• What do the terms "personal data" mean, and who is designated by the term "data subject"?
  
• Are the data of legal entities also covered and protected by the GDPR?
  
• How does the GDPR regulate the processing of personal data in marketing campaigns, and what are the legal bases and purposes associated with such processing?
  
• What is meant by direct and indirect marketing?
  
• In your marketing campaigns, who is responsible for data processing?
  
• What is INFOBEL’s role in the processing of data used for your marketing campaigns?
  
• Where do the data that INFOBEL provides to you come from?
  
• What are the rights of the individuals whose data you process?
  
• Why and how must you inform data subjects about your data processing, particularly within the framework of your marketing campaigns?
  
• Who can data subjects contact to exercise their rights?
  

FOREWORD

In a constantly evolving digital environment, the management of personal data has become a key responsibility for every business. As a data broker, we are particularly mindful of the critical importance of handling data with care and in compliance with applicable regulations, in particular the General Data Protection Regulation (hereinafter “GDPR”).

With the aim of ensuring a high level of protection for personal data throughout the entire processing chain, INFOBEL provides you with the present “Best Practices Guide,” presented in the form of a Frequently Asked Questions (FAQ). This tool is designed to support you in implementing GDPR-compliant data processing.

We hope that by relying on this FAQ, you will be able to strengthen the trust of the data subjects involved in your marketing processing activities. This guide will help you respond clearly and consistently to any potential questions or concerns raised by the data subjects to whom your marketing campaigns are addressed.

If you have any further questions, please do not hesitate to send them to us at the following email address: dpo@infobel.com

1. What do the terms "personal data" mean, and who is designated by the term "data subject"?

The GDPR defines “personal data” as "any information relating to an identified or identifiable natural person". In the context of processing for marketing purposes, personal data is understood as follows:

« Information relating to an individual, held in a form in which the individual can be identified, and could include as little as a surname. Some information not containing a surname should be considered as Personal Data and therefore covered by this code. This could be the case, for example, in regard to postal addresses, telephone numbers, faxes or e-mail addresses, or job title, if the person to whom these data relate can reasonably be identifiable ».

This definition is provided by the Federation of European Direct Marketing (FEDMA) in its Code of Conduct regarding the use of personal data in direct marketing, available via the following link:

https://www.fedma.org/wp-content/uploads/2017/06/FEDMACodeEN.pdf

The term “data subject” refers to the natural person to whom the processed data relates. In the context of direct marketing, this may be a customer or a prospect whose information you hold in order to send personalized offers.

“Anonymous data” refers to information that does not relate to an identified or identifiable natural person. To determine whether a natural person is identifiable, all means reasonably likely to be used by the data controller or any other person to identify the individual, directly or indirectly, such as targeting, must be taken into account.

Such anonymous data is not considered personal data. For example, if you collect information for general statistics (such as users’ age or gender) but this information is anonymized so that it is impossible to identify a specific individual, the subject becomes non-identifiable.

However, if this data can be cross-referenced to identify someone[1] (for example, through pseudonyms or identifiers), it remains personal data and must be processed in accordance with the GDPR rules.

2. Are the data of legal entities also covered and protected by the GDPR?

Data relating to a legal entity, such as its name, registered office, or company number, are neither covered nor protected by the GDPR rules, as they are not considered personal data.

Data that can identify natural persons within these legal entities—such as contact details of an employee or executive—are subject to GDPR requirements.

For example, if you use an employee’s professional email address (firstname.lastname@company.com) to send direct marketing offers, such data must be processed in compliance with the GDPR.

Similarly, information relating to a natural person engaged in self-employed activities (such as liberal professions, consultants, or lawyers) is also protected, as it can be directly linked to an individual.

3. How does the GDPR regulate the processing of personal data in marketing campaigns, and what are the legal bases and purposes associated with such processing?

Any data processing must imperatively pursue a specific purpose, called the “purpose”. In its 2025 recommendation concerning data processing for marketing purposes, available in French via the following link (Recommandation-01-2025), the Data Protection Authority (DPA) provides several examples of purposes:

• Inform customers about new products or services;
• Initiate the sale of products and/or services;
• Establish customer profiles;
• Offer personalized promotions on customers’ birthdays;
• Keep customers informed about promotional campaigns;
• Promote brand image to the general public;
• Invite customers or prospects to events organized for promotional purposes;
• Send targeted offers to customers that are likely to match their interests;
• Approach new customers, subscribers, or affiliates.

