The EDPB guidelines on the performance of a contract as a legal basis for data processing in the context of online services draw attention to how to avoid mistakes when relying on it under the GDPR.
We want to let you do what you want
My team and I often end up in lengthy discussions with the managers of my clients on which data processing activities are vital for the performance of a contract. The general comments are:
If they don’t want to give us their data, they just don’t get the service, as simple as that!
Everyone collects that data…
Clients want to give us their data!
We are doing something socially useful for them (making some money out of it…)
Then we need to explain that we are not the “enemies of their business” who will prevent them from reaching their annual bonus. We want to find the legal basis to justify what they want to do!
Under privacy laws, the performance of the contract is a legal basis that cannot be “stretched” too far
Clients will try to expand such a legal basis to fit almost anything they want. But with reference to online services, the European Data Protection Board clarified, in the final version of its guidelines on the scenarios in which it is possible to rely on the performance of a contract as the legal basis for data processing pursuant to Article 6(1)(b) of the GDPR, that this legal basis cannot be used to justify data processing when the requested service can be provided without the specific processing taking place.
Therefore, it must be interpreted narrowly. According to the EDPB, “if there are realistic, less intrusive alternatives, the processing is not necessary.”
To rely on this legal basis, data controllers must establish both
- that the processing takes place in the context of a valid contract with the data subject and
- that processing is necessary so that the particular agreement with the data subject can be performed.
You need to watch when the contract ends
In case of termination of a contract, the EDPB held that the performance of the agreement can no longer be relied on as the legal basis. A different legal basis must be used, such as compliance with a legal obligation (Article 6(1)(c) of the GDPR, mirrored by the erasure exception in Article 17(3)(b)) or the establishment, exercise or defence of legal claims (reflected in Article 17(3)(e)). But such a different legal basis must be identified at the outset and described in the relevant privacy information notice.
It is a debated aspect in my view, since such a legal basis might also apply to activities connected to the performance of a contract, such as a follow-up dispute.
Legitimate interest might sometimes suit better
The EDPB clarified that the performance of the contract
- cannot be used as the legal basis for “service improvement,” but in such case, it is possible to use the legal basis of legitimate interest;
- cannot be used as the legal basis for “fraud prevention” purposes that may involve monitoring and profiling customers, but in such a case the legal bases of legal obligation or legitimate interest may apply;
- cannot be used as the legal basis for “online behavioral advertising, and associated tracking and profiling of data subjects,” considering that data protection is a fundamental right and personal data cannot be considered a tradeable commodity; but
- may be used as a legal basis for “personalization of content” when it is an essential or expected element of certain online services.
My top 5 recommendations on how to deal with the selection of the legal basis of the data processing
- Don’t just list in a privacy information notice all the potential legal bases of the data processing, indicating that, depending on the circumstances of the case, each of them will apply. This would not be transparent;
- Pick the right legal basis of data processing, running a privacy law assessment of the potential scenarios and outlining them in the privacy information notice;
- Don’t use legitimate interest to justify any possible data processing activity for which you struggle to find an alternative legal basis. Legitimate interest needs to be based on a thorough balancing test that can withstand potential challenges from regulators;
- Rely on technical solutions to minimize data processing activities if the processing cannot otherwise be justified under data protection law; and
- Check with the business whether they really need that data or whether the same goal can be achieved through other routes.
On how to identify the correct legal basis of data processing, you may also read the article “Legitimate interest, the performance of the contract and privacy consent under the GDPR,” which covers a similar topic.