On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines on the legal basis for processing personal data that involves providing online services to data subjects (the “Guidelines”). Specifically, they discuss when companies can rely on Article 6(1) – that processing can take place in the context of fulfilling the terms of a contract – and what conditions must be established to do so. The Guidelines make clear that this basis is narrower than it is often interpreted to be, and that companies must take care that they meet certain requirements.


To lawfully process data, companies must establish one of six legal bases articulated in Article 6(1)(a) to (f) of the EU General Data Protection Regulation (“GDPR”). Article 6(1)(b) of the GDPR provides that processing can lawfully take place on the basis of a contract that must be fulfilled. Companies can process data when it is necessary (1) for the performance of a contract to which the data subject is party or (2) to take steps at the request of the data subject prior to entering into a contract.

The Guidelines review how the “contract” legal basis applies in the context of online services or “information society services.” These are defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

The Guidelines note that the Article 29 Working Party’s previous guidance on the “contract” legal basis under the EU Data Protection Directive remains relevant. The new Guidelines focus more closely on when the “contract” legal basis can be relied on in the context of online services. To that end, the Guidelines (1) articulate the general conditions that data controllers must meet in order to rely on the basis and (2) discuss how the contract legal basis applies in specific situations when providing online services.

Conditions for Relying on the “Contract” Legal Basis

The Guidelines set out specific conditions under which the “contract” legal basis will apply.

  • Necessity: For the “contract” legal basis to apply, processing must be objectively “necessary” either for delivering a service or for taking relevant steps – at the request of the data subject – prior to entering into a contract. Data processing will only be considered necessary if no feasible, less intrusive alternatives to achieve the objective are available.
  • Necessary for performance of a contract with the data subject: Where a data controller seeks to establish that the processing is based on the performance of a contract with the data subject, the data controller must be able to demonstrate for accountability purposes that:
    • a contract exists between the parties;
    • the contract is legally valid; and
    • the processing is objectively necessary for a purpose that is integral to delivering the online contractual service to the data subject.

It is not sufficient to simply reference or mention data processing in a contract. The Guidelines reaffirm the guidance previously provided by the Working Party in its Opinion on the notion of legitimate interests under the EU Data Protection Directive, suggesting a narrow interpretation of the “contract” legal basis under the GDPR in the context of online services.

The Guidelines provide four questions to aid businesses in assessing whether relying on the “contract” legal basis for processing in the context of online services is appropriate. Companies must make this assessment before data processing begins. Where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, the assessment must be made for each individual service the data subject has actively requested or signed up for.

  • Necessary for taking steps prior to entering into a contract: The Guidelines make clear that the “necessity to take pre-contractual steps” does not include unsolicited marketing or other data processing motivated solely by the data controller or the request of a third party.

How the “Contract” Legal Basis Applies in Specific Processing Situations

The Guidelines also discuss how the “contract” legal basis applies in the context of online services in the following examples:

  • improving a service or developing new functions within an existing service;
  • fraud prevention;
  • online behavioral advertising; and
  • personalization of content.

According to the Guidelines, in these situations data controllers must ensure that they comply with all the basic data protection principles set out in Article 5 of the GDPR, all other requirements of the GDPR and, where applicable, the ePrivacy requirements. The EDPB is accepting comments on these Guidelines until May 24, 2019.

