- The EDPB has published guidance on the ability of online service providers to rely on the fact that processing is necessary for the performance of a contract in order to legitimise their processing of personal data.
- Although aimed specifically at online services, the guidance will nonetheless be useful for all controller organisations looking to rely on this processing condition.
- The guidance adopts a fairly narrow approach to interpretation with an objective assessment of “necessity” being required as opposed to relying on what is permitted under or required by the terms of a contract.
Lawful bases for processing under the GDPR
All processing of personal data must satisfy one of the six lawful bases for processing under Article 6(1) of the GDPR. Article 6(1)(b) applies where the processing “is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.
What does the guidance say?
The guidance focusses on the application of Article 6(1)(b) to online service providers and is intended to ensure that the “contractual necessity” basis is only relied upon in the context of online services where such reliance is appropriate.
In short, the guidance provides that whether processing is “necessary” for the purposes of Article 6(1)(b) will depend on whether one of the following conditions is met:
- the processing must be objectively necessary for the performance of a contract with a data subject; or
- the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject.
It is important to note that “necessity” in this context does not simply mean what is permitted under or required by the terms of a contract. In particular, the guidance indicates that where there are “realistic, less intrusive alternatives” than the processing which would achieve the same purpose, then such processing will not be deemed necessary for the purposes of Article 6(1)(b), regardless of the terms of the contract. Further, the guidance makes it clear that Article 6(1)(b) will not apply to processing which is “useful but not objectively necessary for performing the contract”, even where the processing is necessary for the data controller’s other business purposes.
Necessary for the performance of a contract
In order to rely on this limb of Article 6(1)(b), a controller will need to demonstrate the existence of a valid contract between it and the data subject, and be able to show that the processing in question is necessary in order for that particular contract to be performed.
As noted above, “necessary” in this context will require something more than a contractual condition: the processing must be in some way essential, or fundamental, such that objectively, the main purpose of the specific contract cannot be performed if the specific processing of the specific personal data does not occur.
For example, it is objectively necessary for an online service provider to process personal details such as credit card information and billing address in the context of taking payment, or for an online retailer to obtain a data subject’s home address for the purposes of delivery. However, where a data subject opts for “click and collect” delivery, it would not be objectively necessary for an online retailer to obtain the data subject’s home address (save, of course, where the home address happens to be the same as the billing address).
Other processing activities are likely to fall within a grey area. For example, the guidance notes that profiling for the purposes of tailoring or personalisation may be deemed objectively necessary in some circumstances, such as where such personalisation is an essential or expected feature of the service, but this will not always be the case.
Necessary for pre-contractual steps
To rely on this limb, the controller must be able to show that the contract in question could not be entered into without the pre-contractual processing having taken place. The controller must also be able to show that the pre-contractual steps are carried out at the request of a data subject – i.e. this limb will not apply to unsolicited marketing activities or processing carried out at the controller’s discretion.
For example, a data subject may enter their postcode on a particular company’s website to check whether a particular service is available in their area. Processing that postcode would be objectively necessary to take pre-contractual steps at the data subject’s request.
In contrast, processing for the purposes of targeted advertising would not be deemed objectively necessary for pre-contractual steps: it would be difficult to argue that no contract could be entered into in the absence of targeted advertising, or that the advertising was carried out at the data subject’s request. In particular, the guidance notes that this is the case even where such advertising funds the services, because such advertising would be separate from the objective of any contract between the controller and the data subject.
Impact for businesses
The guidance confirms a fairly narrow interpretation and objective assessment of necessity. It is helpful in the examples given but acknowledges that there will be many grey areas, for which the guidance provides no practical solution. In light of the narrow approach to interpretation, controllers may however wish to adopt a cautious approach when navigating such grey areas.