EDPB Releases GDPR Guidance on Contractual Necessity Lawful Basis
The European Data Protection Board has released guidelines for public consultation on the processing of personal data pursuant to contracts for online services under Article 6(1)(b) of the General Data Protection Regulation (GDPR).
The EDPB expresses a concern about the risk that data controllers may use contracts specifying broad purposes to maximize their possible data collection and uses.
In its guidance, the EDPB discusses and clarifies the intersection between consent (Article 6(1)(a)) and contractual necessity (Article 6(1)(b)). It requests that controllers make the applicable legal basis clear to data subjects from the start.
It also makes clear that special categories of data that do not fall within one of the Article 9(2) exceptions require explicit consent for processing. There is no exception under Article 9(2) for processing necessary for the performance of a contract.
The standard for determining whether processing is necessary for the performance of a contract or to take pre-contractual steps is an objective one. It is “a combined, fact-based assessment of the processing ‘for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal’.” Realistic, less intrusive alternatives render the processing not necessary.
The necessity of processing depends “not just on the controller’s perspective, but also a reasonable data subject’s perspective when entering into the contract.” Processing must fall within the fundamental and mutually understood contractual purpose if Article 6(1)(b) is to be relied upon by a controller.
The controller should be able to demonstrate both that there is a valid contract with the data subject and that the processing is necessary to the particular contract’s performance. It is not sufficient that the processing is necessary for other business purposes of the controller. If the controller cannot demonstrate a valid contract and processing that is objectively necessary, another legal basis should be considered.
The EDPB recommends the following questions guide a controller in its assessment of the applicability of Article 6(1)(b):
– What is the nature of the service being performed to the data subject? What are its distinguishing characteristics?
– What is the exact rationale of the contract (i.e. its substance and fundamental object)?
– What are the essential elements of the contract?
– What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
Certain reasonably foreseeable and necessary acts within a normal contractual relationship, incidental to the execution of a contract or triggered by non-compliance (such as sending formal reminders of non-payment), may also be covered. However, the legal basis “does not automatically apply to all further actions triggered by non-compliance or to all other incidents in the execution ….”
If a controller bundles services into one contract where the services could be reasonably performed independently, the controller can still rely on Article 6(1)(b) as a legal basis for the services which the data subject actively requests.
If an organization relies on Article 6(1)(b) in order to process data and the contract is terminated, it is generally not permitted to swap in a new legal basis for processing. However, if a data subject gives consent for processing after termination, it could be a valid basis for continued processing.
If an organization is going to retain records for legal purposes after the termination of a contract, it should identify that legal basis for retention at the outset of processing.
Other Specific Situations
The EDPB also discusses processing for certain specific situations, including service improvement, fraud prevention, online behavioral advertising, and content personalization. It does not consider service improvement, fraud prevention or online behavioral advertising likely to fall within this lawful basis.