On April 12, 2019, the European Data Protection Board (“EDPB”) published draft guidelines 2/2019 on the processing of personal data in the context of the provision of online services to data subjects (the “Guidelines”).
The basis for processing personal data must rest on one of the six legal bases provided for in Article 6(1)(a) to (f) of the EU General Data Protection Regulation (“GDPR”). Article 6(1)(b) of the GDPR provides the “contract” legal basis: situations where the processing is necessary (1) for the performance of a contract to which the data subject is party or (2) to take steps at the request of the data subject prior to entering into a contract, regardless of whether the contract is governed by the law of an EU Member State or the European Economic Area (“EEA”) or the law of a third country.
The Guidelines discuss how the “contract” legal basis applies in the context of online services or “information society services,” defined as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” This includes services that are not paid for directly by the individuals who receive them, such as online services funded through advertising.
The Guidelines note that the Article 29 Working Party’s previous guidance on the “contract” legal basis under the EU Data Protection Directive remains generally relevant. Against that background, the Guidelines focus on appropriate recourse to the “contract” legal basis in the context of online services. To that end, the Guidelines (1) outline the general conditions that data controllers must meet in order to rely on the basis and (2) discuss how it applies in specific situations when providing online services.
Conditions for Relying on the “Contract” Legal Basis
- Necessity: Necessity is a prerequisite for relying on the “contract” legal basis. The processing must be objectively “necessary” either for performing a contractual service or for taking relevant pre-contractual steps at the request of the data subject. If there are realistic, less intrusive alternatives to achieve the objective pursued, the data processing will not be considered “necessary.”
- Necessary for performance of a contract with the data subject: Where a data controller seeks to establish that the processing is based on the performance of a contract with the data subject, the data controller must be able to demonstrate for accountability purposes that (1) a contract exists between the parties; (2) the contract is legally valid; and (3) the processing is objectively necessary for a purpose that is integral to delivering the online contractual service to the data subject. The Guidelines confirm that merely referencing or mentioning the data processing in a contract is not enough to establish that the processing is necessary to perform the contract. In this respect, the Guidelines endorse the guidance previously provided by the Working Party in its Opinion on the notion of legitimate interests under the EU Data Protection Directive and, in so doing, suggest a narrow interpretation of the “contract” legal basis under the GDPR in the context of online services. The Guidelines further provide four questions to help businesses assess whether they may rely on the “contract” legal basis for processing in that context. This assessment must be conducted before data processing commences and, where the contract consists of several separate services or elements of a service that can in fact reasonably be performed independently of one another, separately for each individual service the data subject has actively requested or signed up for.
- Necessary for taking steps prior to entering into a contract: The Guidelines clarify that the “necessity to take pre-contractual steps” will not cover unsolicited marketing or other data processing activity that is driven solely by the data controller’s initiative or at the request of a third party.
Applicability of the “Contract” Legal Basis in Specific Situations
The Guidelines also discuss using the “contract” legal basis for the following purposes in the context of online services:
- improving a service or developing new functions within an existing service;
- fraud prevention;
- online behavioral advertising; and
- personalization of content.
The Guidelines note that data controllers must also ensure that they comply with all the basic data protection principles set out in Article 5 of the GDPR (such as the purpose limitation and data minimization principles, which are particularly relevant in contracts for online services), the other requirements of the GDPR and, where applicable, the ePrivacy requirements (such as the cookie law requirements). The EDPB is accepting comments on these Guidelines until May 24, 2019.