EDPB provides guidance on ‘contractual necessity’ as a lawful ground for processing
The European Data Protection Board (EDPB) has issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects.
The guidance discusses the meaning of ‘necessity’. Article 6(1)(b) of the GDPR provides a legal basis for processing when the processing in question is necessary for the performance of a contract with a data subject, or in order to take pre-contractual steps at the request of a data subject.
Merely referencing or mentioning data processing in a contract is not enough to bring the processing in question within the scope of Article 6(1)(b), the DPAs say. The data controller needs to ensure that the processing is objectively necessary, i.e. integral to the delivery of that contractual service, for example, processing payment details.
"Although the controller may consider that the processing is necessary for the contractual purpose, it is important that they examine carefully the perspective of an average data subject in order to ensure that there is a genuine mutual understanding on the contractual purpose," the DPAs say.
With regard to pre-contractual processing, organisations are not entitled to carry out unsolicited marketing or other processing solely on the initiative of the data controller, or at a request of a third party.
However, the DPAs describe a scenario where processing could be objectively necessary in order to take pre-contractual steps: A data subject provides their postal code to see if a particular service provider operates in their area. This can be regarded as processing necessary to take steps at the request of the data subject prior to entering into a contract pursuant to Article 6(1)(b).
The guidance document also provides other useful examples of real life situations.
EDPB Chair, Andrea Jelinek, will speak at PL&B’s 32nd Annual International Conference in Cambridge on 1 July 2019. See the complete programme.