Earlier this month the European Data Protection Board (EDPB) adopted the final version of its Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (the Guidelines). The Guidelines provide further guidance on the circumstances in which controllers are able to rely upon the legal ground for processing set out in GDPR Article 6(1)(b).
GDPR Article 6(1)(b) provides a legal basis for controllers to process personal data where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. This legal basis is commonly relied upon where a controller processes personal data in connection with the performance of its contracts (a customer contract, for example) and, as the EDPB notes, it reflects the fact that contractual obligations towards data subjects sometimes cannot be performed without the data subject providing certain personal data.
The EDPB cautions against the incorrect application of Article 6(1)(b), reminding us that its scope is relatively narrow and that controllers ought to consider each of the core elements of this legal basis before opting to rely upon it. It may be, for example, that another legal basis is more appropriate.
The Guidelines focus on the need to assess whether the processing of personal data is necessary for the performance of the relevant contract (assuming first that a valid, binding contract exists between controller and data subject). The EDPB notes that a controller should be able to demonstrate that the main subject matter of the specific contract with a data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur. The EDPB appears concerned that controllers are seeking to rely on this legal basis where the processing activity is merely related to, or forms part of, a contract with a data subject rather than being fundamental to its performance.
To illustrate the need for precision in this area, the Guidelines consider a number of examples, many of which highlight the link with other principles within the GDPR, such as purpose limitation and data minimisation. Consider, for example, an online retail context in which a customer (the data subject) opts for shipment of goods to a separate delivery address, so that processing of the data subject’s home address is no longer necessary for the performance of the purchase contract. Continued processing of the customer’s home address is likely to require a legal basis other than Article 6(1)(b) and, where no such basis is apparent, the controller may have to consider whether that data can lawfully be retained at all.
The Guidelines also consider the second limb of Article 6(1)(b), which applies where processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. There may, for example, be circumstances in which a controller needs to process a data subject’s personal data in order to enter into a contract with that person at all. The Guidelines note that this limb does not cover unsolicited marketing or other processing carried out solely at the initiative of the controller or at the request of a third party: the processing must be at the request of the data subject and in the context of potentially entering into a contract.