Draft Guidelines 2/2019: What personal data processing may be considered as intrinsic to a contract?

AUTHOR: María Bardají

DATE: 26.04.2019

The European Data Protection Board (hereinafter “EDPB”), whose first priority is to contribute to the consistent application of data protection rules throughout the European Union, has published a call for comments concerning Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects.

Article 6 establishes the grounds on which processing may be based in order to be considered lawful. Among other grounds, such as the consent of the data subject, letter b) of paragraph 1 allows the processing of personal data to be based on the fact that such processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Controllers may be tempted to justify different kinds of personal data processing on this legal basis, turning it into a hodgepodge where every processing fits even though the link to the contract is just incidental and may even be forced.

The EDPB wants to set clear rules on how this legal basis shall be understood in order to ban practices, especially in the online sector, that tend to include certain personal data processing as intrinsic to the execution and development of the contract when it is absolutely independent from it.

According to these Guidelines, the processing of personal data must be necessary for the performance of the contract or for taking relevant pre-contractual steps. If less intrusive alternatives exist that could achieve the same objective, the processing may not be considered necessary and would therefore need to be based on another of the legal grounds stated in Art. 6 of the GDPR, such as the consent of the user or legitimate interest, after of course having assessed its applicability.

Processing such as “service improvement”, “prevention of fraud” and unsolicited “online behavioural advertisement” is not considered as necessary by the EDPB.
In order to help controllers determine whether the processing is necessary or not, the Guidelines provide 4 questions:

  • What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
  • What is the exact rationale of the contract (i.e. its substance and fundamental object)?
  • What are the essential elements of the contract?
  • What are the mutual perspectives and expectations of the parties to the contract? How is the service promoted or advertised to the data subject? Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?

What is clear is that secondary processing that until now has been included as part of the contract, or has been treated as a precondition to entering into the contract, will come under close scrutiny in the future.