The European Data Protection Board (EDPB), successor to the Article 29 Working Party (G29), published in early April its draft guidelines on the use of the legal basis “contract performance or pre-contractual measures” in the context of online services.
As a reminder, Article 6 of the General Data Protection Regulation (GDPR) requires that any processing of personal data rest on a valid legal basis recognised by the GDPR. Paragraph 1(b) thus provides for the possibility of processing data where this is “necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract”.
The EDPB seeks to clarify the application of Article 6(1)(b) to online services, namely “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services” but also to services which are not paid directly by the persons receiving them, such as online services financed by advertising.
The EDPB intends to lay down clear and strict rules, which will undoubtedly be subject to rigorous supervision by the supervisory authorities.
This article summarizes the key points to remember from the draft guidelines.
The analysis of the necessity of the processing operation to perform the contract or pre-contractual measures must be strict, even uncompromising.
In line with the principle of accountability, the EDPB expects the controller to be able to demonstrate that the very purpose of the contract concluded cannot be achieved if the specific processing of personal data in question does not take place. The processing must be objectively necessary for a purpose that is integral to delivering the online contractual service to the data subject.
To help controllers carry out this analysis, the EDPB provides four questions to assess whether Article 6(1)(b) is applicable:
As far as possible, the results of this assessment should be documented in order to mitigate the risk in the event of an inspection by a supervisory authority.
On the other hand, Article 6(1)(b) will not be the appropriate legal basis where the processing is merely useful and it is possible to perform the contract or measures without it, even if the processing is carried out for the benefit of the data subject.
For example, the EDPB considers that an e-merchant cannot base a credit card fraud prevention processing operation on the performance of the sales contract: protecting against fraud is not vital to the management and execution of the order (even if it benefits both the customer and the e-merchant).
However, the EDPB accepts that “incidental” processing operations related to the performance of the contract, such as the management of the contractual guarantee, may be based on Article 6(1)(b). Abuse of this margin of manoeuvre should be prohibited: the processing deemed “necessary” may not be artificially extended to data or operations which are not essential for the performance of the contract or measures. The link with the contract must be real and cannot be forced (for example, the mere reference or mention of the data processing in a contract is not enough to establish that the processing is necessary to perform the contract).
A strict interpretation of the necessity also implies that processing must be stopped once the contract has been fulfilled, as is pointed out by the EDPB. The data will, in principle, have to be deleted at the end of the performance of the contract and the retention of the data beyond that point cannot be based on Article 6(1)(b).
However, the controller may retain the data if it has a legal obligation (such as an accounting obligation) or a legitimate interest (such as defending itself in litigation or asserting a right). The existence of this “subsequent” processing operation and the definition of its applicable legal basis must be considered from the outset and notified to individuals, in accordance with the GDPR information obligation.
For more information about the retention of personal data, consult our article dedicated to the subject.
The EDPB also recalls that other legal bases may support processing carried out in parallel to that necessary for the performance of the contract.
For example, improving the user experience and/or services, targeted advertising or personalisation of content, which should be considered as separate processing operations, cannot, in the EDPB’s view, be based on Article 6(1)(b). They may, however, be implemented on the basis of the data subject’s consent or, possibly, the controller’s legitimate interest.
Online service companies are also advised to exercise caution when deciding to bundle services that could be provided independently of each other. In this context, a detailed analysis must be carried out to determine, for each individual service, which is the most appropriate legal basis.
The other principles of the GDPR should of course not be forgotten, in particular the principle of minimisation, as well as the legal conditions for the validity of a contract such as the minimum age for contracting.
Where online services are intended for minors, greater attention must be paid to the processing operation and its conditions of implementation.
The EDPB invites stakeholders to comment on this project before 24 May. This article will be updated once the final version of the guidelines is adopted.