The purpose must be explicit, specific, and based on one of the legal grounds exhaustively listed in Article 6(1) of the GDPR.

For each purpose, the data controller must choose a single legal basis for processing.

In the context of direct marketing, the two most commonly used legal bases are the following:

• Consent:
  
  

  It is necessary to obtain the prior consent of the data subject in a clear and explicit manner before using their data.

  The user must have given their consent actively (opt-in), and this consent must be freely given, specific, informed, and revocable at any time.

  Under all circumstances, if the data were collected based on consent, any subsequent processing—even for marketing purposes—must also rely on the same consent, respecting its specific scope.

  • The data subject must have the ability to withdraw their consent at any time. If this occurs, you must cease processing their data for direct marketing purposes and inform INFOBEL.
  • Consent for direct marketing will, for example, not be considered freely given if it is made a condition for using a service or obtaining benefits and discounts.
  • In principle, when direct marketing takes the form of electronic communication, the legal basis must be consent, in accordance with the requirements of the e-Privacy Directive, Article 13.

• Legitimate interest:
  
  

  Legitimate interest can also serve as a valid legal basis for processing personal data for marketing purposes, provided it does not infringe on the rights and freedoms of the data subjects.

  This legal basis can apply, for example, to sending marketing communications or newsletters to existing customers, provided they have already expressed an interest in similar products or services, the data was obtained in the context of a sale, and they can object to such processing easily and free of charge. This is known as the "soft opt-in" principle.

  If you ground your processing on legitimate interest, you are required to carry out a “Legitimate Interest Assessment” (LIA), which entails:

  • Identify the pursued interest (e.g., promoting products to existing customers);
  • Verify the necessity of the processing (could the same objective be achieved by less intrusive means?);
  • Conduct a balancing test between the pursued interest and the rights of the data subjects (considering reasonable expectations).

  The data subject must be able to object from the very first contact. If they do so, you must immediately cease processing their data for direct marketing purposes and inform INFOBEL.

  Under all circumstances, it is essential to respect the fundamental principles of the GDPR, including transparency and data minimization, and to integrate data protection by design into your marketing campaigns.

  For example, under the principle of data minimization, when sending newsletters only, it is not necessary to collect the subscriber’s postal address. Limit yourself to requesting only the information necessary to achieve the objective of your campaign.

4. What is meant by direct and indirect marketing?

The Data Protection Authority (DPA) proposes to define this notion as follows:

• “All activities resulting in direct communication to one or more identified or identifiable natural person(s) of messages with promotional content.”

However, service emails (for example, order confirmations, emails regarding order tracking, emails requesting feedback from data subjects about their orders, etc.) are not considered direct marketing since the legal basis justifying the sending of these emails is the execution of the contract between the seller and the buyer.

5. In your marketing campaigns, who is responsible for data processing?

You are the "data controller" when you alone or jointly determine the purposes and means of processing personal data.

Below is a non-exhaustive and illustrative list of your obligations as a data controller:

• Ensure that personal data is processed lawfully, fairly, and transparently, collected for specific, explicit, and legitimate purposes, and kept in a form that allows identification of data subjects for no longer than necessary for those purposes.

  E.G.: If you send promotional offers by email, only collect the necessary email addresses and retain them solely for the duration of your promotional campaign.

• Guarantee transparency: clearly and understandably inform data subjects about the collection and processing of their personal data.

  E.G.: When subscribing to a newsletter, provide a detailed privacy policy explaining how email addresses will be used and stored.

• According to the 2020 recommendation of the Belgian Data Protection Authority (DPA)[2] regarding direct marketing, organizations that collect data — for example, by purchasing data lists from other organizations— must be especially vigilant in complying with the transparency obligation, which includes the duty to identify the source of the data. Failure to comply with this obligation constitutes a breach of Article 14 of the GDPR.
• Obtain explicit and informed consent from the data subjects when processing is based on consent and provide the possibility to withdraw this consent at any time.

  E.G.: Ensure that every communication includes an easy and clear mechanism to unsubscribe, guaranteeing that consent can be withdrawn at any time.

• Facilitate the exercise of data subjects' rights: ensure access, rectification, erasure, restriction of processing, data portability, and the right to object.

  E.G.: Allow your subscribers to update their communication preferences or unsubscribe from your mailing list via a link included in every marketing email.

• Implement appropriate security measures by establishing technical and organizational safeguards to protect data against security breaches, such as unauthorized access, loss, or destruction.
• Notify the Data Protection Authority (DPA) and, where applicable[3], the data subjects in the event of a personal data breach, within 72 hours of becoming aware of the breach.
• Maintain a detailed record of processing activities, including the purposes of the processing, categories of data, recipients, and the security measures in place.

6. What is INFOBEL’s role in the processing of data used for your marketing campaigns?

INFOBEL is a global digital platform specialized in the purchase and sale of personal data, offering a wide range of B2B solutions, including products and services designed to enhance, acquire, or leverage data for direct marketing purposes.

Its role as a data controller is reflected at several levels:

• Acquisition and sale of data: INFOBEL collects, validates, and sells databases containing personal information. These data may include contact details, demographic data, and other information relevant to direct marketing.
• Data processing and management: INFOBEL processes data with a focus on quality and relevance. This includes regular updates, data accuracy improvements, and consent management to ensure compliance with legal requirements, particularly the GDPR.
• Segmentation and targeting: INFOBEL enables data segmentation to help businesses precisely target their marketing campaigns. It provides tools based on statistical assessments and algorithms to filter and segment data according to various criteria, optimizing the relevance of communications and improving return on investment.

As a reminder, in your marketing campaigns, you act as the data controller.

In all circumstances, INFOBEL ensures that the processing of the data it sells complies with the GDPR. Thus, INFOBEL fulfills its transparency obligation by providing information on the origin and validity of the data. Furthermore, it has adopted a set of measures that ensure smooth handling of data subjects’ rights, including, notably, requests for deletion or rectification.

7. Where does the data that INFOBEL provides to you come from?

The data that INFOBEL provides to you comes from indirect collections. They are collected from data brokers, who themselves collect data either:

• Following contests and promotions: Data can be collected during contests, promotions, or newsletter sign-ups, where participants provide their personal information in exchange for participation or to receive rewards.
• By purchasing databases from partners or third-party suppliers.

INFOBEL has implemented a regular mechanism to verify and control data quality and the validity of the legal basis for processing. In this respect, INFOBEL ensures, notably, that postal addresses are always correct. Another example of control consists of verifying that the data subjects do not appear on lists such as the Robinson list or the "do not call me" (DNCM) list.

8. What are the rights of the individuals whose data you process?

In accordance with the GDPR, it is your responsibility as the data controller to respond to the requests of the data subjects whose data we have sold to you.[4]

These rights are as follows:

• The right of access (Article 15 of the GDPR): this right allows an individual to know if personal data concerning them is being processed and, if so, to obtain a copy in the format in which the request is made, as well as clear information about the processing, such as the source of the data, the legal basis for the processing, and the purpose.

  E.G.: A subscriber to your newsletter may request a copy of the information you hold about them, such as their email address and communication preferences.

• The right to rectification(Article 16 of the GDPR): this right allows any data subject to request the correction of inaccurate personal data concerning them. They can also request the completion of incomplete data.

  E.G.: If a client informs you that their email address was entered incorrectly during registration for a promotion, they can request correction of this information.

• The right to erasure(Article 17 of the GDPR): this right allows a person to request the deletion of their personal data, notably when it is no longer necessary or has been processed unlawfully. It also includes the right to be forgotten, aimed at removing information disseminated online from search engines (right to delisting).

  E.G.: A client who no longer wishes to receive advertising emails can request the deletion of their email address from your mailing list.

