Transparency Is Non-Negotiable: The Belgian DPA’s Draft Recommendation on Direct Marketing

On 15 February 2025, the Belgian Data Protection Authority (DPA) published its updated draft Recommendation 01/2025 on Direct Marketing, currently open for consultation until 10 May 2025. This long-anticipated update follows years of evolving case law, regulatory developments, and mounting pressure on transparency in digital advertising.

What has Changed? Transparency, Precision and Accountability

Unlike the original 2020 Recommendation, which left room for interpretation, the new draft introduces detailed legal expectations. The DPA no longer accepts vague references to “direct marketing” as a lawful purpose. Instead, organisations must (i) specify the types of marketing (e.g., newsletters, behavioural targeting), (ii) detail the channels used (e.g., social media, email), and (iii) identify data sources, including how and why the data was collected.

This reflects the Belgian DPA’s firm view – backed by recent case-law – that transparency under Articles 13–14 GDPR must enable a genuine exercise of data subject rights.

Key Legal Focus Areas in the 2025 Draft

Third-Party and Brokered Data

Companies must now disclose (i) the source of the data, (ii) the legal basis for initial collection, (iii) the method used (e.g., inferred, declared, scraped), and (iv) contact details of the original collector.

Crucially, businesses relying on data brokers must not rely solely on contractual terms. Active due diligence is now required-such as reviewing privacy policies, obtaining audit reports, or validating legal grounds for processing.

Expanded Scope of Direct Marketing

The DPA now classifies several “grey zone” practices as direct marketing (i) profiling and segmentation, (ii) mixed-content messages (e.g., support emails suggesting upgrades) and (iii) dynamic pricing based on user behaviour.

Retention Periods

Retention must reflect both the relationship strength (e.g., loyal customer vs. prospect) and product lifecycle (e.g., car vs. snack). Prospect data must be kept for a shorter period than customer data.

Legitimate Interest? Only If Expected

Cold outreach is on thin legal ice. If the recipient has no relationship with the sender, legitimate interest will rarely apply. A legitimate interest assessment (LIA) is required in all cases and must be documented.

Data Subject Requests

Even vague or informal requests (e.g., a one-line question buried in a long email) may count as valid GDPR requests under the DPA’s interpretation. Controllers must recognise and act on them-even when non-standard or incomplete.

Allegiance Law’s Perspective

For companies relying on purchased lists, inbound leads, or digital ad targeting, this Recommendation is a compliance reset. We see three urgent priorities (i) update your privacy notices with granular marketing descriptions, (ii) train staff-especially in marketing and customer support-on recognising access requests and fulfilling Article 14 transparency and (iii) audit your data sources and broker relationships; assume enforcement will target opacity first.

At Allegiance Law, we are already helping SMEs and tech companies: (i) revise consent flows and cookie policies, (ii) document LIAs, (iii) renegotiate marketing vendor contracts with robust guarantees, and (iv) submit consultation feedback where the DPA’s expectations are unrealistic.

The DPA’s draft is demanding but not inflexible. The consultation window is an opportunity-especially for small and mid-sized businesses-to push back where burdens are disproportionate.

Read the full draft Recommendation (NL/FR)

Dutch version (Aanbeveling 01/2020)

French version (Recommandation 01/2020)