Out-Law Analysis
31 Oct 2019, 10:24 am
That is one of the central messages businesses can take from new guidance issued by an EU data protection watchdog.
The guidance helps to clarify when online service providers can proceed with the processing of personal data on the legal basis that the processing is necessary for the performance of a contract, and it offers concrete examples to inform that assessment.
There is a common misconception that businesses can only process personal data if they have obtained the consent of data subjects to such processing.
The General Data Protection Regulation (GDPR) sets out six lawful bases for processing personal data, of which consent is only one.
Article 6(1)(b) of the GDPR provides that the processing of personal data is lawful where the processing is either necessary:
It is this provision of the GDPR that the European Data Protection Board (EDPB) has addressed in its new guidance.
The EDPB explored the concept of 'necessity' in some depth in its new guidance.
The guidance stated that necessity is to be assessed objectively, according to the perspective of a reasonable data subject, and relates to the nature and purpose of the service being provided. It also involves consideration of the fundamental right to privacy and protection of personal data, as well as the GDPR's so-called fairness principle – which demands that the processing is not only lawful but 'fair' too.
The precise wording of the contract is less determinative of whether the processing can be classed as necessary for the performance of a contract, according to the EDPB. It further confirmed that if there are "realistic, less intrusive alternatives" that would achieve the same objective being pursued through the data processing, then the processing cannot be considered 'necessary'.
The EDPB explained in its guidance that the law does not require online service providers to be certain that customers wish to enter into a contract with them to rely on the second strand of article 6(1)(b) to process their personal data at the pre-contract stage.
Processing of the data will be considered necessary in order to take steps at the request of the data subject prior to entering into a contract where it is carried out for the purpose of responding to a prospective customer's enquiry seeking details of the provider's service offerings, the EDPB said.
However, the concept of 'necessity' at the pre-contract stage does not apply to unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party, the EDPB said.
The EDPB's guidance explored the interaction between the concept of consent under the GDPR and the concept of processing being necessary for the performance of a contract.
In doing so, it explained that the practice of making access to services conditional on personal data processing is not sufficient on its own to make the processing necessary.
There is a distinction to be made "between processing activities necessary for the performance of a contract, and clauses making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract", the EDPB said.
Online service providers must assess what is objectively necessary to perform the contract, the EDPB said. Inserting a clause into the contract concerning data processing will not of itself be sufficient to show that the processing is necessary for the performance of that contract, it confirmed.
The EDPB listed examples of data processing activities that it said can be considered as necessary for the performance of a contract, as well as those that cannot.
Its guidance confirmed that online retailers can rely on article 6(1)(b) of the GDPR for processing credit card information and billing addresses for payment purposes, and also for processing a data subject’s home address for the purposes of home delivery. However, it said the retailer would have to rely on a different legal basis for processing the customer's data if it wanted to build a profile of the user's tastes and lifestyle choices, since such profiles are not necessary to carry out the contract.
The EDPB also considered whether personal data processing could be considered necessary for the performance of a contract where the processing is for the purpose of improving services, for fraud prevention or for online behavioural advertising.
In each of these cases the EDPB said the processing could not be objectively considered as necessary for the performance of a contract and that businesses would therefore need to find an alternative lawful basis for proceeding with those processing activities.
The EDPB acknowledged, however, that the personalisation of content may be regarded as necessary for the performance of some contracts. It said that it would depend on "the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation".
It said that content personalisation would not be objectively necessary for the purpose of the underlying contract where personalised content delivery is intended to increase user engagement with a service but is not an integral part of using the service.
According to the EDPB, there are a number of questions online service providers can ask themselves to help them understand whether their processing is 'necessary for the performance of a contract'. Those questions are:
In line with the GDPR's increased emphasis on accountability, the EDPB explained that online service providers seeking to rely on the 'necessary for the performance of a contract' basis for processing personal data must be able to demonstrate that:
Beyond the steps outlined in the EDPB's guidance, online service providers must ensure that they comply with all the basic data protection principles set out in the GDPR.
This means, among other things, ensuring that the processing of personal data is fair and transparent; that the data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; and that the data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Those principles are particularly relevant in contracts for online services.