The European Data Protection Board (EDPB) has published draft guidelines on processing personal data in the context of online services, under the legal basis of performance of an online service contract. Processing under the GDPR is permissible only if it is performed under a recognized legal basis. One of those bases is where the processing is necessary for the performance of a contract with the data subject.

The guidelines explain that in order to rely on this legal basis, the controller needs to be able to prove necessity – that the services contract cannot be performed without that particular data processing, and that processing at a lesser degree or scope would not achieve the required contractual performance. Examples of processing that the draft guidelines deem insufficiently necessary for the performance of the contract (and thus impermissible under this legal basis): processing for the purpose of improving the service, for fraud prevention or detection, or for profiling a user’s online behavior in order to deliver targeted ads (even if that processing is the funding basis for the provision of a free online service).

The draft guidelines are open for public comments through May 24, 2019.

CLICK HERE to read the EDPB’s draft guidelines.

This article was published in the Internet, Cyber and Copyright Group’s April 2019 Newsletter.