Guidelines 02/2019 on processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects

Section 1.2  Scope of these guidelines

7. These guidelines are concerned with the applicability of Article 6(1)(b) to processing of personal data in the context of contracts for online services, irrespective of how the services are financed. The guidelines will outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the concept of ‘necessity’ as it applies to ’necessary for the performance of a contract’.

8. Data protection rules govern important aspects of how online services interact with their users, however, other rules apply as well. Regulation of online services involves cross-functional responsibilities in the fields of, inter alia, consumer protection law, and competition law. Considerations regarding these fields of law are beyond the scope of these guidelines.

9. Although Article 6(1)(b) can only apply in a contractual context, these guidelines do not express a view on the validity of contracts for online services generally, as this is outside the competence of the EDPB. Nonetheless, contracts and contractual terms must comply with the requirements of contract laws and, as the case may be for consumer contracts, consumer protection laws in order for processing based on those terms to be considered fair and lawful.

10. Some general observations on data protection principles are included below, but not all data protection issues that may arise when processing under Article 6(1)(b) will be elaborated on. Controllers must always ensure that they comply with the data protection principles set out in Article 5 and all other requirements of the GDPR and, where applicable, the ePrivacy legislation.