The European Data Protection Board ("EDPB") published on April 12, 2019 the draft Guidelines 2/2019 (the "EDPB Guidelines") on the processing of personal data under Article 6(1)(b) of the General Data Protection Regulation (the "GDPR")1 in the context of the provision of online services to data subjects (available here). These Guidelines clarify the applicability of one of the legal basis for processing laid down under GDPR which justifies the processing of personal data necessary for the performance of a contract.
The EDPB Guidelines are mainly focused on the online services sector.
The performance of a contract legal basis may be relied upon to process data such as contact information, purchase history, location data or payment data where such data is necessary to provide an online service. The legal basis may authorize the processing of data in the context of services provided upon payment by the data subject but also in the context of services which are free for the user.
Processing activities which take place before the contract is actually entered into, at the request of the data subject, may also be covered by the performance of a contract legal basis. This would be the case, for instance, where contact information or location data is processed in order to verify whether the service requested by the data subject is available in the area.
The performance of a contract legal basis should be understood within the broader framework laid down by the GDPR. Article 5 contains a reference to two key principles in this regard: purpose limitation and data minimization. Under the purpose limitation principle, data should be collected for "specified, explicit and legitimate purposes" and such data may not be "further processed in a manner that is incompatible with those purposes".2 Consequently, the data processed under the performance of a contract legal basis should be clearly specified and distinguished from the data processed pursuant to other legal basis. In addition, the data minimization principle requires that processing should only involve as much data as necessary to fulfil those purposes.3 Although there is a potential to collect vast amounts of personal data for a variety of purposes when providing online services this must be balanced against the above principles imposed by the GDPR.
The necessity test
The GDPR indicates that the performance of a contract legal basis covers the processing of data which "is necessary for the performance of a contract" (emphasis added). Following this definition, the necessity test is the key element to determine whether or not this legal basis is applicable in a specific case. The necessity test essentially involves comparing the service provided under the contract with the types of data which will be processed. If the service could not be provided without the data, processing of this data would be justified under the performance of a contract legal basis.
To carry out this assessment, it is important that contracts are sufficiently clear about the objectives pursued by the service (e.g., delivery of a good to a specific address, payment for the service, etc.) as well as about the data processed to fulfill each objective (e.g., home address, contact information, payment information, etc.). The EDPB, following WP29's Opinion, indicates that the necessity test is a "facts-based assessment". It may not matter that the contract itself claims that certain processing activities are necessary to perform the obligations entered into. The performance of a contract legal basis can only be used if the substance of the contract requires that data to be processed.
The necessity test should take place before the contract is entered into and, therefore, before the data is processed. This also satisfies the principle of accountability.4
The EDPB Guidelines lay down several elements which may offer further clarity when conducting the necessity test:
- Analyze the counter-factual. To determine whether the processing is necessary, the EDPB requires that alternative ways of performing the contract should be considered. If there are "realistic, less intrusive" alternatives to comply with the contract without collecting the data, then the processing may not be necessary.
- Consider the point of view of the data subject. The necessity test should consider what the data subject may "reasonably expect". Hence, if an average data subject would not reasonably foresee that the contract involves a specific processing activity, the processing would not be necessary for the contract.
- Assess bundled contracts separately. If a contract involves several services or obligations which could be performed separately, the necessity test must be carried out individually for each of them. If a business decides to offer a wide array of services jointly, it may need to process data under different legal bases in each case.
The EDPB Guidelines provide useful examples of activities related to the provision of the online service that may pass the necessity test. For instance, the processing of data for the purposes of personalizing a service may pass the necessity test if the personalization is an important element of the service (e.g., a news aggregation service is based on selecting relevant news following the users' preferences). Conversely, the necessity test might not be met when data is collected for the purposes of improving the services. Ordinarily, the user is entering into the contract to receive the service as it is, therefore, potential improvements are unlikely to be considered as necessary for the performance of the contract with the user.
A contract's life cycle
Businesses may need to process data in different stages of the contractual relationship: from the activities which take place before the contract is entered into, through the performance of the contract and including those activities which take place post-termination. The following list indicates the activities which could be covered by the performance of a contract at each stage of the contractual life cycle:
- Pre-contractual processing. The legal basis covers processing activities which take place at the request of the data subject before entering into a contractual relation. The processing must still be necessary to "facilitate the actual entering into the contract".5 For instance, this would cover the processing of contact information when verifying that the requested service is available in the data subject's area.
- Performance of the contract. During the execution of the contract, the legal basis may cover processing activities which are necessary to fulfil relevant contractual obligations. This includes, for example, the processing of personal data necessary to comply with the agreed warranty (e.g., purchase history, product description and payment details) or to process recurrent payments.
- Termination of the contract. In principle, the performance of a contract legal basis may not cover processing which takes place once all the contractual provisions have been complied with. Nevertheless, other provisions of the GDPR may permit the retention of the data, inter alia, for the establishment of legal claims or to comply with applicable legal requirements (e.g., a legal obligation to retain information for accounting purposes).6
Performance of a contract legal basis or consent?
When deciding whether the performance of a contract legal basis could cover a processing activity, it may be useful to consider whether other legal bases may be more appropriate.
Two further elements should be taken into account concerning the choice of legal basis:
- Special categories of data. Performance of a contract cannot be relied upon as a legal basis to process special categories of personal data under Article 9 of the GDPR. This includes political opinions, data which reveals ethnicity, genetic data or data concerning an individual's sex life or sexual orientation. Explicit consent could be an appropriate legal basis in these cases.7
- Data processed under the e-Privacy Directive. Directive 2002/58/EC (the "e-Privacy Directive") contains rules that require organisations to obtain the user's consent before placing behavioural cookies in terminal equipment. In these cases, the performance of a contract legal basis would not be appropriate.8
The EDPB Guidelines were shared for public consultation on April 12, 2019.
Stakeholders are now invited to submit their views and concerns to the EDPB before the public consultation ends on May 24, 2019. Comments should be sent by e-mail directly to the EDPB at firstname.lastname@example.org including the following subject line: "Reply to public consultation – [your company's name] – Guidelines 02/2019."
1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
8See Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, in particular Article 5(3)