• The right to restriction of processing(Article 18 of the GDPR): this right allows data subjects to request the restriction of the processing of their personal data in the following cases:
  • If they contest the accuracy of this data, pending the assessment of the interests involved before exercising their right to object to the processing of certain personal data.
  • If the processing of their personal data is unlawful, but they do not wish to exercise their right to erasure.
  • If you no longer need their personal data, but they require it for the establishment, exercise, or defense of legal claims.

  E.G.: If a subscriber contests the accuracy of their personal data used for a marketing campaign, they can request to restrict its use until the issue is resolved.

• The right to data portability(Article 20 of the GDPR): this right allows a person to receive their personal data in a readable format and transfer it to another organization. It applies when processing is automated and based on consent or a contract.

  E.G.: A client may request to receive their contact information and communication preferences in a readable format to transfer them to another marketing service they wish to engage with.

• The right to object(Article 21 of the GDPR): this right allows any person to object at any time, for reasons related to their particular situation, to the processing of their personal data when it is based on the legitimate interests of the data controller, especially when processing is for direct marketing purposes.

  E.G.: If you send a newsletter to your clients based on your legitimate interest, they must be able to easily object to this processing. It is therefore your responsibility to include a clear statement allowing them to unsubscribe, such as an unsubscribe link in every email.

• The right to lodge a complaintbefore the Data Protection Authority (Article 77 of the GDPR).
• You are required to inform us if it is necessary to rectify or erase the data of a data subject. Data subjects can always withdraw their consent on our website via the following link: https://dpo.infobel.com/
• It is important to note that these rights are not absolute and may be subject to certain exceptions and conditions. For example, the right to erasure may not apply if the processing is necessary, notably to comply with a legal or contractual obligation, for the exercise or defense of legal claims, or if your legitimate interests or the legitimate interests of third parties prevail.

9. Why and how must you inform data subjects about your data processing, particularly within the framework of your marketing campaigns?

In accordance with the recommendation of the Data Protection Authority (DPA) concerning direct marketing, data controllers must provide transparent and clear information to data subjects, whether they collect data directly from them or indirectly from different sources.

Here is how you can do it:

• Direct collection (Article 13 of the GDPR): When you collect data directly from data subjects, you must provide clear information at the time of collection.

  E.G.: If you ask a customer to fill out a newsletter subscription form on your website, you must include a privacy policy on the collection page.

• Indirect collection (Article 14 of the GDPR): If you obtain data indirectly, for example by purchasing data lists from other organizations, such as from INFOBEL, you must inform data subjects about the source of these data.

  E.G.: If you buy a contact list from INFOBEL, you must inform the data subjects how you will use their data and explain how they can exercise their rights.

• If you cannot provide this information due to one of the exceptions set out in Article 14 of the GDPR, you must be able to justify why. For instance, if informing data subjects would require a disproportionate effort, you must demonstrate that it is technically impossible or unreasonable to do so.

10. Who can data subjects contact to exercise their rights?

Data subjects may exercise their rights or ask any questions regarding the exercise of their rights by completing the form available on the page dpo.infobel.com or by sending us a letter to the following postal address:

DPO – INFOBEL SA
Chaussée de St Job, 506
1180 BRUSSELS (Belgium)

Any ordinary mail or request submitted via the web form must be accompanied by a copy of an identity document and, for requests coming from legal entities, proof of the authority of the person representing them.

We will respond to their request as soon as possible, and no later than within one month following the receipt of the request.

Depending on the complexity of the request or the number of requests we receive from other individuals, this period may be extended by two months. In such cases, we will notify the data subject of this extension within one month of receiving their request.

If the data subject wishes to update the personal data published about them on the website www.infobel.com, they are invited to click on the following link: "update my personal data".

We cannot be held responsible for the removal of data displayed on other websites or digital media to which we do not provide data. It is the responsibility of the data subject to contact the owners of the concerned sites directly.

[1] This is what is called pseudonymized data.

[2] For your reference, the Belgian Data Protection Authority (APD) published an initial recommendation on direct marketing in 2020, followed by a second one in 2025.

[3] If the breach is likely to result in a high risk to the rights and freedoms of the data subjects.

[4] The response must be provided within one month from the receipt of the request. If the request is complex and requires an extended deadline, the organization must inform the data subject of the extension and the reasons for the additional delay within one month following the receipt of the initial request.