On 9 April 2019, the European Data Protection Board ("EDPB"), an independent European body which contributes to the consistent application of data protection rules throughout the European Union, published draft guidelines on the interpretation of 'contractual necessity' as grounds for processing personal data (the "Guidelines").
The Guidelines relate to Article 6(1)(b) of the General Data Protection Regulation ("GDPR") as applied to contracts for online services provided by online retail shops, news aggregation service providers, hotel search engines and the like. While some of these online services are financed by user payments, the services are often free of charge but funded by advertising that targets data subjects. One of the reasons why the EDPB adopted these guidelines is that users are not always aware that their behaviour is tracked by the service providers for the purposes of advertising.
Article 6 of the GDPR sets out the lawful bases for processing personal data. Article 6(1)(b) of the GDPR specifically relates to the processing 'necessary for the performance of a contract'. This covers both situations in which a contract was concluded with the data subject and those in which specific information is needed before it is possible to enter into a contract.
If a contract was concluded, the EDPB interprets this 'necessity' narrowly and finds that merely referencing or mentioning data processing in a contract is not enough to bring that processing within the scope of Article 6(1)(b). The 'necessity' requirement points to something more than a contractual condition. Regard should be given to the particular aim, purpose and objective of the service.
The Guidelines refer to a 'fundamental and mutually understood contractual purpose' in order to justify this necessity. The data controller should carefully examine the perspective of an average data subject in order to ensure that there is such a genuine mutual understanding of the contractual purpose.
For instance, an online retailer will be able to rely on Article 6(1)(b) of the GDPR to process credit card information and the home address if the data subject (i.e., the customer) opted for payment by credit card and delivery at home. By contrast, processing the data subject's home address will not be necessary for the performance of the purchase contract if the customer opted for shipment to a pick-up point. If the online retailer still wishes to receive the customer's home...