The European Data Protection Board (the “EDPB”) has published draft guidelines on the scope and application of the contractual legal basis for processing personal data under Article 6(1)(b) of the General Data Protection Regulation (the “GDPR”). The guidelines were adopted by the EDPB on 9 April 2019 and are open for consultation until 24 May 2019. The EDPB notes that the earlier guidance published by the Article 29 Working Party remains relevant, and that any processing of personal data must comply with the GDPR as a whole, not only with Article 6.
Legitimate basis for processing personal data
Under the Charter of the Fundamental Rights of the European Union, personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law”. Article 6(1) of the GDPR provides six specific conditions which may be relied upon as a legitimate basis for processing personal data:
- where the data subject has given consent to the processing for one or more specific purposes;
- where processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- where processing is necessary for compliance with a legal obligation;
- where processing is necessary in order to protect the vital interests of the data subject;
- where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
The application of the contractual legal basis in relation to online services
In the draft guidelines, the EDPB considers the application of the contractual legal basis to the processing of personal data in connection with the provision of online services. Online services are also known as ‘information society services’, defined as “any service normally provided for remuneration, by electronic means and at the individual request of a recipient of services”. This covers online services in the fields of social media, e-commerce, internet search, communication and travel. The EDPB clarifies that the definition also covers services that the recipient does not pay for directly, for example services funded through advertising.
Relying on the contractual legal basis
- Necessity: This is a prerequisite for relying on the contractual legal basis. The data processing must be objectively necessary for the performance of a contract with a data subject, or for taking pre-contractual steps at the request of a data subject. The EDPB clarifies that if there are realistic, less intrusive alternatives for achieving the same goal, the processing will not be considered ‘objectively necessary’.
- Necessary for the performance of a contract with a data subject: A controller wishing to rely on the contractual legal basis must ensure that the processing takes place in the context of a valid contract with the data subject and that it is objectively necessary for the performance of that contract. The EDPB adopts a narrow interpretation: the processing must be objectively necessary for a purpose that is integral to the delivery of the contractual service to the data subject. Where this is not the case, the EDPB states that the controller should consider relying on another legal basis. Merely referencing the processing in the contract will not suffice, according to the draft guidelines.
- Necessary in order to take pre-contractual steps at the request of a data subject: Article 6(1)(b) GDPR also covers processing that is necessary for taking steps prior to entering into a contract, which is useful where the processing facilitates the conclusion of a contract that has not yet been entered into. The EDPB clarifies that this limb does not cover unsolicited marketing, nor processing carried out at the request of a third party or solely on the initiative of the controller, since the steps must be taken at the request of the data subject.
- Termination of a contract: As a general rule, once a contract is terminated the processing will no longer be necessary for its performance, and the controller will therefore need to stop processing. The draft guidelines also state that it is “generally unfair to swap a new legal basis when the original basis ceases to exist.” The EDPB nonetheless recognises that, in certain situations, a different legal basis may apply after termination, for example where the data subject has given consent to continued processing after the contract ends.
Application of the contractual legal basis in certain scenarios
The EDPB provides guidance on the application of the contractual legal basis in the following scenarios:
- Processing for ‘service improvement’: The EDPB considers that it would not generally be appropriate to rely on the contractual legal basis for processing carried out to improve a service or to develop new functions within an existing service. Such processing is not objectively necessary for the performance of the contract with the user, which relates to the service as currently provided rather than to future improvements.
- Processing for ‘fraud prevention’: The EDPB notes that processing personal data for fraud prevention purposes is likely to go beyond what is objectively necessary for the performance of a contract with the data subject, and suggests that such processing may instead be based on a legal obligation or on the controller’s legitimate interests.
- Processing for online behavioural advertising: The EDPB considers that, as a general rule, online behavioural advertising is not a ‘necessary’ element of an online service, since it is separate from the objective purpose of the contract, even where advertising revenue funds the delivery of the service.
- Processing for personalisation of content: The EDPB acknowledges that personalisation of content may be an essential element of certain online services and may therefore be necessary for the performance of the contract. This will not be the case, however, where the personalisation is aimed at increasing user engagement rather than forming an integral part of using the service.
If the draft guidelines are adopted in their current form, service providers seeking to rely on the contractual legal basis for processing in relation to online services will need to ensure that the processing is integral to the performance of the contract. For example, processing credit card details to take payment and address details to deliver goods will be justified under Article 6(1)(b). Personalisation of content may be justified in some circumstances according to the EDPB, for example where a news aggregation service delivers news based on a profile of interests that the individual has created. Personalisation would not be justified, however, where a hotel search engine monitors past hotel bookings to profile the user’s expenditure and recommends particular hotels on that basis when returning search results.
The EDPB’s narrow interpretation of the contractual legal basis may require service providers to consider relying on an alternative basis under Article 6 for their processing. This is not without its challenges: consent can be difficult to obtain validly and can be withdrawn at any time, while processing on the basis of legitimate interests is subject to the individual’s right to object.
The EDPB’s draft guidelines are open for consultation until 24 May 2019.