Belgian court overturns data fine in direct marketing ruling

A Belgian appeals court overturned a data protection authority reprimand on December 17, 2025, determining that a direct marketing campaign offering health screenings to specific age groups satisfied legitimate interest requirements under the General Data Protection Regulation. The Brussels Market Court's decision establishes new precedent for evaluating reasonable expectations and legitimate interest balancing when personal data processing serves both commercial and potential health purposes.

The Court of Appeal Brussels annulled Belgian Data Protection Authority decision 76/2025, which had imposed reprimands on two companies for violating GDPR Articles 5.1(a), 6, and 24.1, according to judgment 2025/AR/987 issued December 17. The case stemmed from a complaint filed October 18, 2023, after a Belgian resident received unsolicited direct mail from a company with which he had no prior relationship.

The marketing campaign involved sending postal advertisements to individuals in specific age groups, inviting participation in health screening programs. One company obtained address data through intermediary organizations, ultimately sourced from Belgian public records. The complainant challenged the lack of consent and questioned how the companies obtained his personal data.

Belgium's Litigation Chamber ruled April 24, 2025, that both companies violated fundamental GDPR principles. The authority determined the companies failed to demonstrate their interests outweighed the complainant's fundamental rights. The Litigation Chamber based its finding partly on the campaign letter's title, which it characterized as potentially misleading because recipients might believe the sender performed tasks in the public interest. Additionally, the authority concluded that targeting individuals based on age group membership created feelings that could be perceived as "invasive."

The Brussels Market Court rejected both elements of the Belgian DPA's reasoning. The appeals court found the letter's wording, when examined in context, did not create impressions of government agency affiliation. The court stated the letter was not of such nature as to mislead average consumers about its commercial character or the sender's capacity.

The court disagreed more fundamentally with characterizing age-targeted health campaigns as invasive. Targeting advertising to specific age groups represents standard marketing practice, the judges noted. The court cited examples including universities contacting school graduates, banks writing to customers' children about youth accounts, and health organizations reaching age-appropriate populations. The court emphasized that the letter served not only commercial interests but could produce positive consequences for recipients by offering early detection of health conditions.

Article 6.1(f) GDPR permits processing when necessary for legitimate interests pursued by controllers or third parties, except where data subjects' interests or fundamental rights and freedoms override those interests. The provision requires three cumulative conditions: legitimate interest existence, processing necessity for that interest, and confirmation that data subjects' interests do not override controller interests, according to Court of Justice of the European Union judgment C-394/23 from January 9, 2025.

The balancing test involves weighing conflicting rights and interests based on specific case circumstances. Data subjects' interests and fundamental rights may outweigh controller interests particularly when personal data are processed in circumstances where data subjects do not reasonably expect such processing, the CJEU established. GDPR Recital 47 explicitly states that processing personal data for direct marketing purposes may be considered meeting legitimate interest requirements.

The Brussels court determined the Litigation Chamber failed to account for all specific circumstances when concluding the company had not demonstrated its interests outweighed the complainant's rights. The judges found that beyond mere reasonable expectations, the processing must be evaluated considering scope, consequences, and potential risks to fundamental rights.

The court established that reasonable expectations alone cannot automatically ensure controller legitimate interests outweigh data subject rights, particularly when processing might infringe fundamental rights guaranteed by the EU Charter of Fundamental Rights. However, the mere absence of reasonable expectations—such as when no contractual relationship exists between parties—proves insufficient to ensure data subject interests automatically outweigh controller interests.

This becomes especially relevant when no fundamental right or freedom infringement has been proven, when processing scope remains limited, when no sensitive information is processed, and when consequences for data subjects may be positive, the court stated. The health benefits offered through early detection represented a crucial distinguishing factor that the Belgian DPA had not adequately weighed.

The ruling addresses persistent tensions in data protection enforcement across European advertising regarding legitimate interest assessments for marketing purposes. The decision follows increased scrutiny of cookie consent mechanisms and data access rights enforcement by Belgian authorities throughout 2024 and 2025.

The court also annulled findings that the companies violated Article 24 GDPR accountability requirements. The Belgian DPA had determined the companies failed to implement appropriate technical and organizational measures to ensure processing complied with GDPR, specifically criticizing failure to verify lawfulness of original data processing when obtaining data from third parties.

The appeals court held that Article 24 cannot be interpreted as imposing formal obligations on controllers to independently verify lawfulness of original processing and conditions under which personal data may be further processed by third parties. The judges emphasized that Article 24 requires "appropriate" measures considering nature, scope, context, purposes of processing, and risks to natural persons' rights and freedoms.

