In a decision issued on May 29, 2020, the Belgian data protection authority (DPA) turned its attention to the practices of non-profit organizations when it imposed a fine for violations of the EU’s General Data Protection Regulation (GDPR).  The DPA’s decision responded to an individual who complained that he continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing. He had also requested that the organization delete his data from its database.

The DPA stated that under the GDPR, unsolicited postal communications sent by non-profit organizations to promote their services and to fundraise qualify as “direct marketing.”  It found that the non-profit organization breached the GDPR when it processed the individual’s data because the organization did not:

  • immediately stop processing the individual’s data for direct marketing after he objected.  The DPA cited Article 21(2) of the GDPR, which provides that individuals have the right to object to processing, and Article 17(1)(c), which establishes the right to be forgotten.  Instead of complying with the individual’s request, the organization continued processing data for at least five months, even after it was notified that the complaint had been submitted to the Belgian DPA.
  • have a valid legal basis for processing the complainant’s personal data for direct marketing. The GDPR requires that organizations cite a legal basis for processing data.  Instead of obtaining consent, one legal basis for processing provided for in the GDPR, the non-profit organization relied on the legitimate interest ground set forth in Article 6(1)(f) to process the former donor’s contact details for sending communications aimed at fundraising and promoting its services.

To establish legitimate interest as the legal basis for processing, the GDPR requires that processors balance that interest with the rights and freedoms of the individual.  The DPA was of the opinion that the legitimate interests pursued by the non-profit organization were overridden by the rights and freedoms of the individual.

The DPA questioned whether individuals would reasonably expect that their data would be processed for direct marketing seven years after they had made a donation.  It also stated that the non-profit organization had not put in place sufficient safeguards to mitigate the impact of the data processing on individuals.  In this regard, it cited specifically that the non-profit organization had not provided an effective right to object to processing – which is essential for companies that rely on legitimate interests – nor had it clearly informed individuals of their right to object.  It stated that referring to the right only in the privacy policy did not sufficiently inform the consumer.

In light of these findings, the DPA ordered the non-profit organization to honor the individual’s request to erase his personal data and imposed an administrative fine of €1,000.

The Belgian DPA’s action in this case is a reminder that the GDPR does not apply only to businesses: any organization, including a non-profit, is subject to the law.  Achieved Compliance helps organizations of all kinds, and of all sizes, understand their obligations and take steps to meet them in a way that is right for their business and their budget.