The EDPB's draft guidelines on the performance of a contract as a legal basis for data processing by online services draw attention to how to avoid mistakes when relying on it under the GDPR.
We want to let you do what you want
My team and I often end up in lengthy discussions with my clients' managers about which data processing activities are vital for the performance of a contract. The general comments are:
- If they don’t want to give us their data, they just don’t get the service, as simple as that!
- Everyone collects that data…
- Clients want to give us their data!
- We are doing something socially useful for them (making some money out of it…)
Then we need to explain that we are not the “enemies of their business” who will prevent them from reaching their annual bonus. We want to find the legal basis that justifies what they want to do!
Under privacy laws, the performance of the contract is a legal basis that cannot be “stretched” too far
Clients will try to expand this legal basis to fit almost anything they want. But for online services, the European Data Protection Board clarified in its draft guidelines on when it is possible to rely on the performance of a contract as the legal basis for data processing under Article 6(1)(b) of the GDPR that this legal basis cannot be used to justify data processing when the requested service can be provided without the specific processing taking place.
It must therefore be applied narrowly. According to the EDPB, “if there are realistic, less intrusive alternatives, the processing is not necessary.”
Data controllers relying on this legal basis must establish both
- that the processing takes place in the context of a valid contract with the data subject and
- that processing is necessary so that the particular agreement with the data subject can be performed.
You need to watch when the contract ends
When a contract is terminated, the EDPB held that the performance of the agreement can no longer be relied on as the legal basis. A different legal basis must be used, such as compliance with a legal obligation under Article 17(3)(b) of the GDPR, or the establishment, exercise or defense of legal claims under Article 17(3)(e). But this alternative legal basis must be identified at the outset and described in the relevant privacy information notice.
In my view this is a debatable point, since the performance-of-contract basis might also cover activities connected to the performance of a contract, such as a follow-up dispute. It is one of the aspects to be reviewed in the ongoing consultation on the draft guidelines, which ends on 24 May 2019.
Legitimate interest might sometimes suit better
The EDPB clarified that the performance of the contract
- cannot be used as the legal basis for “service improvement,” although in that case it is possible to rely on legitimate interest;
- cannot be used as the legal basis for “fraud prevention” purposes that may involve monitoring and profiling customers, although in that case the legal bases of legal obligation or legitimate interest may apply;
- cannot be used as the legal basis for “online behavioral advertising, and associated tracking and profiling of data subjects,” considering that data protection is a fundamental right and personal data cannot be a tradeable commodity; but
- may be used as a legal basis for “personalization of content” when it is an essential or expected element of certain online services.
Picking the right legal basis for data processing is crucial to let a company do what it wants while reducing the risk of fines. An in-depth privacy law assessment of the relevant scenarios is imperative at the outset.
For more on how to identify the correct legal basis for data processing, you may read the article on a similar topic, “Legitimate interest, the performance of the contract and privacy consent under the GDPR.”