On 9 April 2019, the European Data Protection Board ("EDPB"), an independent European body which contributes to the consistent application of data protection rules throughout the European Union, published draft guidelines on the interpretation of 'contractual necessity' as grounds for processing personal data (the "Guidelines").
The Guidelines relate to Article 6(1)(b) of the General Data Protection Regulation ("GDPR") as applied to contracts for online services provided by online retail shops, news aggregation service providers, hotel search engines and the like. While some of these online services are financed by user payments, the services are often free of charge but funded by advertising that targets data subjects. One of the reasons why the EDPB adopted these guidelines is that users are not always aware that their behaviour is tracked by the service providers for the purposes of advertising.
Article 6 of the GDPR sets out the lawful bases for processing personal data. Article 6(1)(b) of the GDPR specifically relates to the processing 'necessary for the performance of a contract'. This covers both situations in which a contract was concluded with the data subject and those in which specific information is needed before it is possible to enter into a contract.
If a contract was concluded, the EDPB interprets this 'necessity' narrowly and finds that merely referencing or mentioning data processing in a contract is not enough to bring that processing within the scope of Article 6(1)(b). The 'necessity' requirement points to something more than a contractual condition. Regard should be given to the particular aim, purpose and objective of the service.
The Guidelines refer to a 'fundamental and mutually understood contractual purpose' in order to justify this necessity. The data controller should examine carefully the perspective of an average data subject in order to ensure that there is such a genuine mutual understanding on the contractual purpose.
For instance, an online retailer will be able to rely on Article 6(1)(b) of the GDPR to process credit card information and the home address if the data subject (i.e., the customer) opted for payment by credit card and delivery at home. By contrast, processing the data subject's home address will not be necessary for the performance of the purchase contract if the customer opted for shipment to a pick-up point. If the online retailer still wishes to receive the customer's home address, this would require a different legal basis than Article 6(1)(b) of the GDPR. For instance, the retailer may have to request the data subject's freely given consent (Article 6(1)(a) of the GDPR). However, the EDPB clarifies that the legal basis must be identified at the outset of the processing, and, in line with Articles 13 and 14 of the GDPR, information given to data subjects must specify the legal basis.
As mentioned, Article 6(1)(b) of the GDPR also permits processing personal data in a pre-contractual phase. This will apply when the personal data are necessary in order to facilitate the actual conclusion of that contract. This may be the case if a data subject provides his or her postal code so that it can be verified whether a particular service provider operates in that area. By contrast, unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party, is not covered by Article 6(1)(b) of the GDPR.
Finally, the Guidelines assess some specific situations, such as processing: (i) to improve a service; or (ii) for online behavioural advertising. When it comes to the first situation, the EDPB considers that this can usually not be regarded as objectively necessary for the performance of the contract with the user, even though the possibility of improvements and modifications to a service may routinely be included in contractual terms. As to the second situation, the EDPB refers to the general rule that behavioural advertising does not constitute a necessary element of online services. This is supported by Article 21 of the GDPR, which gives data subjects an absolute right to object to processing of their data for direct marketing purposes.
Comments on the Guidelines can be submitted until 24 May 2019. The text of the Guidelines can be consulted here.