The European Data Protection Board (EDPB) at the end of its ninth plenary session held on April 9 and 10th, 2019, released draft guidelines on the contractual necessity legal basis for processing personal data in the context of the provision of online services to data subjects (Guidelines 2/2019 on “the processing of personal data under Article 6 (1) (b) GDPR in the context of the provision of online services to data subjects”). The guidelines highlight the narrow scope of the contractual necessity legal basis. In particular the guidelines concern with the applicability of Article 6 (1)b) GDPR to processing of personal data in the context of contracts for online services. The scope of the guidelines is to outline the elements of lawful processing under Article 6 (1)(b), but particularly to clarify the concept of “necessity” since Article 6(1)(b) GDPR provides a lawful basis for processing where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. Article 6(1) (b) GDPR applies where either of two conditions are met: the processing is objectively necessary for the performance of a contract with a data subject, or the processing is objectively necessary in order to take pre-contractual steps at the request of a data subject. The EDPB specifies, “assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal”. If there are realistic, less intrusive alternatives, the processing is not ‘necessary’”. Therefore, Article 6(1) (b) GDPR will not be an appropriate legal basis for processing which is useful but not objectively necessary for performing the contractual service or for taking relevant pre-contractual steps at the request of the data subject, even if it is necessary for the data controller’s other business purposes. With respect to the first of the two alternative abovementioned conditions, the processing is necessary for performance of a contract with the data subject, the EDPB underlines that a data controller can rely on the legal basis of Article 6 (1)(b) GDPR only if he can establish that the processing takes place in the context of a valid contract with the data subject and overall that processing is necessary in order for the specific contract with the data subject to be performed. Where a data controller cannot demonstrate such necessity, he needs to consider another legal basis for processing personal data. As clearly pointed out in the EDBP guidelines, merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b). In order to establish that the processing is based on the performance of a contract with the data subject, it is essential to assess what is objectively necessary to perform the contract. For applicability of Article 6(1)(b), it is required that the processing is objectively necessary for a purpose that is integral to the delivery of the contractual service to the data subject. The data controller should be able to demonstrate how the main object of the specific contract with the data subject cannot be performed if the specific processing of the personal data does not occur. The provision that the processing is necessary in order to take pre-contractual steps at the request of a data subject is the second conditions for applicability of Article 6 (1)(b) GDPR as legal basis for the processing of personal data. Referring to this condition, the EDBP explains that it is a provision which reflects the possibility, in some cases, for preliminary processing of personal data to be necessary before entering into a contract in order to facilitate the actual entering into a contract, but it stresses that in any case, this provision would not cover unsolicited marketing or other processing which are carried out solely on the initiative of the data controller, or at the request of a third party. At the end of these guidelines, the EDPB deals with the applicability of Article 6 (1)(b) GDPR in some specific situations, namely: (i) processing for service improvement, (ii) processing for fraud prevention, (iii) processing for online behavioural advertising and (iv) processing for personalization of content. According to EDPB, processing for service improvement is unlikely to satisfy the “necessity threshold”. In most cases, the collection of information on how users engage with the service cannot be considered as necessary for the provision of the service because the service can be delivered without the processing of such personal data. Similarly, processing for fraud prevention will also be unnecessary, but could be carried out under another basis in Article 6 GDPR, such as legal obligation or legitimate interest. The Board considers that behavioural advertising does not constitute a necessary element of online services. The EDPB points out it would be hard to argue that the contract had not been performed because there were no behavioural ads, bearing in mind, in particular, that data subjects have the right under Article 21 GDPR to object to processing of their data for direct marketing purposes. Further to this, the Board stresses that “Article 6(1) (b) cannot provide a lawful basis for online behavioural advertising simply because such advertising indirectly funds the provision of the service. Although such processing may support the delivery of a service, it is separate from the objective purpose of the contract between the user and the service provider, and therefore not necessary for the performance of the contract at issue.” Referring to processing for personalization of content, the EDPB acknowledges that personalization of content may, but does not always, be an essential element of certain online services and therefore considered as necessary for the performance of a contract. However, the Board highlights that whether such processing can be regarded as an intrinsic aspect of an online service depends on many factors such as the…
Read More
