On November 9, 2019, the European Data Protection Board (EDPB) adopted guidelines on the GDPR’s lawful basis for processing. In particular, the EDPB provided guidance on the “contractual necessity basis for processing personal data in the context of online services.” Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.
The Guidelines are open for public consultation until May 24, 2019.
By way of background, the GDPR specifies that processing shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f), GDPR, so as to fully respect the principle of fairness.
In particular, Article 6(1)(b), GDPR, provides that a lawful basis for the processing of personal data exists when “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”
With Guidelines 2/2019, the EDPB focused on the “contractual necessity basis for processing personal data in the context of online services” and how the concept of “necessity” applies to the requirement of a processing “necessary for the performance of a contract” relating to online services.
First, the EDPB highlights how contracts for online services must be valid and lawful. Even if on line service contracts are generally not negotiated on an individual basis, they should abide to the purpose limitation principle (which requires that personal data must be collected and processed for specified, explicit, and legitimate purposes, Article 5(1)(b), GDPR) and the data minimization principle (which requires to process as little data as possible to achieve the purpose, Article 5(1)(c), GDPR).
For these reasons, a purpose that is vague or general, such as for instance “improving users’ experience”, “marketing purposes”, “IT-security purposes” or “future research” will – without more detail – usually not be specific enough to comply with the GDPR.
In addition, the EDPB explains that Article 6(1)(b), GDPR, applies where either one of two conditions are met: the processing in question must be objectively necessary for the performance of a contract with a data subject, or in order to take pre-contractual steps at the request of a data subject.
The assessment of whether the processing is “necessary” “involves a combined, fact-based assessment of the processing for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’. Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.”
Also, the processing shall be necessary to perform that particular contract.
In order to asses whether the processing is necessary for the performance of the contract, the EDPB provides the following list of questions for guidance:
– What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
– What is the exact rationale of the contract (i.e. its substance and fundamental object)?
– What are the essential elements of the contract?
– What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject?
– Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
The EDPB also provides several useful examples to guide the controller in establishing the existence of a lawful basis under Article 6(1)(b), GDPR, in the context of the provision of online services.