EDPB Guidelines Explain ‘Necessary for the Performance of a Contract’ Data Processing Basis
October 17, 2019 – Alerts
The European Data Protection Board (EDPB) has issued the final version of its Guidelines 2/2019 on the General Data Protection Regulation's (GDPR) legal basis of "Necessary for the Performance of a Contract" (Article 6(1)(b)), with a focus on the provision of online services.
Key Takeaways for Using This Legal Basis
- Just because it is permitted by the terms of the contract does not mean it is necessary for performance.
- Just because it is beneficial to the company's business model does not mean it is necessary for performance.
- In determining necessity, you need to consider (i) the fundamental right to privacy as well as (ii) the principle of fairness.
You Need to Show:
- The processing is carried out in the context of a valid contract with the individual (Note: validity to be determined pursuant to EU laws including consumer protection laws and other contract laws);
- The purpose for the processing in question is clearly specified and communicated to the relevant individual, in line with the company's purpose limitation and transparency obligations (even if not in the body of the contract);
- The processing needs to be objectively necessary to achieve this particular purpose; and
- There are no realistic, less intrusive processing alternatives to achieve this purpose.
- Processing which is useful but not objectively necessary for the specific purpose will not be covered (even if necessary for the company's other business purposes).
- You need to show that the main subject matter of the specific contract with the individual cannot be performed without the processing of the information. For this, consider the perspective of a reasonable individual when entering into the contract, not just that of the company.
- Actions that can be reasonably foreseen and necessary within a normal contractual relationship may be deemed necessary.
- When assessing whether processing is necessary for a particular online service, consider the particular aim, purpose, or objective of that service.
Questions to Ask:
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the exact rationale of the contract (i.e. its substance and fundamental object)?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the parties to the contract?
- How is the service promoted or advertised to the data subject?
- Would an ordinary user of the service reasonably expect that, considering the nature of the service, the envisaged processing will take place in order to perform the contract to which they are a party?
- When introducing new features or technology that affect the processing of information, analyze whether the additional processing is necessary.
- Where the contract consists of several separate services or elements of a service (even if bundled together from a commercial perspective), assess whether the processing is objectively necessary in the context of each of those services separately.
Examples of Processing That May Be Necessary for the Performance of a Contract:
- credit card information and billing address for payment purposes
- home address for delivery to home (but not to pickup point)
- formal reminders about outstanding payments
- correcting errors or delays in the performance of the contract (e.g. wrong color sent)
- storing certain data for a specified retention time after exchange of goods/services/payment has been finalized for the purpose of warranties
- for terminated agreement: returning goods, payment or other associated administrative actions
- personalization of content if intrinsic and expected as part of the provision of an online service and necessary (not just for increasing user engagement).
- establishment of a company-wide internal employee contact database containing the name, business address, telephone number and email address of all employees, to enable employees to reach their colleagues
- keeping, for a limited period of time, address details and information on what an individual has requested (e.g. for sending a product offer)
- insurer processing of necessary data (e.g. make and age of car, and other relevant and proportionate data), in order to prepare an insurance quote requested by a consumer.
Examples of Processing That Is Generally Not Necessary for Performance:
- online retailer building profiles of the user’s tastes and lifestyle choices based on their visits to its website
- unsolicited marketing or other processing which is carried out solely on the initiative of the company, or at the request of a third party
- collection of organizational metrics relating to a service, or details of user engagement
- processing for the purpose of improving a service
- processing to develop new functions within an existing service
- processing for fraud prevention purposes
- processing for online behavioral advertising and associated tracking and profiling
- providing personalized product suggestions to increase interactivity
- electronic monitoring of employee internet, email or telephone use
- video surveillance of employees
- more elaborate processing of data beyond what the specific contract requires, whether or not it involves third parties
- detailed background checks, for example, an insurance company processing the data of medical check-ups before it provides health insurance or life insurance to an applicant (because it is not at the request of the individual)
- credit reference checks prior to the grant of a loan (because not at the request of the individual)
Odia Kagan is a partner at Fox Rothschild and chair of the firm’s GDPR Compliance and International Privacy Practice. For assistance with the full range of CCPA compliance issues contact Odia at [email protected] or 215.444.7313.