The EDPB released a set of guidelines on the contractual legal basis for the processing of personal data in the context of the provision of online services [1]. The scope of these guidelines is to outline the boundaries and limits of the legal basis of article 6 (1) (b) of the GDPR, i.e. processing that is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject [2].
Without prejudice to the application of all the fundamental principles of article 5 of the GDPR and the rules on contracts, the guidelines analyse the various purposes of processing activities in order to help information society services select the most appropriate legal basis and avoid treating every processing activity as necessary for the performance of the contract with the data subject.
This is particularly true considering that fair and transparent processing, and especially the purpose limitation and data minimisation principles, are relevant in contracts for online services, which are generally not negotiated on an individual basis and include general processing terms. In fact, as already stated by WP29: “the purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose and to allow that compliance with the law can be assessed and data protection safeguards applied. For these reasons, a purpose that is vague or general, such as for instance “improving users’ experience”, “marketing purposes”, “IT-security purposes” will, without more detail, usually not meet the criteria of being “specific”.” [3]
Article 6 (1) (b) and the Necessity Assessment
For the application of Article 6 (1) (b) GDPR, it must first be assessed whether, in relation to a given purpose, the processing is necessary, i.e. whether there is a realistic, less intrusive alternative that achieves the same objective. If there is, the processing is not necessary.
Processing that is merely useful, but not objectively necessary, is not covered by this rule. This does not imply that the processing activity cannot be lawfully carried out. Rather, it means that the controller must select another legal basis, such as consent or legitimate interest, and carry out the processing activity accordingly.
Hence, where the controller cannot demonstrate (i) that a contract exists, (ii) that the contract is valid under applicable contract law, and (iii) that the processing is objectively necessary for the performance of that contract, the controller should resort to another legal basis for processing.
In order to carry out the necessity assessment, the EDPB’s guidelines suggest some guiding questions, according to which the controller should evaluate:
- the distinctive features of the online services;
- the exact rationale of the contract and its essential elements;
- the mutual perspectives and expectations of the parties;
- how the service is promoted or advertised to the data subject.
Termination of Contract and Right to Erasure
The guidelines also address the issue of termination of contract and the right to erasure.
Once the contract is terminated, the legal basis of article 6 (1) (b) is clearly much harder to rely on (except, for instance, where relevant claims or payments are still pending); certain processing activities, such as storage, can nonetheless remain lawful on the basis of a legal obligation, pursuant to article 6 (1) (c). In that case, a request for erasure pursuant to article 17 (1) may be refused if one of two conditions is met: (i) the processing is required for compliance with a legal obligation, pursuant to article 17 (3) (b), or (ii) it is necessary for the establishment, exercise or defence of legal claims, pursuant to article 17 (3) (e).
Article 6 (1) (b) in Specific Cases
Furthermore, the guidelines analyse the applicability of article 6 (1) (b) to specific processing purposes that are closely related to the performance of a contract: service improvement, fraud prevention, online behavioural advertising and personalisation of content.
While service improvement and fraud prevention can easily be linked to a legitimate interest of the controller, behavioural advertising cannot be carried out on the basis of article 6 (1) (b) and is unlikely to be lawful without the explicit consent of the data subject [4].
Processing for the personalisation of content, according to the EDPB, may be considered necessary for the performance of contractual obligations, as in the case of an online news aggregation service based on the users’ interests. On the other hand, profiling that is not linked to the service as requested and is not an integral part of using that service can hardly be based on the contractual legal basis of article 6 (1) (b), meaning that an alternative legal basis will have to apply (e.g. an online search engine that monitors users’ past bookings to create a profile).
This has a significant practical impact, since controllers must then consider whether and how to request consent.
The guidelines represent a useful tool for analysing the purposes of processing activities in the context of online services; they nonetheless require controllers to implement appropriate measures to guarantee respect for the data protection principles.
The article was published on the International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel.