EDPB Guidelines on the processing of personal data in the context of the provision of online services
The European Data Protection Board (EDPB) adopted draft guidelines on the processing of personal data in the context of the provision of online services, aiming to clarify Article 6(1)(b) GDPR.
Whenever we buy a car or a house, we are well aware of the necessity of a contract. However, how does this apply when it comes to online services? Not interacting with the vendor, filling up the shopping cart ourselves and sometimes even enjoying apps and services for free make us feel that no legal terms govern the transaction, but nothing could be further from the truth.
The EDPB guidelines do not express a view on the validity of contracts for online services generally, but explain the role of data protection as one of the main sets of rules that impact the provision of these services. Pursuant to the GDPR, the processing of personal data can only take place when it is based on one of the six legal bases described in Article 6 GDPR. Specifically, Article 6(1)(b) states that “Processing shall be lawful only if and to the extent that at least one of the following applies […] processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Therefore, controllers can process personal data on a contractual necessity basis, irrespective of how the services provided are financed.
What scenarios does the contractual necessity basis comprise?
Article 6(1)(b) applies where either of two conditions is met: the processing in question must be objectively necessary for the performance of a contract with a data subject, or the processing must be objectively necessary in order to take pre-contractual steps at the request of a data subject. Accordingly, two elements are required:
- The processing takes place in the context of a valid contract with the data subject.
- The processing is necessary in order that the particular contract with the data subject can be performed.
How is “necessity” defined for this purpose?
The concept of necessity has an independent meaning in European Union law: it must reflect the objectives of data protection law and take into account the requirements of the relevant principles, notably the fairness and purpose limitation principles. This means that where other, less intrusive alternatives could be adopted, or the processing is useful but not objectively necessary for performing the contractual service, the concept of “necessity” would not justify the processing.
The EDPB endorses the guidance previously adopted by WP29 and warns that “‘necessary for the performance of a contract with the data subject’ must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller.”
How should “necessity” be assessed?
An assessment should be carried out prior to the commencement of processing. Regard should be given to the particular aim, purpose or objective of the service. Additionally, one should consider the data subjects’ expectations and perspective when entering into the contract. The EDPB offers the following questions as guidance:
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale of the contract (i.e. its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
Where the contract consists of several separate services or elements of a service, the applicability of Article 6(1)(b) shall be assessed separately for each of them.
Termination of contract
As a general rule, the processing should stop once the contract has come to an end in full, and the data should then be erased pursuant to Article 17(1)(a) GDPR. However, it is sometimes possible to switch to a new legal basis, e.g. where data subjects have given their consent to processing after termination or the processing is necessary for legal purposes. The data subject should be properly informed of this before entering into the contract.
- Improvements and modifications to a service: such processing usually cannot be regarded as objectively necessary for the performance of the contract with the user.
- Fraud prevention: in the view of the EDPB, such processing is likely to go beyond what is objectively necessary for the performance of a contract. However, it could still be lawful under another basis in Article 6, such as legal obligation or legitimate interests.
- Online behavioural advertising: according to WP29, contractual necessity is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on their clickstream and the items purchased. Furthermore, in line with ePrivacy requirements, prior consent should be obtained to place the cookies needed to engage in behavioural advertising.
- Personalisation of content: where the function of the service directly relates to personalised content, the processing can be deemed objectively necessary for the performance of the contract. Otherwise, the controller should rely on a different basis to process the data.
The EDPB welcomes comments on the Guidelines; comments should be sent to EDPB@edpb.europa.eu by 24/05/2019 at the latest.