The EDPB has released new draft guidelines 2/2019 on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects. The guidelines emphasise the narrow scope of the contractual necessity legal basis. A controller must be able to demonstrate that the processing is ‘objectively necessary’ for a purpose that is ‘integral’ to the delivery of a contractual service to the data subject in order to rely on this legal basis. If a controller cannot demonstrate such necessity it must consider another legal basis for processing the personal data. This note considers the key highlights of the guidelines.

Background

Article 6(1) of the GDPR provides that processing shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). Article 6(1)(b) of the GDPR sets out the contractual necessity legal basis. It provides that the processing of personal data shall be lawful to the extent that “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. This legal basis reflects the fact that sometimes contractual obligations cannot be performed without the data subject providing certain personal data.

Scope of the Guidelines

The EDPB notes that ‘online services’ as used in the guidelines refers to ‘information society services’, which are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” (Directive (EU) 2015/1535 and Article 8 GDPR). The EDPB confirms that this definition extends to services that are not paid for directly by the persons who receive them, such as online services funded through advertising (see also Recital 18 of the e-Commerce Directive 2000/31/EC).

The Article 29 Working Party has previously expressed views on the contractual necessity legal basis under the Data Protection Directive 95/46/EC in its opinion on the notion of legitimate interests of the data controller (opinion 06/2014), and the EDPB has indicated that opinion remains relevant when assessing the application of Article 6(1)(b) of the GDPR.

Compliance with the GDPR as a whole

The contractual necessity legal basis in Article 6(1)(b) must be considered in the context of the GDPR as a whole, including the data protection principles. The EDPB highlights that the fair and transparent processing, purpose limitation and data minimisation obligations are particularly relevant in contracts for online services, insofar as technological advancements make it possible for controllers to easily collect and process more personal data than ever before.

Where processing is not considered ‘necessary for the performance of a contract’, the EDPB recognises that another lawful basis may be applicable, such as consent or legitimate interests. However, the EDPB warns that where a controller is relying on consent as a legal basis, it is important to distinguish between entering into a contract and consent to the processing of personal data under Article 6(1)(a). Data subjects should not be given the impression that they are giving their consent in line with Article 6(1)(a) when signing a contract or accepting terms of service.

Necessity of Processing

When assessing whether Article 6(1)(b) is an appropriate legal basis for an online contractual service, regard must be given to the particular aim, purpose, or objective of the service. Article 6(1)(b) will not cover processing which is “useful but not objectively necessary” for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes. Other legal bases, such as the controller’s legitimate interests, may be available for those other business purposes.

(i) Necessary for the performance of a contract with the data subject

Where a controller seeks to establish that the processing is necessary for the performance of a contract with the data subject, the EDPB expects the controller to be able to demonstrate how the main object of the specific contract with the data subject cannot be performed if the specific processing of the personal data in question does not occur.

The EDPB suggests online services ask the following questions, when assessing whether Article 6(1)(b) is applicable:

  1. What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  2. What is the exact rationale of the contract (i.e. its substance and fundamental object)?
  3. What are the essential elements of the contract?
  4. What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

The guidelines provide examples of when it is or is not appropriate for online services to rely on Article 6(1)(b) to process personal data. Example 1 (in italics below), illustrates the narrow scope of this legal basis.

“A data subject buys items from an online retailer. The data subject wants to pay by credit card and for the products to be delivered at home. In order to fulfil the contract, the retailer must process the data subject’s credit card information and billing address for payment purposes and the data subject’s home address for delivery. Thus, Article 6(1)(b) is applicable as a legal basis for these processing activities. However, if the customer has opted for shipment to a pick-up point, the processing of the data subject’s home address is no longer necessary for the performance of the purchase contract and thus a different legal basis than Article 6(1)(b) is required.”

(ii) Necessary for taking steps prior to entering into a contract

The alternative condition for the application of Article 6(1)(b) is where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. This provision reflects the fact that preliminary processing of personal data may be necessary prior to entering into a contract in order to facilitate actually entering into that contract.

Example 5 (in italics below) demonstrates when processing would not fall within the remit of the contractual necessity legal basis.

In some cases, financial institutions have a duty to identify their customers pursuant to national laws. In line with this, before entering into a contract with data subjects, a bank requests to see their identity documents. In this case, the identification is necessary for a legal obligation on behalf of the bank rather than to take steps at the data subject’s request. Therefore, the appropriate legal basis is not Article 6(1)(b), but Article 6(1)(c)”.

Applicability of Article 6(1)(b) in Specific Situations

(i) Processing for ‘service improvement’

The EDPB does not consider that Article 6(1)(b) would generally be an appropriate lawful basis for processing for the purposes of improving a service, as such processing cannot usually be regarded as being objectively necessary for the performance of the contract with the user.

(ii) Processing for ‘fraud prevention’

In the EDPB’s view, processing for fraud prevention purposes is likely to go beyond what is objectively necessary for the performance of a contract with a data subject. Such processing could however still be lawful under another basis in Article 6(1), such as compliance with a legal obligation or legitimate interests.

(iii) Processing for ‘online behavioural advertising’

The EDPB does not view Article 6(1)(b) as providing a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. The EDPB states that: “Although such processing may support the delivery of a service, it is separate from the objective purpose of the contract between the user and the service provider, and therefore not necessary for the performance of the contract at issue.” Furthermore, in line with the e-Privacy requirements, controllers must obtain data subjects’ prior consent to place the cookies necessary to engage in behavioural advertising.

(iv) Processing for ‘personalisation of content’

The EDPB notes that personalisation of content may constitute an essential element of certain online services, and therefore may be regarded as necessary for the performance of the contract with the service user in some cases.