Skip to main content

Customer Data: GDPR Compliance in Contractual Relationships

| Categories: General Obligations; Enforcement;

Data Processing in Contractual Relationships

Every processing of personal data requires a legal basis such as consent, legitimate interests or legal obligations. In October 2019, the European Data Protection Board (“EDPB”), an advisory body that consists of the data protection supervisory authorities in the EU, issued guidelines for public consultation on data processing based on Art. 6(1)(b) of the GDPR in the context of online services. They clearly indicate that the EDPB will impose stringent requirements for relying on data processing required for the performance of a contract.

Art. 6(1)(b) allows data processing to the extent necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Typical scenarios include processing of inquiries by prospective customers, transfer of postal addresses to parcel services for product delivery, or storage of the employees’ bank details for the purpose of processing salary payments.

Limitations of contract design regarding data processing

The EDPB emphasizes that the concept of “necessity” stems from a perspective of data protection as a fundamental right, leading to the conclusion that it would not cover processing which is useful but not objectively necessary for performing the contractual service, even if it is necessary for the controller’s other business purposes. In order to assess whether a certain processing is “objectively necessary”, “the exact rationale of the contract, i.e. its substance and fundamental objective” must be determined. Controllers may not “artificially” extent the scope of Art. 6(1)(b) by imposing additional conditions about advertising, payments or cookies, amongst other things.

For example, an online roadmap provider may process the customer’s location data for the purpose of a navigation function that the customer wants to use. On the contrary, using this data to create a motion profile of the customer in order to provide him or her with ads on restaurants located between the home address and the workplace is not covered by Art. 6(1)(b), even in case that such processing is included as a contractual condition within the terms and conditions of the service.

This differentiation endorsed by the EDPB leaves room for interpretation. However, it seems clear that authorities accept Art. 6(1)(b) as a legal basis only with regard to processing operations directly relating to the services the customer signs up to. In other words: The EDPB objects to the idea of ‘paying’ for a service by sharing personal information, as it explicitly states that “personal data cannot be considered as a tradeable commodity”.

Service improvement, online behavioural advertising, personalisation of content

The EDPB provides several examples on what kind of processing purposes may or may not be covered by Art. 6(1)(b). With regard to the purpose of “service improvement”, it states that “collection of organisational metrics relating to a service, or details of user engagement” cannot be justified as being necessary for the performance of a contract. However, other legal basis such as legitimate interest or consent may apply.

“Online behavioural advertising, and associated tracking and profiling of data subjects” may, according to the EDPB, also not be justified under Art. 6(1)(b), even if such advertising indirectly funds the provision of the service. In this context, the EDPB reiterates its position that placement of cookies necessary to engage in behavioural advertising requires the data subject’s prior consent.

Processing for the purpose of personalisation of content may constitute an essential or expected element of certain online services and, therefore, may be justified under Art. 6(1)(b). Whether that is the case or not “will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation”. Hence, where personalisation is a core feature of the service, it may be necessary for performance of the contract.

GDPR Updates for non-EU companies

Are you compliant with the GDPR?

Under Art. 27 of the GDPR, many non-EU companies must appoint an EU GDPR Privacy Representative. To find out now if your company is subject to this obligation

take the test

Who is EU-REP.Global?

We are data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation. If you want to know more,

go to FAQ

EU Commission Sets Timeline for New SCCs after the “Schrems” Judgement

In a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs held in Brussels today, EU Commissioner Didier Reynders delivered remarks on what to expect for the future of international data transfers after the European Court of Justice has ruled the EU-US Privacy...


Data Mapping & the GDPR: "Records of Processing Activities"

Any privacy law implementation program is based a proper data mapping. But is it even a legal obligation? Under the GDPR, the answer is a clear "yes" for most of modern businesses. Article 30 requires companies to maintain so-called "records of processing activities" (also known as RPA or ROPA) with...


GDPR Enforcement: The Real Risks of Non-Compliance

Whereas public supervisory authorities granted an informal grace period to implement the new provisions of the EU General Data Protection Regulation (GDPR) and allocated many resources to awareness-raising campaigns in 2018, their focus clearly shifted towards enforcement in 2019. The risk of...