Guidelines 02/2019 on processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects
Section 2.4 Necessity
23. Necessity of processing is a prerequisite for both parts of Article 6(1)(b). At the outset, it is important to note that the concept of what is ‘necessary for the performance of a contract’ is not simply an assessment of what is permitted by or written into the terms of a contract. The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law. Therefore, it also involves consideration of the fundamental right to privacy and protection of personal data, as well as the requirements of data protection principles including, notably, the fairness principle.
24. The starting point is to identify the purpose for the processing, and in the context of a contractual relationship, there may be a variety of purposes for processing. Those purposes must be clearly specified and communicated to the data subject, in line with the controller’s purpose limitation and transparency obligations.
25. Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the samegoal”. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’. Article 6 (1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the controller’s other business purposes.