On April 12, 2019, the European Data Protection Board ("EDPB") published the draft Guidelines 2/2019 (the "EDPB Guidelines") on the processing of personal data under Article 6(1)(b) of the General Data Protection Regulation (the "GDPR")1 in the context of the provision of online services to data subjects. These Guidelines clarify the applicability of one of the legal bases for processing laid down under the GDPR, namely the one that justifies the processing of personal data necessary for the performance of a contract.
The EDPB Guidelines are mainly focused on the online services sector.
Regulatory background
The performance of a contract legal basis may be relied upon to process data such as contact information, purchase history, location data or payment data where such data is necessary to provide an online service. The legal basis may authorize the processing of data in the context of services provided upon payment by the data subject but also in the context of services which are free for the user.
Processing activities which take place before the contract is actually entered into, at the request of the data subject, may also be covered by the performance of a contract legal basis. This would be the case, for instance, where contact information or location data is processed in order to verify whether the service requested by the data subject is available in the area.
The performance of a contract legal basis should be understood within the broader framework laid down by the GDPR. Article 5 contains a reference to two key principles in this regard: purpose limitation and data minimization. Under the purpose limitation principle, data should be collected for "specified, explicit and legitimate purposes" and such data may not be "further processed in a manner that is incompatible with those purposes".2 Consequently, the data processed under the performance of a contract legal basis should be clearly specified and distinguished from the data processed pursuant to other legal bases. In addition, the data minimization principle requires that processing should only involve as much data as necessary to fulfil those purposes.3 Although there is a potential to collect vast amounts of personal data for a variety of purposes when providing online services, this must be balanced against the above principles imposed by the GDPR.
The necessity test
The GDPR indicates that the performance of a contract legal basis covers the processing of data which...