GDPR's risk-prevention focus and controller accountability principles pursue teleological approaches striving for effective results rather than formalistic compliance with specific procedures, the court stated, citing Advocate General Pitruzzella's conclusions in CJEU case C-340/21. Controllers relying on Article 6(1)(f) justification must prove the three cumulative conditions are met, demonstrating processing bases itself on valid legal grounds without requiring formal verification of upstream data lawfulness.

The Belgian Data Protection Authority represented by attorneys Joos Roets and Timothy Roes must pay legal costs totaling €1,883.72 plus a €26 contribution to the Budgetary Fund. As a public body, the Belgian DPA is exempt from court fees under joint application of Articles 279 and 161 of the Code of Registration Fees.

Two additional companies intervened in the appeal proceedings. The first voluntary intervening party, represented by attorney Peter Alexander Craddock, argued in support of the appeal. The company had participated in administrative proceedings before the Litigation Chamber after being informed of intervention opportunities. The second voluntary intervening party also joined the appeal in protective capacity.

The appeals court ruled that voluntary intervention was admissible despite Belgian DPA arguments that interveners only qualify when directly subject to contested decisions. The court found that voluntary intervention serves to protect intervening parties' interests or support positions of parties to proceedings. The fact that intervening parties advanced arguments differing from Belgian DPA positions did not affect intervention admissibility.

The case demonstrates complexities facing legitimate interest assessments in direct marketing contexts. While recent enforcement actions have emphasized consent requirements and data subject rights, the Brussels ruling confirms that legitimate interest remains viable for marketing when processing serves dual purposes including potential benefits to recipients.

The decision arrives as European institutions debate major GDPR amendments through digital omnibus packages scheduled for 2025. The European Commission has proposed establishing that processing personal data for artificial intelligence development constitutes legitimate interest, though privacy advocates warn the changes could undermine fundamental protections.

The Brussels Market Court emphasized that controllers must conduct comprehensive balancing tests examining all relevant factors when claiming legitimate interest. Age discrimination concerns do not automatically arise from targeting health campaigns to age-appropriate populations when those campaigns serve genuine health benefits. Courts must evaluate whether processing risks fundamental rights infringements rather than applying categorical rules based solely on presence or absence of reasonable expectations.

The judgment creates precedent for marketing professionals navigating legitimate interest requirements under Article 6(1)(f). Controllers must document thorough assessments of processing necessity, scope limitations, and balancing tests weighing their interests against data subject rights. The ruling confirms that data protection authorities cannot impose blanket prohibitions on legitimate interest processing without examining specific circumstances including potential positive outcomes for data subjects.

Belgian DPA decisions have faced multiple appeals reversals in recent years. The authority's March 2022 ruling that the Transparency and Consent Framework violated GDPR Article 6 sparked industry-wide controversy over consent management practices. IAB Europe challenged that decision, arguing the Belgian DPA exceeded its authority.

The December 17 ruling does not establish automatic acceptability for all age-targeted marketing campaigns. Controllers must still demonstrate legitimate interests, processing necessity, and favorable balancing of conflicting rights on case-by-case bases. The decision clarifies that data protection authorities bear burden of explaining why specific processing violates GDPR rather than requiring controllers to prove negative propositions about absence of fundamental rights violations.

Marketing organizations increasingly require written legitimate interest assessments documenting their compliance frameworks. Estonian courts confirmed June 2025 that data protection authorities can order such documentation during enforcement proceedings under Article 58(2)(d) GDPR powers. The assessments must address suitability of claimed interests, justification of processing necessity, weighing of impacts on individuals, security measures implementation, and final conclusions about processing admissibility.

The Brussels judgment distinguished between commercial marketing lacking broader social benefits and campaigns offering health screening opportunities. This distinction may influence future cases involving wellness programs, preventive healthcare initiatives, and age-appropriate public health communications. Courts will examine whether processing serves only profit motivations or provides genuine value to targeted populations.

Data protection enforcement has intensified across multiple European jurisdictions. Dutch authorities issued reprimandsfor surveillance systems capturing public spaces without adequate legitimate interest documentation. German courts have expanded interpretations of sensitive data categories to include inferred health information from purchase patterns.

The Belgian DPA retains authority to investigate the case's other dimensions. The Litigation Chamber split the original complaint into separate proceedings. Decision 76/2025 addressed only certain companies and violations. Additional enforcement actions may target other parties involved in the data supply chain, including intermediary organizations that facilitated data transfers.

