, communications from non-commercial organisations (e.g. political parties, interest groups, etc.) may also constitute direct marketing. The DPA, however, clarifies that strictly personal communications, season's greetings, polls and satisfaction surveys do not, in principle, constitute direct marketing.
Determine the purpose of your processing activities
The recommendation sets out the obligation for organisations or individuals to determine which initial and future purposes they want to achieve by processing the obtained personal data. Some examples provided by the DPA of legitimate processing purposes related to direct marketing are:
(i) informing clients on new products or services;
(ii) creating client profiles;
(iii) allowing third parties to use their clients’ data to create voter profiles;
(iv) proposing personalised offers on the birthdays of their client;
(v) keeping track of their clients’ various actions;
(vi) promoting their brand to the public;
(vii) inviting clients or prospects to events (to promote their organisation);
(viii) disseminating targeted offers to clients with a view to meeting their interests;
(ix) attracting new clients, subscribers, or members.
Particular attention should be given to organisations specialised in aggregating, reselling, renting or trading data (e.g. so-called "data brokers"). Such processing will, in principle, require the prior informed consent of the data subjects. Companies using such partners must also inform the data subjects themselves and have an obligation to check whether the data have been collected and processed by the partner in a GDPR-compliant manner. If not, they can also be sanctioned for non-compliance with the GDPR.
Identify the data needed to pursue your purposes
The DPA reminds organisations that data should only be processed if they are adequate, relevant and limited to what is necessary in relation to the direct marketing purposes (cf. 'data minimization principle' pursuant to Article 6(1)(c) GDPR).
Moreover, these data may not be kept longer than necessary; organisations must keep control over their data management and identify data that have become obsolete or can no longer be processed (cf. 'storage limitation principle' pursuant to Article 6(1)(e) GDPR). However, the DPA does not go as far as to recommend a standard retention period for all personal data processed for direct marketing purposes, since such a period should be determined on a case-by-case basis.
Ensure you have an appropriate legal basis
Direct marketing as defined by the DPA always involves the processing of personal data and is therefore only allowed on the basis of one of the six legal grounds as defined under Article 6 of the GDPR. In practice, organisations will either have to rely on the explicit consent of the data subjects (Article 6(1)(a) GDPR) or on their legitimate interests (Article 6(1)(f) GDPR, see also Recital 47 GDPR in that regard).
In case of electronic marketing communications for direct marketing purposes, however, consent will in principle be required under the ePrivacy Directive 2002/58/EC. That said, organisations could send marketing communications to their existing customers, without consent, if soft opt-in conditions are met.
The DPA explains in detail how to determine the applicable legal basis and, where appropriate, how to obtain valid consent. For example, consent for direct marketing will not be freely given if it is a condition for using a service or for obtaining benefits and discounts.
When determining the legal basis, the individual or organisation processing personal data should always take into account individuals' right to object to the processing of their personal data for direct marketing purposes (Article 21(2) GDPR). They must also respect data subjects' right to withdraw consent to the processing of their personal data for direct marketing purposes (Article 7(3) GDPR). Furthermore, all other requests for the exercise of rights (e.g. right of access, right to rectification, etc.) must also be appropriately followed up.
The DPA reminds organisations that data subjects should receive all information required by Articles 13 and 14 of the GDPR. This information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The purposes of the processing must be precisely described in the privacy notice, as well as in the register of the processing activities. The mere reference to 'direct marketing purposes' will not suffice in most cases. In the case of re-use of data for direct marketing purposes, it must be verified whether this is in accordance with the purpose for which it was originally collected and whether there is a valid legal basis for the subsequent processing.
The full text of recommendation No 01/2020 of the DPA of 17 January 2020 on the processing of personal data for direct marketing purposes can be found here (in French) and here (in Dutch).
DPA adopts a very strict approach to cookie practices
In other news, on 17 December 2019, the Belgian DPA imposed an administrative fine of €15,000 on a website operating company for its negligent privacy and cookie practices. The website, which attracts approximately 35,000 monthly visitors, provides legal news and information to legal practitioners. It was deemed to have committed numerous violations of both the GDPR and the Belgian implementation of the e-Privacy Directive (2002/58/EC). The lengthy decision in this case, which was initiated by the DPA’s inspection service, is so strict that many websites in their current state risk a similar sanction.
The main part of the decision relates to the website’s cookie practices. The company, which initially deployed cookies without asking for consent, later changed its practice by asking for consent through pre-ticked boxes. We note that under Belgian law, user consent is required before placing and consulting cookies on their devices, except in case of mere technical storage of information or when cookies are strictly necessary for the provision of a service expressly requested by the user. In this respect, the DPA clarified that the term "necessary" is to be interpreted in accordance with the protection objectives of European data protection law. This means that the exception may only be invoked in the interest of the data subjects (i.e. the website visitors) and not in the exclusive interest of the providers of the information service. Under this strict interpretation, even if a website operator considers that these cookies are indispensable for the provision of its service, they are not necessarily indispensable for the provision of the information service requested by the website visitor.
In light hereof, the DPA held that first-party analytical cookies do not fall within the exception of "strictly necessary" cookies and therefore require valid consent. Referring to the Planet49 judgment of the Court of Justice of the EU, the DPA went on to hold that the pre-ticked boxes cannot constitute valid consent as they do not qualify as ‘active consent’, which expressly precludes “silence, pre-ticked boxes or inactivity”. Moreover, it stressed that consent must be specific, and that it must be obtained per cookie or per category of cookie.
Additionally, it was held that the company adopted a negligent approach as regards various aspects of its transparency obligations pursuant to the GDPR. Violations included (among others) the fact that the text of its privacy statement did not correspond to reality, that no means were provided to make the privacy statement easily available (e.g. through a link), that the language in which the information was provided did not correspond to the languages of the target groups and that the website contained an erroneous statement about certain data processing operations being carried out anonymously while in fact only pseudonymisation was achieved.
Interestingly, the decision also offers insight into the calculation of the administrative fine. The amount was determined by taking into account the duration of the infringement (several infringements were resolved only after a second notification from the DPA’s Inspection Service), the number of data subjects affected, the intentional or negligent character of the infringement (among others the repeated carelessness of the defendant), the fact that subsequent improvements to the privacy statement made by the defendant do not affect the original findings of breaches and finally the defendant’s turnover for the previous financial year (€1.7 million).
The full text of the decision of 17 December 2019 can be found here (in French) and here (in Dutch).
This decision is an important one, as it is the first time the DPA (successor of the Privacy Commission) takes an official stance on cookie practices. It is in line with the DPA’s strategic plan for 2020-2025, which outlines that this will be one of the focal points of the DPA in the coming years. Website operators are therefore advised to take this decision to heart and carefully review their own cookie practices.