      Processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects

      • Date November 2, 2020

      Guidelines 02/2019 on processing of personal data under 6(1)(b) GDPR in the context of the provision of online services to data subjects

      Section 2.5  Necessary for performance of a contract with the data subject

      26. A controller can rely on the first option of Article 6 (1)(b) to process personal data when it can, in line with its accountability obligations under Article 5 (2), establish both that the processing takes place in the context of a valid contract with the data subject and that processing is necessary in order that the particular contract with the data subject can be performed. Where controllers cannot demonstrate that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) that the processing is objectively necessary for the performance of the contract, the controller should consider another legal basis for processing.

      27. Merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6 (1)(b). On the other hand, processing may be objectively necessary even if not specifically mentioned in the contract. In any case, the controller must meet its transparency obligations. Where a controller seeks to establish that the processing is based on the performance of a contract with the data subject, it is important to assess what is objectively necessary to perform the contract. ‘Necessary for performance’ clearly requires something more than a contractual clause. This is also clear in light of Article 7 (4). Albeit this provision only regards validity of consent, it illustratively makes a distinction between processing activities necessary for the performance of a contract, and clauses making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract.

      28. In this regard, the EDPB endorses the guidance previously adopted by WP29 on the equivalent provision under the previous Directive that ‘necessary for the performance of a contract with the data subject’:

      • … must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also the fact that some processing is covered by a contract does not automatically mean that the processing is necessary for its performance. […] Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract.

      29. The EDPB also recalls the same WP29 guidance stating:

      • There is a clear connection here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance.

      30. When assessing whether Article 6 (1)(b) is an appropriate legal basis for processing in the context of an online contractual service, regard should be given to the particular aim, purpose, or objective of the service. For applicability of Article 6 (1)(b), it is required that the processing is objectively necessary for a purpose that is integral to the delivery of that contractual service to the data subject. Not excluded is processing of payment details for the purpose of charging for the service. The controller should be able to demonstrate how the main subject-matter of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur. The important issue here is the nexus between the personal data and processing operations concerned, and the performance or non-performance of the service provided under the contract.

      31. Contracts for digital services may incorporate express terms that impose additional conditions about advertising, payments or cookies, amongst other things. A contract cannot artificially expand the categories of personal data or types of processing operation that the controller needs to carry out for the performance of the contract within the meaning of Article 6 (1)(b).

      32. The controller should be able to justify the necessity of its processing by reference to the fundamental and mutually understood contractual purpose. This depends not just on the controller’s perspective, but also a reasonable data subject’s perspective when entering into the contract, and whether the contract can still be considered to be ‘performed’ without the processing in question. Although the controller may consider that the processing is necessary for the contractual purpose, it is important that they examine carefully the perspective of an average data subject in order to ensure that there is a genuine mutual understanding on the contractual purpose.

      33. In order to carry out the assessment of whether Article 6 (1)(b) is applicable, the following questions can be of guidance:

      • What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?

      • What is the exact rationale of the contract (i.e. its substance and fundamental object)?

      • What are the essential elements of the contract?

      • What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

      34. If the assessment of what is ‘necessary for the performance of a contract’, which must be conducted prior to the commencement of processing, shows that the intended processing goes beyond what is objectively necessary for the performance of a contract, this does not render such future processing unlawful per se. As already mentioned, Article 6 makes clear that other lawful bases are potentially available prior to the initiation of the processing.

      35. If, over the lifespan of a service, new technology is introduced that changes how personal data are processed, or the service otherwise evolves, the criteria above need to be assessed anew to determine if any new or altered processing operations can be based on Article 6 (1)(b).

      Example 1 A data subject buys items from an online retailer. The data subject wants to pay by credit card and for the products to be delivered to their home address. In order to fulfil the contract, the retailer must process the data subject’s credit card information and billing address for payment purposes and the data subject’s home address for delivery. Thus, Article 6 (1)(b) is applicable as a legal basis for these processing activities. However, if the customer has opted for shipment to a pick-up point, the processing of the data subject’s home address is no longer necessary for the performance of the purchase contract. Any processing of the data subject’s address in this context will require a different legal basis than Article 6 (1)(b).

      Example 2 The same online retailer wishes to build profiles of the user’s tastes and lifestyle choices based on their visits to the website. Completion of the purchase contract is not dependent upon building such profiles. Even if profiling is specifically mentioned in the contract, this fact alone does not make it ‘necessary’ for the performance of the contract. If the on-line retailer wants to carry out such profiling, it needs to rely on a different legal basis.

      36. Within the boundaries of contractual law, and if applicable, consumer law, controllers are free to design their business, services and contracts. In some cases, a controller may wish to bundle several separate services or elements of a service with different fundamental purposes, features or rationale into one contract. This may create a ‘take it or leave it’ situation for data subjects who may only be interested in one of the services.

      37. As a matter of data protection law, controllers need to take into account that the processing activities foreseen must have an appropriate legal basis. Where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, the question arises to which extent Article 6 (1)(b) can serve as a legal basis. The applicability of Article 6 (1)(b) should be assessed in the context of each of those services separately, looking at what is objectively necessary to perform each of the individual services which the data subject has actively requested or signed up for. This assessment may reveal that certain processing activities are not necessary for the individual services requested by the data subject, but rather necessary for the controller’s wider business model. In that case, Article 6 (1)(b) will not be a legal basis for those activities. However, other legal bases may be available for that processing, such as Article 6 (1)(a) or (f), provided that the relevant criteria are met. Therefore, the assessment of the applicability of Article 6 (1)(b) does not affect the legality of the contract or the bundling of services as such.

      38. As WP29 has previously observed, the legal basis only applies to what is necessary for the performance of a contract. As such, it does not automatically apply to all further actions triggered by non-compliance or to all other incidents in the execution of a contract. However, certain actions can be reasonably foreseen and necessary within a normal contractual relationship, such as sending formal reminders about outstanding payments or correcting errors or delays in the performance of the contract. Article 6 (1)(b) may cover processing of personal data which is necessary in relation to such actions.

      Example 3 A company sells products online. A customer contacts the company because the colour of the product purchased is different from what was agreed upon. The processing of personal data of the customer for the purpose of rectifying this issue can be based on Article 6 (1)(b).

      39. Contractual warranty may be part of performing a contract, and thus storing certain data for a specified retention time after exchange of goods/services/payment has been finalised for the purpose of warranties may be necessary for the performance of a contract.

      Richard V