Privacy advocates maintain that legitimate interest cannot substitute for consent in most direct marketing scenarios. The Brussels ruling's emphasis on health benefits may apply narrowly to similar preventive care campaigns rather than establishing broad precedent for age-targeted commercial advertising. Critics argue the decision could encourage companies to frame purely commercial campaigns as serving public health purposes.

The Market Court did not address whether controllers must verify upstream data lawfulness when obtaining personal data from third parties. The judgment establishes that Article 24 accountability obligations do not impose formal verification requirements but leaves open questions about due diligence standards when processors rely on intermediaries for data sourcing.

Marketing professionals should document comprehensive legitimate interest assessments before launching campaigns targeting specific demographics. Assessments must examine data subjects' reasonable expectations, processing scope and purposes, potential consequences including positive outcomes, absence of sensitive data categories, and implementation of appropriate security measures. Controllers should review assessments periodically and update them when circumstances change.

The Brussels ruling reinforces principles established in European Data Protection Board guidance requiring three-step legitimate interest assessments: identifying genuine legitimate interests, analyzing processing necessity, and balancing interests against fundamental rights. Organizations must involve Data Protection Officers in evaluating assessments and maintain comprehensive documentation available to supervisory authorities.

Timeline

• October 18, 2023: Complainant filed complaint with Belgian Data Protection Authority over unsolicited marketing mail
• October 25, 2023: Belgian DPA First-line Service declared complaint admissible and referred to Litigation Chamber
• December 17, 2024: Hearing held before Litigation Chamber examining the case
• January 3, 2025: Litigation Chamber provided parties with hearing minutes copies
• January 6, 2025: Complainant requested summoning additional parties
• January 31, 2025: Litigation Chamber informed additional party of intervention option
• February 26, 2025: Additional party confirmed intervention as third party
• April 24, 2025: Belgian Litigation Chamber issued Decision 76/2025 imposing reprimands
• May 26, 2025: Company filed appeal petition with Brussels Court of Appeal
• June 19, 2025: First voluntary intervening party filed protective intervention petition
• July 25, 2025: Second voluntary intervening party filed protective intervention petition
• November 12, 2025: Public hearing held before Brussels Market Court
• December 17, 2025: Brussels Court of Appeal issued judgment 2025/AR/987 annulling reprimands

Summary

Who: The Brussels Court of Appeal (Market Court Section, 19th Chamber A) issued a judgment annulling Belgian Data Protection Authority reprimands against two companies conducting age-targeted health screening marketing campaigns. The case involved one company that sent direct mail to specific age groups and intermediary organizations that facilitated data transfers. Privacy advocacy organization noyb has represented complainants in similar Belgian data protection cases throughout 2024 and 2025.

What: The appeals court annulled Belgian DPA Decision 76/2025 dated April 24, 2025, which had imposed reprimands for violating GDPR Articles 5.1(a) (lawfulness, fairness, transparency), Article 6 (lawful processing bases), and Article 24.1 (controller accountability). The court determined the Belgian DPA failed to properly weigh health benefits and other circumstances when evaluating legitimate interest under Article 6(1)(f) GDPR. The judgment established that reasonable expectations alone cannot determine legitimate interest balancing and that absence of contractual relationships does not automatically mean data subject interests outweigh controller interests when processing serves health purposes.

When: The Brussels Market Court delivered judgment 2025/AR/987 on December 17, 2025, following public hearing November 12, 2025. The underlying complaint was filed October 18, 2023, after the complainant received marketing materials in late 2023. The Belgian Data Protection Authority's Litigation Chamber issued Decision 76/2025 on April 24, 2025. The appeal was filed May 26, 2025. The case reflects broader enforcement patterns throughout 2024 and 2025 as Belgian authorities increased scrutiny of legitimate interest claims for marketing purposes.

Where: The judgment was issued by the Court of Appeal Brussels (Markets Court Section, 19th Chamber A) with jurisdiction over appeals from Belgian Data Protection Authority decisions. The case involved data processing activities occurring in Belgium, with address data sourced from Belgian public records and marketing mail sent to Belgian residents. The decision contributes to evolving GDPR jurisprudence across European Union member states addressing legitimate interest requirements for direct marketing.

Why: The case arose because a Belgian resident received unsolicited direct mail from a company with which he had no prior relationship, offering participation in age-appropriate health screening programs. The complainant questioned the legal basis for processing his personal data obtained through intermediary organizations. The Belgian DPA initially found violations because it determined the campaign could be perceived as misleading about government affiliation and invasive due to age-based targeting. The appeals court reversed this decision because it found the Belgian DPA failed to adequately consider health benefits, standard age-targeting marketing practices, limited processing scope, and absence of fundamental rights violations when conducting the required balancing test under Article 6(1)(f) GDPR.