The European Data Protection Board (EDPB) met for its ninth plenary session on 9 and 10 April 2019. The EDPB discussed a number of issues concerning the application of the General Data Protection Regulation 2016/679 (GDPR), outlined in the agenda.
One of the key developments was the adoption of draft guidelines by the EDPB on the scope and application of GDPR Article 6(1)(b) which is largely known as ‘contractual necessity’ or ‘performance of a contract’ legal basis. GDPR Article 6(1)(b) provides a lawful basis for processing where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
The guidelines offer important clarification on what may be considered “necessary”, as well as useful guidance for processing in the context of online services to ensure that this legal basis is only relied upon when appropriate.
The starting point for a controller is to determine the purpose of the processing. The processing must be objectively necessary either for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject. If there are realistic, less intrusive alternatives, the processing is not necessary and another legal basis under GDPR Article 6(1) will need to be relied upon.
Necessary for the performance of a contract with the data subject
A controller must establish that the processing takes place in the context of a valid contract and the processing is necessary to enable that particular contract to be performed.
The guidelines make clear that merely referencing or mentioning data processing in a contract will not itself be sufficient to establish necessity. This means that any term that makes providing the service conditional on processing may not always be relied upon, especially if the term is unilaterally imposed on the individual.
In the context of online services, the EDPB emphasises that the processing must be objectively necessary for a purpose that is integral to the delivery of that contractual service, for example processing of payment details for the purpose of charging for the service.
Where Article 6(1)(b) is being relied upon, a controller should anticipate what happens if that contract is terminated. As a general rule, once the contract is terminated, the processing of personal data will need to cease as it will no longer be necessary for the performance of that contract. The EDPB acknowledges, however, that there may be instances where it is fair to rely on a new legal basis after termination, for example where the data subject has provided their consent to further processing or where there is a legal obligation to retain personal data. In such circumstances, controllers will need to identify the alternative legal basis at the outset of processing and communicate clearly to the individual how long they plan to retain records after termination of a contract.
Necessary for taking steps prior to entering into a contract
The guidelines clarify that “necessity to take pre-contractual steps” would not cover unsolicited marketing or any other processing that is carried out solely on the initiative of the data controller or at the request of a third party.
Applicability of Article 6(1)(b) in specific situations
The guidelines also discuss the use of Article 6(1)(b) for certain purposes in the context of online services, namely service improvement, fraud prevention, online behavioural advertising and personalisation of content. Processing for service improvement is unlikely to satisfy the necessity threshold. Similarly, processing for fraud prevention will not satisfy the necessity threshold either, but could be carried out under another basis such as legal obligation or legitimate interest.
Personalisation of content may, in some instances, be necessary, depending on whether the personalisation of the content is objectively necessary for the purpose of the underlying contract.
The guidelines offer some helpful clarification on a widely relied upon legal basis for the processing of personal data. The EDPB is accepting comments on these guidelines until 24 May 2019.
In the meantime, keep an eye on our blog for a summary of the other areas covered in the EDPB’s ninth plenary session.