European Data Protection Board issues guidelines on contractual processing for online services
When is it appropriate for Information Society Services (ISSs) to process personal data on the basis that it is “necessary for the performance of a contract”?
Article 6(1)(b) of the GDPR states that one of the lawful bases for the processing of personal data is where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
The European Data Protection Board (EDPB) has published draft guidelines (which are subject to consultation) setting out when ISSs can rely on Article 6(1)(b). The guidelines both clarify and (in some areas) replace the previous Article 29 Working Party Guidelines on this subject.
The guidelines apply to ISSs whether they are paid for directly by the consumer or financed through advertising. The EDPB acknowledges that the “validity of contracts…is outside [of its] competence”, but otherwise provides guidance on the analysis and applicability of the Article.
Analysis of Article 6(1)(b)
- Article 6(1)(b) in the context of the GDPR
Article 5(1)(a) of the GDPR states that “personal data must be processed lawfully, fairly and transparently in relation to the data subject”. In the context of contracts for online services, the guidelines note that complying with Article 5(1)(a) also means abiding by the relevant contract law; they give the example that the Unfair Contract Terms Directive could apply to a consumer contract. In addition, Articles 5(1)(b) and (c) (purpose limitation and data minimisation) are particularly pertinent to ISSs, which generally have the technological capability to gather and process large amounts of data. Importantly, the guidelines state that the data minimisation duty “complements the necessity assessments” described below.
- Other lawful bases for processing
The EDPB, contradicting the previous guidelines, advises that where processing cannot be deemed to comply with Article 6(1)(b), another basis may be more suitable, such as freely given consent under Article 6(1)(a). Whichever basis is chosen must be identified and communicated to data subjects at the outset of the processing. The EDPB also emphasises the data controller’s transparency obligations: the guidelines strongly advise controllers to specify clearly whether the lawful basis is Article 6(1)(a) or (b), because a controller might otherwise treat the signing of a contract as signifying the data subject’s consent, when the actual basis is that the processing is necessary for the performance of the contract.
- Necessity
“Necessity” has its own “independent meaning” in Community law; its assessment must therefore reflect not only the GDPR principles but also the fundamental rights to privacy and to the protection of personal data.
The guidelines explain that, to assess necessity, the controller must first identify the purpose of the processing, which under the GDPR must be clear, specified and communicated to the data subject. The test the guidelines set out is a “fact-based assessment of the processing and of whether it is less intrusive compared to other options for achieving the same goal”. If there are alternative, less intrusive ways of achieving the same purpose, the processing is not “necessary”. The guidelines also specify that Article 6(1)(b) will not apply to processing which is “useful but not objectively necessary”.
- Contractual necessity
As stated above, Article 6(1)(b) is applicable where processing is necessary for the performance of a contract to which the data subject is party or in order to take pre-contractual steps at the data subject’s request. The guidelines make clear that “merely referencing or mentioning data processing in a contract” does not render the processing “necessary” for the performance of the contract.
Essentially, the purpose of the service must be taken into account when assessing whether Article 6(1)(b) is applicable. The processing should be objectively necessary for a purpose that is integral to delivering that service to the individual, and the controller should be able to demonstrate how the specific contract cannot be performed without the processing. When justifying necessity, it should be assessed from the perspective of both the controller and the data subject. As an example of what might be “necessary for the performance” of a contract, the EDPB gives a retailer processing a buyer’s credit card details and billing address for payment or delivery purposes.
- Taking steps prior to entering into a contract
Article 6(1)(b) also covers processing that is necessary before a contract is concluded, where it is carried out at the data subject’s request to enable the contract to be entered into. The EDPB clarifies that unsolicited marketing, and other processing undertaken on the data controller’s own initiative or at a third party’s request, would not count as necessary under this limb of Article 6(1)(b).
- Termination of a contract
Generally, when a contract for which Article 6(1)(b) is the legal basis is terminated, processing for the purposes of that contract is no longer necessary and must stop. Changing the legal basis at that point is not advised; if processing is to continue after termination, a basis for it (for example consent) must have been identified and obtained beforehand.
In addition, on termination of such a contract, personal data must be deleted in accordance with Article 17(1)(a), as it is no longer necessary for the performance of the contract. Whilst it is possible to keep processing data for the specific purposes set out in Article 17(3), the EDPB states that controllers may only retain data for those purposes if they identified a legal basis for doing so at the start of the processing and communicated to data subjects how long they propose to keep records after termination of the contract.
Applicability of Article 6(1)(b)
- Improving or developing a service
The guidelines suggest that processing for the purpose of improving or developing a service will generally not be necessary for the performance of the contract, and so cannot rely on Article 6(1)(b).
- Fraud prevention
The guidelines also stipulate that processing for fraud prevention purposes is unlikely to be necessary for the performance of the contract, so Article 6(1)(b) would not apply; such processing could still be lawful under another basis, such as compliance with a legal obligation (Article 6(1)(c)) or legitimate interests (Article 6(1)(f)).
- Online behavioural advertising
The EDPB endorses the Article 29 Working Party view that “contractual necessity is not a suitable legal ground for building a profile of the user’s tastes … based on his clickstream on a website and the items purchased”. Given that data subjects have the right under Article 21 to object to processing of their data for direct marketing purposes, the guidelines state that, as a general rule, Article 6(1)(b) cannot be relied on for behavioural advertising, as it is not a necessary component of online services.
Moreover, the guidelines explain that tracking and profiling users in order to target “similar audiences” cannot be undertaken on the basis of Article 6(1)(b). Since that processing serves to direct advertisements at other consumers rather than at the individual who is party to the contract, it cannot be necessary for the performance of the contract between the online service and that individual.
- Personalisation of content
Depending on the nature of the service, the importance of personalisation in delivering it and the expectations of the average consumer, personalisation of content could constitute an essential element of the service and therefore be necessary for the performance of the contract.
The guidelines warn controllers against simply stipulating in a contract that processing is necessary for its performance; instead, controllers should carefully consider, from the perspective of both parties, whether the specific contract genuinely cannot be performed without the processing.
Any practical tips?
Consider whether your processing really is necessary for the performance of the contract, as the answer has different implications for data subjects’ rights and expectations. In addition, consider from the outset whether another legal basis justifies the processing and set this out to the consumer; this may prove prudent where termination of the contract would otherwise require deletion of your customers’ personal data.