The General Data Protection Regulation (GDPR) provides that data processing is generally not allowed. The only ways that data processing can lawfully take place are the circumstances enumerated in Article 6(1), commonly referred to as the legal bases for processing. While most of us think of consent when considering whether we can process data, the truth is that consent is not always the best basis for processing. GDPR allows data processing only under the following circumstances:
- The data subject has given consent;
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The European Data Protection Board recently released some guidelines on data processing under contracts. In this post, we will discuss those guidelines and how they can be implemented in practice to ensure proper processing of data. Remember, the legal basis for processing must be identified at the outset of the processing.
When processing data under a contract, you must make sure that the purposes for which the data is processed are specified, explicit and legitimate. Data must not be processed in a manner that is incompatible with those purposes. You must adequately disclose the purposes in the contract, which means that those purposes must be detailed enough to determine what kind of processing is and is not included in the purposes. For example, “marketing purposes” or “future research” are not specific enough, and data processing under such broad purposes is not allowed.
When processing data under contracts, you must undertake a fact-based assessment of the processing for the objective pursued and of whether it is less intrusive compared to other options for achieving the same goal. You must establish that:
- The processing takes place in the context of a valid contract with the data subject; and
- Processing is necessary in order that the particular contract with the data subject can be performed. A contract cannot artificially expand the categories of personal information or types of processing operations that you need to carry out for the performance of the contract.
You should ask yourself the following questions when determining whether you can process data under a contract:
- What is the nature of the service being provided to the data subject? What are its distinguishing characteristics?
- What is the rationale of the contract?
- What are the essential elements of the contract?
- What are the mutual perspectives and expectations of the contract?
- How is the service promoted or advertised to the data subject?
- Would an ordinary user of the service reasonably expect that, considering the nature of the service, the processing will take place in order to perform the contract to which they are a party?
For example, an online retailer must process the data subject’s home address for shipments, but such processing is not needed if the data subject is picking up the shipment at the store. The controller should also anticipate what happens when the contract is terminated. In general, when the contract is terminated, processing under the contract needs to stop. It is generally unfair to swap to a new legal basis when the original basis stops.
Processing under contract also applies where the processing is necessary in order to take steps at the request of the data subject prior to entering into a contract. In this case, the following types of processing are generally not allowed:
- Processing for service improvements;
- Processing for development of new functions;
- Processing for fraud prevention unless fraud prevention is the service;
- Processing for behavioral advertisements, even if that funds the service.
Protect yo’ self,
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.