Guidelines 02/2019 on processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects

Section 2.1  General observations

11. The lawful basis for processing on the basis of Article 6(1)(b) needs to be considered in the context of the GDPR as a whole, the objectives set out in Article 1, and alongside controllers’ duty to process personal data in compliance with the data protection principles pursuant to Article 5. This includes processing personal data in a fair and transparent manner and in line with the purpose limitation and data minimisation obligations.

12. Article 5 (1)(a) GDPR provides that personal data must be processed lawfully, fairly and transparently in relation to the data subject. The principle of fairness includes, inter alia, recognising the reasonable expectations of the data subjects, considering possible adverse consequences processing may have on them, and having regard to the relationship and potential effects of imbalance between them and the controller.

13. As mentioned, as a matter of lawfulness, contracts for online services must be valid under the applicable contract law. An example of a relevant factor is whether the data subject is a child. In such a case (and aside from complying with the requirements of the GDPR, including the ‘specific protections’ which apply to children), the controller must ensure that it complies with the relevant national laws on the capacity of children to enter into contracts. Furthermore, to ensure compliance with the fairness and lawfulness principles, the controller needs to satisfy other legal requirements. For example, for consumer contracts, Directive 93/13/EEC on unfair terms in consumer contracts (the “Unfair Contract Terms Directive”) may be applicable. Article 6(1)(b) is not limited to contracts governed by the law of an EEA member state.

14. Article 5 (1)(b) of the GDPR provides for the purpose limitation principle, which requires that personaldata must be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

15. Article 5 (1)(c) provides for data minimisation as a principle, i.e. processing as little data as possible in order to achieve the purpose. This assessment complements the necessity assessments pursuant to Article 6 (1)(b) to (f).

16. Both purpose limitation and data minimisation principles are particularly relevant in contracts for online services, which typically are not negotiated on an individual basis. Technological advancements make it possible for controllers to easily collect and process more personal data than ever before. As a result, there is an acute risk that data controllers may seek to include general processing terms in contracts in order to maximise the possible collection and uses of data, without adequately specifying those purposes or considering data minimisation obligations. WP29 has previously stated:

• The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied. For these reasons, a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will – without more detail – usually not meet the criteria of being ‘specific’.