Can you rely on your contract to process personal data? Everything you need to know about Article 6(1)(b) GDPR, and more

The European Data Protection Board (“EDPB”) adopted on 9 April 2019 a set of draft guidelines on personal data processing under Article 6(1)(b) GDPR in the context of providing online services to data subjects (“the Guidelines”). The Guidelines complement the still-relevant Article 29 Working Party’s opinion 06/2014 (“the Opinion”), which already partly tackled the (pre-)contractual necessity criterion enshrined in Article 6(1)(b) GDPR. Together, the Guidelines and the Opinion answer some questions that remained unanswered up to now. 

What follows is everything you need to know about the (pre-)contractual necessity criterion, the Guidelines, and the Opinion. We’ve also set out below a (pre-)contractual necessity toolkit that can be helpful.

1. Lawful is not equivalent to legal

Article 6 GDPR lays down 6 “legalizing” criteria. These are criteria that, when fulfilled, will render the processing of personal data lawful. However, data controllers can reach the GDPR compliance threshold only if they comply with all the GDPR requirements, and these include lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. In other words, lawful processing is necessary, but it is far from being sufficient for GDPR compliance, not to mention the various pieces of legislation on ePrivacy, consumer protection, competition, and contracts.

2. No valid contract, no valid processing

Article 6(1)(b) GDPR requires an existing valid contract under the applicable national law to be in place. Data controllers should therefore be particularly careful when they process minors’ personal data on the basis of the (pre-)contractual necessity criterion because children may only enter into contracts under specific conditions.

3. A contract between the controller and the data subject

Article 6(1)(b) GDPR is not the right basis for processing a third party’s personal data. For example, if a data subject wishes to use the services of a bank to transfer money to a third party, the bank may not process the third party’s personal data on the basis of the (pre-)contractual necessity criterion.

4. Processing for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract

Processing is restricted to contract performance (the former scenario) or to taking such steps (the latter scenario), so Article 6(1)(b) GDPR is not the right basis for legalizing data processing for the purpose of suing the debtor or collecting debts. However, sending formal reminders to the debtor is deemed to happen in a normal contractual relationship. In the same vein, if the contract is terminated, the processing of personal data will logically no longer be necessary for the performance of the contract, so the controller will have to stop processing personal data unless it had already based such post-contractual processing on another legal basis prior to such processing and had also informed the data subject thereof.

5. The processing must be “necessary”

Controllers must ask themselves whether they could perform the particular contract with this particular data subject without processing the personal data of that data subject. If processing is only useful but not necessary, Article 6(1)(b) GDPR is not the right basis.

6. Fairness

In the Guidelines, the EDPB also clarifies the concept of fairness. It states that firstly, the fairness principle applies to the choice of a lawful basis, so the controller must take into account the impact on data subjects’ rights when identifying the appropriate lawful basis. Secondly, this principle implies that the data controller must take into account the reasonable expectations of the data subject, the consequences of the processing on him or her, and consider the balance (or rather, any imbalance) of the relationship. Overall, the fairness principle incorporates a proportionality assessment in the GDPR.

7. Freely-given consent and contractual necessity

A common mistake is to rely too easily on the consent criterion. It is even completely illogical to rely both on consent and Article 6(1)(b) for the same processing. Indeed, a controller cannot presuppose that it has obtained freely-given consent if the processing is necessary for the performance of the contract or for its creation. To put it another way, data subjects cannot consent freely if they know that eventually, without their consent, they won’t receive the service or good they contracted for.

8. Accepting Terms and Conditions ≠ accepting the processing of personal data

Another common mistake is to believe that signing or agreeing to terms and conditions amounts to consenting to the processing of personal data. However, the consent to enter into a contract and the consent in the context of data protection are different concepts with different requirements. As a result, the data protection consent has to be specific for determined data processing purposes. The data protection consent is not validly obtained if it relates to general terms and conditions. Concretely, the consent to contract should therefore be separated from the consent to data processing.

9. No sensitive personal data

Sensitive personal data (i.e., the personal data defined by Article 9 GDPR, such as health data, racial data, religious data, biometric data, etc.) cannot be processed on the basis of Article 6(1)(b) GDPR. Another legalizing criterion, such as the data subject’s explicit consent, must therefore be selected.

10. Necessary for the controller does not mean it’s necessary for the contract

For instance, Google’s business model is based on data and advertising, so if Google does not receive any data, Google cannot provide its service. However, according to the EDPB, the business model necessity does not imply contractual necessity. In addition, it is not because the contract provides that personal data will be processed that the processing of personal data is necessary for the performance of the contract. Hence, merely saying in the contract that personal data will be processed does not provide the data controller with any legal basis; data controllers need to conduct a fact-based assessment on whether the main obligations of the contract can be performed without processing personal data. In the same way, Article 6(1)(b) GDPR should not be used for justifying data processing in the context of service improvement, development of new functions, or fraud prevention. All in all, data controllers must reflect on the substantial nature of the service and the reasonable expectations of data subjects, so it all depends on the concrete circumstances of the contract.

11. A necessary split into different services

The EDPB indicates that if the contract consists of several separate services (take-it-or-leave-it bundle contract) that can reasonably be separated and performed independently, the contract must be divided into main services so that one can assess what is the right legal basis for each service, and not necessarily for the contract as a whole. It comes back to the business model necessity problem explained above (point 10).  

12. Data is not the new oil

The EDPB explicitly qualifies personal data as a non-tradeable commodity. There is little doubt that this statement will breed lots of controversies. The fact that personal data is conceptually different from monetary payments also leads to the following conclusion: although processing of personal data can support the funding of a service (e.g., Google search or Facebook), such processing is considered separate from the objective purpose of the contract, so the controller cannot rely on Article 6(1)(b) to legalize the processing of personal data.

13. The (pre-)contractual necessity toolkit

On the basis of the Guidelines and the Opinion, we believe that businesses must conduct a five-step test to analyse whether they can rely on the (pre-)contractual necessity criterion.

• A contractual context. Is there a valid contract to which the data subject is a party (first scenario)? Or, has the data subject taken steps towards entering into a contract (second scenario)?
• Identifying the substance of the contract. The data controller must identify what is the aim, purpose, or objective of the contract both from its perspective and from an average data subject’s perspective. In the second scenario (taking pre-contractual steps), what are the substantial steps that should be taken in order to properly answer the data subject’s request?
• Necessary processing of personal data. Does the performance of the substantial obligation(s) of the contract necessarily imply that personal data must be processed? In the second scenario, do the steps that should be taken necessarily imply an ancillary processing of personal data?
• Subsidiarity. Couldn’t the goal (performance of a substantial obligation or the answer to the data subject’s request) be achieved through realistically less invasive means, i.e., with no data, less data or less “intimate” data?
• Proportionality. Is the goal proportionate to the means (the processing)? Concretely, it may be that processing personal data is necessary to enter into or perform a contract, and that there is no other way to achieve the goal, so that the first four steps are fulfilled, but that such processing would yet be disproportionate. This could for instance be the case if the substance of the contract is very demanding in personal data, but the service provides in comparison little value added for the data subject.