The EDPB Offers Guidelines for Lawful Basis of Processing Based on the Necessity for the Performance of a Contract

By Michael A. Shapiro, Esq., CIPP/US/E, attorney with XPAN Law Group

Article 6 of the General Data Protection Regulation (GDPR) requires that processing must be “lawful” on the basis of six specified conditions set forth in Article 6(1)(a) to (f).   One of the basis for lawful processing is the “necess[ity] for the performance of a contract to which the data subject is party or . . . to take steps at the request of the data subject prior to entering into a contract.” Art. 6(1)(b).   The European Data Protection Board (EDPB) has recently published a final version of its Guidelines on the Processing of Personal Data under Article 6(1)(b) GDPR in the Context of the Provision of Online Services to Data Subjects (Guidelines).  Although the Guidelines are focused on contracts for online services, the principles they articulate are equally applicable to processing of personal data in any contractual context.

The Guidelines require that the lawful basis for processing under Article 6(1)(b) must be considered in the context of the GDPR as a whole.  In this regard, controllers must ensure that the processing is lawful, fair, and transparent with regard to data subjects.  Thus, the contract itself must be valid under applicable contract law, including consumer protection regulations.  The GDPR principles of purpose limitation and data minimization, in turn, require that controllers avoid general processing terms in their contracts designed to maximize possible collection and uses of data.  For example, vague terms such as “improving user experience” or “marketing purposes” would usually not meet the criteria of being “specific.”

In line with their transparency obligations, controllers should also seek to avoid confusion as to the applicable basis for processing.  For example, controllers might erroneously assume that by signing a contract in order to complete a contractual transaction, data subjects are giving consent to processing in line with Article 6(1)(a).  The EDPB cautions that accepting terms of service to conclude a contact and giving consent under Article 6(1)(a) are separate concepts with different legal requirements and consequences.

Necessity for Performance of a Contract with the Data Subject

Consistent with the GDPR general principles, a controller may rely on the “necessity for the performance of a contract” basis for processing where it can establish that (1) processing takes place in the context of a valid contract with a data subject and (2) the processing is necessary in order that the particular contract with the data subject be performed.  The concept of “necessity” is not based on the assessment of what is permitted by the terms of the contract.  Rather, it is fact-based objective assessment of what is genuinely necessary for the performance of the contract.  This, in turn, requires a determination of the substance and fundamental objective of the contract.

For example, a contract for digital services may impose conditions regarding advertising and cookies which are beyond what is objectively necessary for the performance of the contracted services.  In that case, the additional processing requires a different legal basis than Article 6(1)(b).  According to the Guidelines, behavioral advertising is generally not necessary for the performance of the contract for online services, even if advertising indirectly funds the provision of the service.

Online retailers often seek to build profiles of the users’ tastes and lifestyle choices based on their  website visits and might specifically mention profiling in the terms of service. However, if the completion of online purchase is not dependent upon building such profiles, retailers cannot rely on Article 6(1)(b) as the legal basis for profiling.

According to the Guidelines, the metrics compiled by online providers on how users engage with their services would also generally not be regarded as necessary for the provision of services under the contract and therefore would require a separate basis for processing.

On the other hand, personalization of content may in some cases constitute an intrinsic and expected element of online services and thus be regarded as necessary for the performance of the contract in some cases.  Whether such processing may be regarded as an intrinsic aspect of online services depends on the nature of services, the expectations of data subjects (in light of the terms of service and the way service is promoted), and whether the service can be provided without personalization.

Necessity for Taking Steps Prior to Entering into a Contract

Article 6(1)(b) also applies where processing is necessary in order to take steps at the request of data subject prior to entering into a contract.  For example, if a consumer provides their zip code to check what channels a streaming TV provider offers in their town, the processing for purposes of responding to the inquiry can be based on Article 6(1)(b).  On the other hand, Article 6(1)(b) does not apply to unsolicited marketing or other processing initiated by the controller or a third party.

Termination of Contract

Where the processing is bases on Article 6(1)(b), and the contract is terminated in full, the processing is generally would no longer be necessary for purposes of the performance of contract.   Thus, the controller might be required to stop processing and erase personal data in accordance with Article 17(1)(a).  At the same time, a terminated contract may entail certain obligations such as contractual warranty, returning of goods, or payment.  According to the Guidelines, the associated processing may still be conducted pursuant to Article 6(1)(b).

Overall, the Guidelines make clear that companies may not rely on Article 6(1)(b) to justify processing activities however remotely related to the purposes of contractual transactions.  Nor may companies simply list their processing activities in the terms of service and then rely on Article 6(1)(b) as their lawful basis.   The GDPR requires that companies conduct a thorough and documented analysis of what activities are genuinely necessary for the completion of the contractual transaction. Any processing beyond these activities, including profiling, behavioral advertising, and metrics, would likely require data subject’s consent or establishing a controller’s legitimate interest.

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.