The Contract As Legitimate Basis In The Context Of Online Services

As explained in a previous post on legitimate basis, a data processing activity can only be lawful if it is based on one of the six situations established in Article 6.1 of the General Data Protection Regulation (GDPR). Among them, Article 6.1.b states that the processing of personal data will be lawful when it is necessary for the performance of a contract or to take steps prior to entering a contract.

To this end, the European Data Protection Board (EDPB) has adopted draft guidelines for data processing based on this legitimate basis in the context of online service provision. These guidelines are intended to clarify the limits of the use of the legitimate basis included in Article 6.1.b of the GDPR (since it is a draft submitted for public consultation, its final text could be modified in the future). The essential points made by the EDPB in its guide are summarized below.

1 Necessity Principle

It is necessary to clarify that the legitimate basis included in Art. 6.1.b GDPR covers two different situations. On the one hand, it would cover the case where processing is necessary for the performance of a contract to which the data subject is a party. On the other hand, it would also cover, as the article indicates, the situation where the processing activity is necessary to take steps, at the request of the data subject, prior to entering a contract; i.e., pre-contractual activities that are necessary for the contract to be signed. To this end, it should be borne in mind that, according to the EDPB, there is a “necessity principle” which would apply equally in both cases (performance of the contract and application of pre-contractual measures).

In this sense, according to the EDPB, Article 6.1.b of the GDPR clearly indicates that the processing must be strictly necessary for the performance of the contract or the application of pre-contractual measures. This means that where a processing activity, even if linked to a contract, is not completely necessary for it, Article 6.1.b would not be a valid basis, so the data controller would need to seek an alternative basis for that processing activity. Likewise, any processing that takes place after the termination of the contract could not be based on this legitimate basis either.

Therefore, as stated above, the EDPB interprets this “necessity principle” rigorously. This leads the EDPB to exclude cases in which, although the contract itself includes provisions related to a specific activity, such activity is not absolutely necessary for the performance of the contract or for the application of pre-contractual measures. For example, if an individual purchases a product online and this product is to be delivered to their home, Article 6.1.b would cover the processing of this consumer’s home address. However, if the product is delivered, for example, to a pick-up point (such as a shop), this legitimate basis would not cover the processing of the individual’s home address.

2 Applicability Of Article 6.1.b In Specific Situations

One of the most interesting points included in this guide is the reference to concrete situations in which it would not be clear whether this legitimate basis could be applicable. The following is a summary of the scenarios considered by the EDPB and the conclusions drawn about them:

2.1. Processing for service improvement. Although this is a fairly common processing activity, the EDPB considers that it would not comply with the principle of necessity set out above, and therefore the legitimate basis of Article 6.1.b could not be relied upon. As alternatives, the EDPB refers to both consent (Art. 6.1.a GDPR) and legitimate interests (Art. 6.1.f).

2.2. Processing for fraud prevention. The EDPB again considers that this processing could not rely on this legitimate basis. Alternatively, reference is made to “compliance with a legal obligation” (Art. 6.1.c, where applicable) or legitimate interests.

2.3. Processing for online behavioural advertising. The EDPB indicates that, as a general rule, Art. 6.1.b would not constitute a valid legitimate basis for this type of advertising, since it could hardly be considered necessary for the contract. To this end, it is stated that this legitimate basis would not be valid even in cases where such advertising indirectly defrays the costs of the service. It is also recalled that, in accordance with ePrivacy requirements and the Opinion of the Art. 29 Working Party on behavioural advertising (Opinion 2/2010), it will be necessary to obtain consent prior to the installation of cookies to carry out this type of advertising.

2.4. Processing for personalisation of content. In this regard, the EDPB considers that Article 6.1.b may be applicable where customization of the content may be considered necessary to fulfil the purpose of the contract. For example:

– A service consisting of showing the user news in different forms, on a single platform and automatically selected according to their interests: in this case, the processing of data necessary to identify their interests and customize the content of the service could not rely on the performance of the contract as legitimate basis.

– An online travel agency considers previous bookings made by the user to provide recommendations for future trips. In this case, it would not be considered that this processing was really necessary for the essential purpose of the service, which is the management of hotel and travel reservations, and therefore Art. 6.1.b would not be considered as a legitimate basis applicable to this case.

3 Conclusion

In conclusion, the EDPB takes a rather strict interpretation of this legitimising basis. This means that, according to this guide, there will not be many cases in which we will be able to safely rely on Article 6.1.b. In spite of this, the examples included in the guidelines can be quite useful in solving numerous interpretative problems in this respect, so that at least they provide some added value. Finally, it should not be forgotten that, since this is a draft version submitted for public consultation, it will be interesting to note possible changes to the final text adopted after the consultation.

Written by Jose Caballero Gutierrez
Lawyer specialized in IT, privacy and media. Associate at Promontory (UK). Previously at PwC and ECIJA. Writing about law, internet, strategy and innovation.