Guidance on data processing for online service providers

That is one of the central messages the businesses can take from new guidance issued by an EU data protection watchdog.

The guidance helps to clarify when online service providers can proceed with the processing of personal data on the legal basis that the processing is necessary for the performance of a contract, and it offers concrete examples to inform that assessment.

The legal context

There is a common misconception that businesses can only process personal data if they have obtained the consent of data subjects to such processing.

The General Data Protection Regulation (GDPR) sets out six lawful bases for processing personal data, of which consent is only one.

Article 6(1)(b) of the GDPR provides that the processing of personal data is lawful where the processing is either necessary:

• for the performance of a contract to which the data subject is a party, or;
• in order to take steps at the request of the data subject prior to entering into a contract.

It is this section of the GDPR that the EDPB has addressed in its new guidance.

Assessing 'necessity'

The EDPB explored the concept of 'necessity' in some depth in its new guidance.

The guidance stated that necessity is to be assessed objectively, according to the perspective of a reasonable data subject, and relates to the nature and purpose of the service being provided. It also involves consideration of the fundamental right to privacy and protection of personal data, as well as the GDPR's so-called fairness principle – which demands that the processing is not only lawful but 'fair' too.

The precise wording of the contract is less determinative of whether the processing can be classed as necessary for the performance of a contract, according to the EDPB. It further confirmed that if there are "realistic, less intrusive alternatives" that would achieve the same objective being pursued through the data processing then the processing can definitely not be considered 'necessary'.

Necessity at the pre-contract stage

The EDPB explained in its guidance that the law does not require online service providers to be certain that customers wish to enter into a contract with them to rely on the second strand of article 6(1)(b) to process their personal data at the pre-contract stage.

Processing of the data will be considered necessary in order to take steps at the request of the data subject prior to entering into a contract in cases where it is for the purpose of responding to a prospective customer's enquiry that seeks details of the provider's service offerings, the EDPB.

However, the concept of 'necessity' at the pre-contract stage does not apply to unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party, the EDPB said.

Necessity cannot be written into contracts

The EDPB's guidance explored the interaction between the concept of consent under the GDPR and the concept of processing being necessary for the performance of a contract.

In doing so, it explained that the practice of making access to services conditional on personal data processing is not sufficient on its own to make the processing necessary.

There is a distinction to be made "between processing activities necessary for the performance of a contract, and clauses making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract", the EDPB said.

Online service providers must assess what is objectively necessary to perform the contract, the EDPB said. Inserting a clause into the contract concerning data processing will not of itself be sufficient to show that the processing is necessary for the performance of that contract, it confirmed.

Example – online retail

The EDPB listed examples of data processing activities that it said can be considered as necessary for the performance of a contract, as well as those that cannot.

Its guidance confirmed that online retailers can rely on article 6(1)(b) of the GDPR for processing credit card information and billing addresses for payment purposes, and also for processing a data subject’s home address for the purposes of home delivery. However, it said the retailer would have to rely on a different legal basis for processing the customer's data if it wanted to build a profile of the user's tastes and lifestyle choices, since such profiles are not necessary to carry out the contract.

Examples – service improvement, fraud prevention and behavioural advertising

The EDPB also considered whether personal data processing could be considered necessary for the performance of a contract where the processing is for the purpose of improving services, for fraud prevention or for online behavioural advertising.

In each of these cases the EDPB said the processing could not be objectively considered as necessary for the performance of a contract and that businesses would therefore need to find an alternative lawful basis for proceeding with those processing activities.

Example – personalisation

The EDPB acknowledged, however, that the personalisation of content may be regarded as necessary for the performance of some contracts. It said that it would depend on "the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation".

It said that content personalisation would not be objectively necessary for the purpose of the underlying contract where personalised content delivery is intended to increase user engagement with a service but is not an integral part of using the service.

Questions businesses can ask themselves

According to the EDPB, there are a number of questions online service providers can ask themselves to help them understand whether their processing is 'necessary for the performance of a contract'. Those questions are:

• What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
• What is the exact rationale of the contract (i.e. its substance and fundamental object)?
• What are the essential elements of the contract?
• Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

Demonstrating compliance

In line with the GDPR's increased emphasis on accountability, the EDPB explained that online service providers seeking to rely on the 'necessary for the performance of a contract' basis for processing personal data must be able to demonstrate that:

• a contract exists between themselves and the data subject, and that there is a genuine mutual understanding on the contractual purpose;
• the contract is legally valid, and;
• how the main object of the contract cannot, as a matter of fact, be performed without the proposed data processing activities going ahead

Other data protection considerations

Beyond the steps outlined in the EDPB's guidance, online service providers must ensure that they comply with all the basic data protection principles set out in the GDPR.

This means, among other things, ensuring the processing of personal data is fair and transparent, and that the data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, and that the data is also adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Those principles are particularly relevant in contracts for online services.