The European Data Protection Board (EDPB) met for its fourteenth plenary session on 8 and 9 October 2019.
One of the key developments was the adoption of the final version of its guidelines on the contractual lawful basis for the processing of personal data in the context of online services under Article 6(1)(b) of the General Data Protection Regulation (GDPR), more commonly known as ‘performance of a contract’ legal basis.
The final version of the guidelines has not changed from the previous draft which we discussed here in our blog in April.
As a reminder, we have outlined below some of the key points from the guidelines.
Scope of the guidelines
EDPB notes that the guidelines relate to the applicability of Article 6(1)(b) to the processing of personal data in the context of contracts for online services. Online services are any information society services, also defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services”. This definition extends to the fields of social media and e-commerce. It also covers services that are not paid for directly by the recipients, such as online services funded through advertising.
Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data where either of the two conditions are met: (1) the processing is necessary for the performance of a contract with a data subject or (2) the processing is necessary for pre-contractual steps at the request of a data subject.
The EDPB clarifies that the previous guidance published by the Article 29 Working Party remains relevant, and any processing of personal data must comply with the GDPR as a whole.
Processing necessary for the performance of a contract with the data subject
Necessity is a prerequisite for reliance on Article 6(1)(b). EDPB reminds controllers that the concept of necessity involves consideration of the fundamental right to privacy and protection of personal data under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
The data processing must be necessary for the performance of a contract with the data subject. EDPB notes that if there are less intrusive alternatives compared to other options for achieving the same goal, the processing is not “necessary”. As such, EDPB clarifies that Article 6(1)(b) will not cover processing which is useful but not objectively necessary.
EDPB recommends that controllers carry out an assessment of whether Article 6(1)(b) is applicable by asking the following questions:
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale of the contract (that is, its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
Processing necessary for pre-contractual steps at the request of a data subject
The second part of Article 6(1)(b) GDPR covers the processing of personal data necessary for taking pre-contractual steps prior to entering into a contract with the data subject. This addresses the situation where processing personal data is necessary to facilitate the actual entering into a contract. EDPB clarifies that this provision would not cover unsolicited marketing or other processing which is carried out on the initiative of the data controller or at the request of a third party.
Termination of contract
EDPB notes that where Article 6(1)(b) is used as the legal basis for the processing of personal data, the controller should anticipate what happens when the contract is terminated.
Upon termination, as a general rule, the processing of personal data will no longer be necessary for the performance of the contract. As such, the controller will need to stop processing. While EDPB recognises that “it is generally unfair to swap to a new legal basis when the original basis ceases to exist”, there are instances when this may apply if there is a legal obligation to retain certain records.
Applicability of Article 6(1)(b) in specific situations
The guidelines also address the applicability of Article 6(1)(b) in specific situations, such as processing for service improvement, fraud prevention, online behavioral advertising, and personalisation of content.
Processing for service improvement is unlikely to satisfy the necessity threshold. Similarly, processing for fraud prevention will also be unnecessary, but could be carried out under another basis, such as legal obligation or legitimate interest.
Personalisation of content may, in some instances, be necessary, depending on whether the personalisation of the content is objectively necessary for the purpose of the underlying contract.
The basis for processing personal data must rest on one of the six legal bases provided for in Article 6(1)(a) – (f) of the GDPR. These guidelines are a welcome clarification on the correct practice for circumstances in which it is appropriate to use Article 6(1)(b) as the lawful basis for processing personal data. We expect EDPB will publish further guidelines in the future to address other lawful bases for processing personal data to correct overly broad application of the Article 6(1) legal bases. In the meantime, keep an eye on our blog for updates.