The European Data Protection Board has adopted final Guidelines on the processing of personal data under the “necessary for the performance of a contract” lawful basis in Article 6(1)(b) of the GDPR, in the context of the provision of online services.
Article 6(1)(b) of the GDPR provides a lawful basis for the processing of personal data to the extent that the processing is:
- Necessary for the performance of a contract to which the data subject is a party; or
- In order to take steps at the request of the data subject prior to entering into a contract.
The Guidelines outline the elements of lawful processing under Article 6(1)(b) and focus in particular on the concept of ‘necessity’. They begin by examining the interaction between this lawful basis and other obligations under the GDPR.
Lawful, Fair and Transparent Processing
The Guidelines explain that, in order for processing of personal data in reliance on this ground to be ‘lawful’, the contract to provide the online services must itself be valid. Where children are involved, for example, this means ensuring compliance with the national laws governing the capacity of children to enter into contracts.
The requirement for processing to be lawful and fair also requires the controller to satisfy other related legal obligations, such as those relating to unfair terms in consumer contracts.
In order to comply with the transparency obligations under the GDPR, controllers need to ensure that there is no confusion as to which legal basis applies. In particular, data subjects must not be left under the erroneous impression that, by signing a contract or accepting terms of service, they are giving consent to the processing of their personal data under Article 6(1)(a) GDPR. The Guidelines remind us that contractual necessity and consent are two entirely different concepts with different requirements and consequences.
How to Satisfy Article 6(1)(b) and Necessity
The test for assessing whether Article 6(1)(b) is satisfied as a lawful basis is whether the processing is “objectively necessary” either (i) for the performance of a contract with the data subject, or (ii) in order to take pre-contractual steps at the request of the data subject.
The Guidelines adopt a narrow interpretation of “necessity” which involves a “combined, fact-based assessment of the processing” for the objective pursued and a consideration of whether there is any less intrusive way of achieving the same goal. If there is, then the processing is not ‘necessary’ to perform the contract or take pre-contractual steps.
Building references to the processing of personal data into contract terms is not sufficient to bring the processing within the scope of Article 6(1)(b); conversely, processing may be objectively necessary to perform a contract even if it is not mentioned in the contract. A contract cannot artificially expand the categories of personal data or the types of processing that are needed to perform it, for example by incorporating terms that impose additional conditions relating to advertising or cookies. The key question is whether the processing is objectively necessary for a purpose that is integral to the delivery of the contractual service to the data subject.
The controller needs to be able to demonstrate that the main subject matter of the specific contract with the data subject cannot, as a matter of fact, be performed without the specific processing of the personal data in question. The reasonable expectations of the data subject should be taken into account – would an ordinary user of the service reasonably expect the processing to take place in order to provide the service?
If several separate services or elements of a service are bound together in one contract, but they can reasonably be performed independently, then when assessing whether Article 6(1)(b) is satisfied as a legal basis, each service or element needs to be assessed separately, to determine what processing is objectively necessary to perform that service or element.
The Guidelines provide some more specific guidance on the application of Article 6(1)(b) to certain processing, such as:
- Online behavioural advertising, and the associated tracking and profiling of data subjects, is generally not necessary to perform a contract for online services, as it will normally be difficult to argue that the contract could not be performed without serving behavioural ads. Article 6(1)(b) cannot be relied on merely because online advertising indirectly funds the service. Although advertising may support the delivery of the service, this is not sufficient to establish that it is necessary to perform the contract.
- Personalisation – The personalisation of content may be necessary to perform a contract, where it is an intrinsic and expected element of an online service, rather than where it is merely intended to increase engagement with the service. This depends on the nature of the service and the expectations of an average data subject, in light of the terms of service, how it is promoted to users and whether the service can be provided without the personalisation.
- Contractual Warranties – Storing certain data for a specified retention period after the exchange of goods or services, for the purposes of contractual warranties, may be necessary to perform a contract.
- Service Improvement – Processing personal data in order to improve services will not generally be necessary to perform a contract, as the service could be delivered without collecting that information. The controller may, however, be able to rely on an alternative legal basis, such as legitimate interests or consent.
- Fraud Prevention – Processing personal data for fraud prevention purposes is likely to go beyond what is objectively necessary to perform a contract. However, this processing may be in the legitimate interests of the controller, or may be necessary for the controller to comply with a legal obligation.