Consent as a legal basis for direct marketing purposes: Overview of the applicable rules in Rwanda and in Belgium

I. Legal framework

• Belgium

The Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) is directly applicable in Belgium to the processing of personal data, including for direct marketing purposes.

The processing of personal data is also governed by specific laws¹.

With respect to electronic direct marketing in particular, the Royal Decree of 4 April 2003 regulating the sending of advertising by e-mail lays down some important rules (see below).

Note that specific obligations under e-commerce laws also apply in accordance with Article XII.12 and XII.13 Belgian Code of Economic Law (BCEL) when carrying out direct marketing (e.g. transparency obligations).

• Rwanda

In 2021, Rwanda published the law governing data protection (the first of its kind in the country): the Law n° 058/2021 of 13 October 2021 relating to the protection of personal data and privacy (the Data Protection Law), bringing the country in line with international data protection standards such as the GDPR.

This fairly new law applies to local and international companies that process personal data of data subjects located in Rwanda. It lays down an exhaustive list of 8 grounds to process personal data including the consent of the data subject and legitimate interests pursued by the party processing the personal data (Article 46 Data Protection Law).

Other laws govern direct marketing, such as the Law n° 24/2016 of 18/06/2016 governing Information and Communication Technologies (the ICT Law) which contains an obligation to provide, along with the direct marketing communication, an address to which the recipient of the communication may send a request that such communication ceases (Article 223). Spamming is moreover prohibited under the Law nº 60/2018 of 22/8/2018 on prevention and punishment of cyber-crimes (Article 37).

II. Definition of direct marketing

• Belgium

While the GDPR does not contain a definition of “direct marketing”, the Belgian Data Protection Authority (BDPA) provides for a definition in its Guidelines 01/2020 of 17 January 2020 on the processing of personal data for direct marketing purposes². The BDPA defines direct marketing as being “Any communication, whether solicited or unsolicited, for the purpose of promoting an organisation or person, services, products, whether paid for or free of charge, trademarks or ideas, sent by an organisation or person acting in a commercial or non-commercial capacity, directly to one or more natural persons in a private or professional capacity, by any means whatsoever, involving the processing of personal data”.

This broad definition therefore encompasses a wide range of communications (e.g. a company selling products contacts its customers to inform them that its products are environmentally friendly; an association informs its members about its various activities without asking for financial support or offering services or goods; a retail chain sends a message to its customers inviting them to an event in one of its stores, etc.).

• Rwanda

The concept of direct marketing is not defined in the Data Protection Law, the ICT Law, nor in any guidelines of the supervising authority in charge of data protection and privacy in Rwanda, the National Cyber Security Authority (the NCSA).

A definition of the term “marketing” has been provided by the Rwanda Food and Drugs Authority in its Regulations Governing Promotion, Advertisement and Marketing of Regulated products, which came into force on 31 December 2020. Although these Regulations only apply to regulated products³, the definition of marketing it provides can be a useful source of inspiration.

According to these Regulations, the term marketing means “to promote, distribute, sell, or advertise regulated products, or/and creating a relationship of the public and/or with information services regard to regulated products.”

Although this has not been confirmed by case law, one could therefore fairly infer that the concept of “direct marketing” is the act of directly contacting individuals using information services, for one or more of the following purposes:

• promoting, distributing, selling, or advertising products (or services);

• creating a relationship with the public or an individual.

Pending clarification from case law or the NCSA in this regard, it would be advisable that a strict approach be taken when determining the nature of a communication and, in cases of doubt, consider it to be a direct marketing communication.

III. Possible legal bases for direct marketing

• Belgium

Pursuant to Article XII.13 Belgian Code of Economic Law (BCEL), a company must obtain the prior consent as it must provide for an "opt-in" system when considering advertising by electronic mail (e-mail, direct message on social media or other, SMS, etc.) for allowing the addressee to give its prior, free, specific and informed consent to the direct marketing communication.

For electronic direct marketing (e.g. email or SMS), prior consent does not need to be obtained (and a company can therefore rely on its legitimate interest) when direct marketing is addressed to existing customers if all of the following conditions are cumulatively met ("soft opt-in process")⁴:

• the company obtained the contact details for electronic mails directly from a customer as part in the context of a prior sale of a product or a service and to the extent all relevant conditions concerning data protection are complied with (e.g. the information requirements);

• the company uses the contact details only for direct marketing of “similar” products or services that it provides itself;

• when collecting their contact details (and on the occasion of each direct marketing communication in case the customer has not initial refused such use), the company offers to its customers the opportunity to object, free of charge and in an easy way, to such direct marketing (e.g. by providing a "unsubscribe here" link in every electronic mail).

Hence, although the legitimate interest cannot be excluded as a legal basis for direct marketing (see also Recital (47) GDPR and BDPA Guidelines 01/2020 §174), it is to be used with caution under Belgian law.

Regarding non-electronic direct marketing, best practices would require obtaining the prior, informed, free consent (opt-in), although in specific case legitimate interest could be defended as well.

In any event, Article 21(2) GDPR provides that data subjects have the right to object to the processing of their personal data for direct marketing purposes (whether or not carried out electronically).

• Rwanda

Under Rwandan law, prior consent of the data subject currently appears to be the only possible legal basis. There does not seem to be a similar distinction in law as in Belgium between direct marketing not carried out by electronic means and carried out by electronic means.

In its Guidance Note on complaints lodging⁵, the NCSA clearly states that data subjects can lodge a complaint (with the NCSA) when their personal data have been used for direct marketing without their consent.

Hence, according to the National Cyber Security Authority, consent of the data subject must be obtained when processing their personal data for direct marketing purposes.

According to the Data Protection Law, the consent must a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by an oral, written or electronic statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 3(18)). Article 46 specifies that consent must be given only for purposes explained to the data subject.

Note that Article 19 of the Data Protection Law provides a right to object which is similar to what exists under Article 21 GDPR: according to that Article, also in Rwanda, data subjects may at any time, request the data controller or the data processor not to process their personal data that are processed for direct marketing purposes⁶. This might mean that legitimate interest could possibly serve as a legal basis for the processing of personal data for direct marketing purposes. As there is no confirmation from the NCSA in that respect, it is recommended that a strict approach be taken and, where possible, prior consent obtained whenever direct marketing (electronic or otherwise) is carried out.

The NCSA is currently working on a guidance note on consent which should be published in the near future. This guidance will hopefully shed some light on what consent entails, how it should be obtained and on how it should be used in the context of direct marketing.

The implementation of the Data Protection Law is relatively recent in Rwanda and case law will be of great help in determining the scope of its concepts.

We are more than happy to assist you in answering any specific questions you might have.

Please do not hesitate to reach out to our experts on that topic:

• for any question under Belgian law, via ip/it-team@liedekerke.com

• for any question under Rwandan law, via privacy.lgl@liedekerke.com