Skip to main content

Guidelines on Data Processing in Contractual Relationships

| Categories: General Obligations; Enforcement;

Data Processing in Contractual Relationships

Every processing of personal data requires a legal basis such as consent, legitimate interests or legal obligations. In October 2019, the European Data Protection Board (“EDPB”), an advisory body that consists of the data protection supervisory authorities in the EU, issued guidelines for public consultation on data processing based on Art. 6(1)(b) of the GDPR in the context of online services. They clearly indicate that the EDPB will impose stringent requirements for relying on data processing required for the performance of a contract.

Art. 6(1)(b) allows data processing to the extent necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Typical scenarios include processing of inquiries by prospective customers, transfer of postal addresses to parcel services for product delivery, or storage of the employees’ bank details for the purpose of processing salary payments.

Limitations of contract design regarding data processing

The EDPB emphasizes that the concept of “necessity” stems from a perspective of data protection as a fundamental right, leading to the conclusion that it would not cover processing which is useful but not objectively necessary for performing the contractual service, even if it is necessary for the controller’s other business purposes. In order to assess whether a certain processing is “objectively necessary”, “the exact rationale of the contract, i.e. its substance and fundamental objective” must be determined. Controllers may not “artificially” extent the scope of Art. 6(1)(b) by imposing additional conditions about advertising, payments or cookies, amongst other things.

For example, an online roadmap provider may process the customer’s location data for the purpose of a navigation function that the customer wants to use. On the contrary, using this data to create a motion profile of the customer in order to provide him or her with ads on restaurants located between the home address and the workplace is not covered by Art. 6(1)(b), even in case that such processing is included as a contractual condition within the terms and conditions of the service.

This differentiation endorsed by the EDPB leaves room for interpretation. However, it seems clear that authorities accept Art. 6(1)(b) as a legal basis only with regard to processing operations directly relating to the services the customer signs up to. In other words: The EDPB objects to the idea of ‘paying’ for a service by sharing personal information, as it explicitly states that “personal data cannot be considered as a tradeable commodity”.

Service improvement, online behavioural advertising, personalisation of content

The EDPB provides several examples on what kind of processing purposes may or may not be covered by Art. 6(1)(b). With regard to the purpose of “service improvement”, it states that “collection of organisational metrics relating to a service, or details of user engagement” cannot be justified as being necessary for the performance of a contract. However, other legal basis such as legitimate interest or consent may apply.

“Online behavioural advertising, and associated tracking and profiling of data subjects” may, according to the EDPB, also not be justified under Art. 6(1)(b), even if such advertising indirectly funds the provision of the service. In this context, the EDPB reiterates its position that placement of cookies necessary to engage in behavioural advertising requires the data subject’s prior consent.

Processing for the purpose of personalisation of content may constitute an essential or expected element of certain online services and, therefore, may be justified under Art. 6(1)(b). Whether that is the case or not “will depend on the nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalisation”. Hence, where personalisation is a core feature of the service, it may be necessary for performance of the contract.

GDPR Updates for non-EU companies

Are you compliant with the GDPR?

Under Art. 27 of the GDPR, many non-EU companies must appoint an EU GDPR Privacy Representative. To find out now if your company is subject to this obligation

take the test

Who is EU-REP.Global?

We are data protection service provider based in Germany, focused on compliance services under the EU General Data Protection Regulation. If you want to know more,

go to FAQ

Brexit: Implications on Privacy Compliance

Almost four years after the citizens of the United Kingdom have voted in favor of leaving the European Union in a referendum, Brexit is finally approaching on 31 January 2020. Since the General Data Protection Regulation (GDPR) is part of the EU legal framework which will, in principle, cease to...

Continue reading
International Applicability

Applicability of the EU GDPR to Non-EU Companies

The General Data Protection Regulation (GDPR), a major EU privacy law introduced in May 2018, not only shook up data-driven startups from London to the Silicon Valley but keeps affecting businesses of any size and in almost any industry. Many executives, IT managers and compliance professionals of...

Continue reading
Access requests

Access Requests under the GDPR

So-called "data subjects", including consumers and employees of B2B business partners, have several rights under the EU Data Protection Regulation (GDPR). In practice, one of the most relevant of these is the right to access under Art. 15 GDPR. It entitles natural persons in the EU to request...

Continue reading